Business Services
eRisk Solutions
IT IAS
Teaming/Outsourcing
Sales and Methodology Toolkit
Last Updated May, 1999.
FOR INTERNAL USE ONLY
Not for distribution outside of the firm.
Overview
The primary purpose of this sales and methodology toolkit is to describe a consistent
framework of procedures that we use to sell and deliver a business-process-focused
approach to providing IT internal audit services. It is designed to provide a consistent
value proposition and facilitate the effective and efficient delivery of high-quality IT
internal audit services to clients throughout the world.
This toolkit contains two major components: the Sales Process and the Service Delivery
Methodology. The sales process contains key sales components related to the IT Internal
Audit Services market, company targets, key individuals within the company to target,
value propositions, critical success factors, key selling points related to our methodology,
and single frames. Our Service Delivery Methodology contains five major stages, which
include:
Co-develop the client's expectations regarding our relationship. We also begin to
understand the client's business, goals, objectives and strategies, as well as their
objectives for the IT internal audit function (Stage 1).
Conduct a risk assessment by assisting client management responsible for the IT
internal audit function in developing a risk assessment with respect to the
company's processes and auditable units (e.g., location, division, etc.) (Stage 2).
Prepare the annual IT audit plan, which is approved by client management
responsible for the internal audit function, executive management and the Audit
Committee (Stage 3).
Execute the audit plan, as agreed with client management responsible for the IT
internal audit function. We focus on evaluating the effectiveness of controls
established by management to ensure that the selected processes achieve their
financial reporting, operating and compliance objectives (Stage 4).
Communicate the results of our work to client management responsible for the
internal audit function, executive management and the Audit Committee (Stage 5).
The stages of our service delivery methodology are the logical framework that we, or our
clients, would perform to deliver any IT Internal Audit Services. However, the nature of
the engagement determines the extent to which the individual activities and worksteps
are implemented. The scope of our IT internal audit services engagements may vary,
from limited engagements to perform a single IT internal audit project on a teaming
basis, to more comprehensive IT internal audit outsourcing engagements. Because of the
variety in IT internal audit engagements, the procedures described in this document are
not intended to be a one-size-fits-all, prescriptive methodology. These procedures are
most applicable to our on-going teaming and outsourcing engagements. However, our
overall methodology framework, as outlined in this toolkit, should be followed on a
go-forward basis. Maintaining a common language and process will drive consistency,
productivity, and an improved knowledge management structure. In situations where we
perform smaller engagements, our teams should still consider the value of completing
each stage and activity, even if abbreviated, to ensure high quality and high value to our
client.
IAS Sales: Tom Sliwinski (IAS Sales), Phone (216) 583-3865, EY COMM 2887549, Cleveland
ISAAS Methodology: Jamie Ross (ISAAS Program Coordinator), Phone (216) 861-2297, EY COM 3297677, Cleveland
ISAAS Methodology: Jerry DeVault (National Director of ISAAS Assurance Services and Program Sponsor), Phone (216) 861-2214, EY COM 3953308, Cleveland
IAS Methodology: Sam Johnson (IAS Operations), Phone (216) 737-1680, EY COMM 2575648, Cleveland
Overview
The internal audit environment, especially IT internal audit, is changing. In addition to
traditional attest and compliance functions, internal audit departments are being
challenged to provide more value to the business. Management is demanding an audit
function that reduces risk, creates cost efficiencies, and continually delivers increased
value to the company's stakeholders. A world-class audit function is being recognized as
a valuable and strategic corporate asset.
However, the investments required to build and maintain an effective audit function are
growing exponentially, especially in the areas of technology, knowledge, and people. At
the same time, domestic and international growth, mergers and acquisitions, increasingly
complicated transactions, and significant information technology changes have created
more complex companies with different, and in many cases, higher risk profiles than in
the past. Internal audit departments have difficulty keeping pace with these developments
because of staffing and budget constraints.
Insight from the internal audit marketplace indicates that most companies have not
invested in the required IT audit human resources and other critical investments (e.g.,
knowledge, technology, training, etc.) to adequately cover their key business and
information risks. These companies are also finding it difficult to invest in subject
matter expertise, audit methodologies, technology, tools and training to cover the
organization's risk areas.
Our E&Y IT Internal Audit Services (IT IAS) are designed to either partially team or
fully outsource a companys IT internal audit function by providing:
More effective and efficient IT risk assessment and / or
Supplemental IT internal audit testing related to significant information systems
risks not currently being covered.
We can go to market with E&Y Internal Audit Services (IAS) or work the client-direct
channel (e.g., Director of Internal Audit).
Service Delivery Methodology
Our basic methodology involves a five-step process. A high-level overview of this
methodology follows. Additional detail is available in Section 3, Service Delivery
Methodology.
Co-develop Expectations With Client: We listen and learn about our client's
business goals, objectives and strategy. This critical step helps us to understand the
business and ensure we apply our resources in the right areas. Also, we co-develop
expectations with the client to serve as the foundation for our working relationship.
Conduct Risk Assessment: Our business process oriented IT risk assessment begins
with understanding the key business processes and how IT resources (i.e.,
applications, operating systems, hardware, data, people and facilities) and processes
support and enable the business.
Prepare Annual IT Audit Plan: We prepare a plan that is responsive to the risk
assessment and business needs, for approval by client management responsible for the
internal audit function, executive management and the audit committee.
Execute Audit Plan: We focus on evaluating the effectiveness of controls
established by management to ensure that the selected processes achieve their
financial reporting, operating and compliance objectives. In addition, we make
recommendations for improvement based on what we learned.
Communicate Results of our work to client management responsible for the internal
audit function, executive management and the audit committee.
Target Industries
Initial considerations for the primary industries to target should include:
An industry that is designated a national priority industry group - the best target
industries include:
Consumer Products
Telecommunications, computers and electronics
Energy
Financial services
Insurance
Healthcare
Whether business process models have been developed by the National Assurance
Support Center and whether our firmwide practice has industry SMEs.
Industries that have typically made investments in internal audit departments. FSI
and Insurance have historically made the largest investments in internal audit
functions. However, these two industries also present the most significant
independence and regulatory challenges.
Targeting Best Practices
Many areas conduct periodic (e.g., weekly) meetings to review ISAAS and IAS pursuits
and share information. The topics for discussion may include:
Brainstorming on pursuit strategy to determine how to best position E&Y to win
Review of IT needs on current pursuits
Re-evaluating lost pursuits to discover themes for the future
Re-examining stalled or lost IAS pursuits to determine if there is an opportunity for
IT audit services
Replicating winning strategies from other areas
We should be proactively working with IAS to manage our pipeline together. The IAS
client pursuit list can be found in the AABS IAS V6 PowerPack on the KnowledgeWeb.
See below:
Internal Audit Services PowerPack:
Document Title:
Author/Contact Person: Barbara R. Bandera
Source:
Date Published: May 1999
Keywords:
Originating Country: United States
File Attachment:
Client Targeting
We have segmented the target market into components: AABS audit clients and non-audit clients versus IAS targets and non-IAS targets.
Target segments: High-potential IAS Target; Cold opportunities; START initiatives.
IAS TARGETS
In many cases, our IAS practice may already be in discussions regarding a teaming or
outsourcing opportunity with a target. Where the IAS practice has built a relationship, we
should work closely with them to ensure that we are capitalizing on the relationship and
that we are coordinating our business development efforts.
Your area should closely link with IAS. Our experience indicates we have the most
success when we work together with IAS.
NON-IAS TARGETS
There are opportunities in this segment, but these opportunities will be for teaming on IT
IAS only.
Triggering Events
In addition to targeting specific companies and industries, we also target based on key
triggering events. The following table highlights some common triggering events that
may be used to generate leads:
Triggering Event: Turnover among key members of the buying group (e.g., CFO,
Director of Internal Audit)
Questions: Do you have a solid understanding about your audit function's IT
capabilities? Are you satisfied with internal audit's performance and capabilities
related to IT risks?

Triggering Event: IT internal audit functions may have difficulty keeping pace with
the risks associated with the major business changes.
Questions: How is the internal audit function responding to (or are there any
pending) recent changes in your business?
Source: IT and the Bottom Line, CIO Magazine, June 15, 1998
AUDIT COMMITTEE
Position Analysis:
In general, we have less frequent opportunity to interact with audit committee
members. When we do, it's important to recognize that their interests lie in three
fundamental areas:
Assessing the processes related to the company's risks and control
environment
Overseeing financial reporting
Evaluating the internal and external audit processes
Any contact with the audit committee should focus on addressing one of the three
areas above. IT internal audit services can address all three and should be
discussed within this context.
Sales Profile:
Approver - based on the recommendation of the CFO and/or DIA.
Not likely to be active members of the decision process.
Entry Strategies
Once we identify the key buyer(s), our entry strategy may vary, as discussed below.
When: AABS Client (or CS, Tax) (Hot Opportunity)
Initial Contact: Director of IA or CFO via ISAAS and/or Engagement Partner to Client
E&Y Resource: ISAAS SE; AABS Partner; Area AS Leader; Area IT Internal Audit Champion
Emphasize: Relationship; Quality of work; IT internal audit teaming value proposition;
Our investments in IT internal audit people, technology, methodology and knowledge

When: Non-client IAS Target (Warm Opportunity)
Initial Contact: Leverage IAS knowledge and relationship
E&Y Resource: ISAAS SE; IAS Pursuit Partner; Area AS Leader; Area IT Internal Audit Champion
Emphasize: IT internal audit teaming value proposition; Our investments in IT internal
audit people, technology, methodology and knowledge

When: No prior relationship (Cold Opportunity)
Initial Contact: START Center
E&Y Resource: ISAAS SE; Area AS Leader; Area IT Internal Audit Champion
Emphasize: IT internal audit teaming value proposition; Our investments in IT internal
audit people, technology, methodology and knowledge
Fee Range: Risk Assessment $50,000 - $250,000; $100,000 - $2,000,000
Typical Fee: Risk Assessment $100,000; $300,000
These fees are based on our experience to date and vary widely within this range. Our
goal is to build these engagements into larger, profitable annuity projects. Because we
are able to leverage the skill sets and resources that our clients cannot, or do not, want to
invest in, we should be basing our fees on the value we deliver, not on the number of
hours or rate per hour. Therefore, when proposing fees, we should avoid quoting or
committing to a certain number of hours for a fixed fee.
Best practice is to quote a fixed fee for a level of risk coverage or a percentage of
standard based on the actual effort to complete the co-development audit plan. Generally,
our target realization should be 70%. This realization, combined with our standard rates,
results in a business that is very profitable. Recent wins and current pursuits confirm this
strategy.
Sales process flow: Qualifying Call; Proposal (If Necessary); Expanded Capabilities Call; L.O.U.; Specific Projects.
We appreciate the opportunity to share our investments and capabilities in IT internal auditing, but before
we get into that, would you spend a few moments to...
...give me an understanding of the current internal audit capabilities - number of staff and key skills
...give me a quick overview of your IT internal audit function today - capabilities and skill sets.
Current organizational changes - How have industry / company changes affected / impacted your
department - what challenges have they presented? (need to have done research to demonstrate that you
have a high level understanding and insight of the company and its industry)
Is the company implementing any new technologies? (e.g., eC, ERP, ESM) How are you addressing the
associated risk? What have been your challenges?
What is internal audit's charter? What does management expect of you? What is the focus / priorities of
internal audit? (compliance, value, leadership development)
How are you performing against your charter?
How do you measure success?
What are your most significant challenges?
How do you currently assess your business risks?
How do you determine and assess IT risks as they relate to your business?
What is your current risk assessment framework?
How do you prioritize your areas for review?
What are your priorities and projects for this year? Are you going to achieve your targets?
Use a maximum of 5-7 slides. The goal of the IT Internal Audit Services presentation is to
create a dialogue between Ernst & Young and the potential project sponsor to solicit and
identify needs and issues. We intend this discussion to provide the client with an opportunity to
discuss some of the issues and concerns they have with how their IT internal auditors are
assessing risks for the business.
An example of Qualifying Call single frames is included in the appendix.
We should not expect the client to be able to understand the single frames without our talking
points. We should use the single frames as discussion guides. We should walk the client
through the ideas that are illustrated in the single frames to solicit their feedback and hear them
talk about their concerns. Our ability to listen and learn the organization's needs will enhance
our ability to deliver on expectations.
Use the "Expectations are Changing" slide, which can be customized for their business
environment
Challenges & Investments - customize for IT internal audit
Qualifications slide - key points to sell about E&Y IT internal audit services
Client list
Service & Support Capabilities
Global Capabilities
Script
Recap information from the previous discussion, what we learned about client needs / concerns from
the previous meeting, and update new players in the meeting on the previous meeting: "This is what we
heard, is that valid? Have we missed anything? This is what we are going to cover. Does this
meet your expectation for this meeting?" (Note: This is not a co-development session - this is
setting the stage for why we are having the expanded capabilities call). This should only be
confirming the expectations we developed with the meeting sponsor beforehand.
Go through the Agenda for the meeting.
Include key slides from the 30 minute qualifying call to bring any additional participants to a
common level of understanding.
An example of The Expanded Capabilities Call along with talking points is included in the
appendix.
Use the Barrier slide as a lead-in, but customize it for client-specific issues and terminology. You may
consider using the Gap slide to summarize our investments; however, the Barrier and Gap slides
need to be consistent.
Stress our flexible approach to developing solutions.
Highlight IT risk assessment approach, people, tools, methodologies, knowledge.
Not a presentation
Demonstrate teamwork
Be careful of references
Have fun
Other Steps
Specific Projects
During our discussions, it may become apparent that the client is not interested in a large
teaming engagement or outsourcing their IT internal audit function. However, they may
want help from Ernst & Young with a specific project. In these instances, we should
respond appropriately with a targeted LOU or proposal for the work. These proposals
should be treated seriously - they may be a trial run to consider Ernst & Young for
later work.
Proposal
An example Proposal is included in the appendix
Letter of Understanding
An example LOU is included in the appendix
Competitive Assessment
Ernst & Young:
World-class people, methodology, knowledge management, technology and tools
Fastest growing internal audit practice
Leadership - emerging as the leader in internal audit services
PriceWaterhouseCoopers:
Has become our strongest IT internal audit competitor to date
Much of their technology investments have come from Coopers & Lybrand
Broad cross-selling with IAS equivalent
Global capabilities with a strong FSI practice
Focus is on large, blue-chip, global clients
Portray Ernst & Young as a loose confederation of franchisees rather than global
Willing to price aggressively for strategic targets
Solid Growth
Arthur Andersen:
Solid competitor - Initial market pioneer
Initial approach to outsourcing was not favorable to Internal Audit Director
Focus on both teaming and outsourcing
Integrated risk management framework
Global Best Practices Database
Highly leveraged staffing model
Aggressive pricing in competitive situations
Strong market recognition
Solid Growth
Deloitte & Touche:
Co-sourcing focus for overall internal audit - has been a losing strategy.
D&T is shifting to outsourcing
Strong Director of Internal Audit relationships because of co-sourcing strategy
Strong Retail industry practice
Low Growth
KPMG:
Insignificant competitor - little strategic direction
Still in start-up mode
Few competitive advantages - they compete primarily on relationships
Defensive position, only compete on their clients
To overcome this objection, do not push for full-outsourcing of the internal audit
function. Rather, we should stress two important client benefits of working with Ernst &
Young:
Teaming opportunities - This is an excellent chance to stress the benefits of a
teaming arrangement. By working with Ernst & Young, the future leaders can
help analyze and understand the client's strengths and weaknesses and team with
us to address these weaknesses. This has the effect of making their internal audit
an even stronger grooming ground for the client's high-potential managers.
Knowledge Transfer - We will transfer our knowledge to the client through hands-on
work with our people, methodologies, technology and tools. This also has the
effect of making their internal audit a stronger function and their future leaders
more valuable.
You Don't Understand Our Business in Enough Detail
In some pursuits, the client will be concerned that Ernst & Young does not have a
sufficiently detailed understanding of their business. We have several responses to this
objection, including:
ASC - The Ernst & Young Assurance Support Center generates in-depth client and
industry research. Comprised of more than 50 partners and senior managers who
are thought leaders in their particular industries, the ASC works closely with audit
teams in the field to build and deploy industry knowledge, business process risk
models and benchmarking data along with leading-practice IT internal audit
approaches and techniques. Over 50 industry segments are supported by the ASC.
Process Models - Ernst & Young has developed process models for most major
industry segments. The leading-practice knowledge and understanding
incorporated in these models may help provide value to the company by
uncovering opportunities for improvement.
Relationship Manager - The client relationship manager is a critical part of our
service delivery methodology. This individual is responsible for
transferring business insight and client needs to the Ernst & Young work
team. The relationship manager is a senior executive who has a strong industry
background and a thorough understanding of the client's business.
Stable Core Team - Our philosophy on staffing is to select a core team to serve our
clients and manage the engagement on an ongoing basis. This allows us to
develop in-depth knowledge of the business and relationships within the company,
in addition to bringing them more specialized skill sets on a just-in-time basis.
We assemble the best possible team, based on the skills and experience, to conduct
our engagement in an effective and efficient manner.
Co-Develop Expectations - Finally, one of our strongest responses to this question
is to co-develop expectations with the client. We will assemble the core team and
other resources based on the jointly defined expectations. The purpose for this
step in the process is to make sure the client gets what they expect. If part of the
expectation is that we understand their business (as is typically the case), Ernst &
Young will make certain this expectation is met.
Success Stories
Aon
Company Background: Our client is a holding company composed of commercial
insurance brokerage and consulting, and consumer underwriting companies. With 1997
annual revenue of approximately $5.8 billion and offices in more than 100 countries, the
client is a world leader in insurance and consulting services. The Company is a current
Audit, Tax and Consulting client.
Client Business Issue: The client maintained IT audit staff in Chicago, London and
Rotterdam. The client experienced rapid turnover in the IT Audit group globally. The
client has also been relying increasingly on new technologies including PeopleSoft and
various eCommerce applications. They found it difficult to get proper audit coverage as
they could not attract and retain skilled IT audit staff. Additionally, the IT environment
was changing so rapidly that it was becoming cost prohibitive to continually retrain the
IT audit staff.
Our Service Delivery Approach
1. Co-Developed Client Expectations: With the client, we developed an
understanding of the risks in their industry, business and ongoing projects. Senior
management preferred to have a single source responsible for the delivery of the
IT audit service and asked us to coordinate IT audit activities globally from
Chicago. As such, we worked from Chicago with the client IT Audit staff and
appropriate EY ISAAS personnel in the UK and Rotterdam to develop a unified
global IT audit plan.
2. Conduct Risk Assessment: We interviewed a dozen CIOs and other IT executives
in the US to gain an understanding of projects in process and their areas of
concern. This information was used as the base for a risk assessment matrix. A
similar process was followed in the UK and Rotterdam.
3. Developed Annual IT Audit Plan: We developed an annual audit plan defining the
different projects to perform during the year. This plan was approved by the Vice
President Internal Audit and included all global projects. We are now completing
the first year of the engagement, have developed our second-year audit plan
based on the updated risk assessments, and have submitted it to management for
approval.
4. Execute the Annual Audit Plan: Because the engagement was so large, a team was
assembled with an ISAAS manager assigned to each major business line with
another manager acting as the account leader. The account leader is responsible
for reviewing work programs and for ensuring quality delivery of service. Per the
global IT audit schedule, individual audits are scheduled and performed by the
ISAAS manager responsible for that area.
5. Communicate Results: We have a standing meeting every month to report US and
Rotterdam results to the Vice President Internal Audit. We report status by project
including hours and fees incurred that month. Additionally, we have a video
conference with the UK every month with the Vice President Internal Audit to
discuss the status of the UK projects. Audit reports are issued in the standard
client Internal Audit report format and are typically distributed to a wide variety of
senior management.
Novell
Company Background: Our client is a leading provider of network operating software
enabled by directory services. Its Internet solutions make networks more manageable
and secure, and reduce the total cost of ownership for organizations of every kind and
size. The client also provides group collaboration software that links teams of users
working on a project as well as software that manages networked PCs from a central
location. The company earns more than $1 billion in annual revenue and is an Ernst &
Young audit client.
Client Business Issue: The client was performing less well than in earlier years and
realized that it needed to look at every revenue opportunity. Together with the client's
Internal Audit group, we uncovered a potential revenue assurance opportunity by
collecting outstanding software licensing fees. Based on our existing methodology and
global network, Ernst & Young ISAAS IT IAS was selected to coordinate and execute
the software licensing audits.
Our Service Delivery Approach: Using our Royalty Audit methodology (Royalty audits
for TCE companies located in the national revenue program catalog), we audited
licensees on behalf of the client using both domestic and International Ernst & Young
resources. So far we have visited licensees in more than 30 different countries. The
reviews were performed to ensure compliance to agreement and reporting requirements
of our client.
Value Received by the Client: To date we have recovered more than $16 million in
outstanding licensing fees, providing a ten-to-one return on the client's investment. The
client received increased value and assurance through a successfully managed and
coordinated project that used a consistent methodology and controlled travel expenses by
using our international network of professionals.
Based on our findings and recommendations, we are now involved with the client in a
business process re-engineering project that will provide the following:
Improved operating efficiencies by reducing administration costs associated with
the license management life-cycle.
Increased profits by identifying and implementing controls to better track revenue
from active licenses.
Improved customer satisfaction by improving the quality and consistency of the
license management services.
Improved understanding of license agreements by both licensor and licensee.
Better structured agreements up front.
Better reporting systems and processes to accurately report revenues.
Timeliness of cash receipts.
Reduced incidence and expense of royalty audits.
Improved accuracy, timeliness and completeness of reporting.
Overview
Our IT Internal Audit Services methodology provides ISAAS professionals with
guidance in performing IT Internal Audit Services. The methodology is intended to guide
the process whereby we evaluate risk and control processes related to information
systems.
The methodology is structured around five stages designed to focus on the clients risks,
to generate value, and to assist us in performing our IT internal audit procedures in an
effective and efficient manner. The following IT Internal Audit Services Project
Routemap gives a description of the major stages and activities in the methodology:
Stages:
Conduct Risk Assessment
Prepare Annual IT Audit Plan
Communicate Results

Activities:
Understand management's audit coverage expectations
Prioritize audits
Understand engagement economics
Agree audit plan with client
Understand communication protocols
Understand the IT audit areas
Design testing strategy and perform tests
Conclude and report

Deliverables*:
Strategy Memorandum
Fee estimation for risk assessment
Letter of Understanding
Client Assistance Listing
Relationship and communication protocols
Value Scorecard
Summary of business goals, objectives and mega and major processes
Summary of how IT supports the business
High-level IT Process documentation
Risk Assessment
Scope document
Detailed project plans
Detailed documentation
Complete relevant quality control procedures
Summary reports to Executive Management or Audit Committee
The procedures in this document are not necessarily executed in a sequential fashion.
While there is a natural order to performing the stages, activities and worksteps, and they
are interdependent, we might not conduct the activities or procedures in a standard
sequence. The following summarizes the processes defined in this document:
Stage 1 - Co-Develop Client Expectations: We co-develop and confirm the basis for
our relationship with the client. We develop a mutual understanding of the scope of
our IT internal audit services among client management responsible for the IT
internal audit function, the client's executive management, the Audit Committee of
the Board of Directors, and the engagement team(s) responsible for our internal and
external audit services, as appropriate. We co-develop expectations with the client in
order to understand and document our relationship objectives and our relationship
protocols. Additionally, we begin to understand the client's business goals,
objectives, strategies, and risks.
Stage 2 - Conduct Risk Assessment: We assist client management responsible for
the IT internal audit function in developing a risk assessment of the client's IT
processes and IT components supporting the business processes. The purpose of the
risk assessment is to identify where significant IT risks exist, to assess the relative
levels of risk, and to align the IT internal audit approach with the areas of the
company that will provide an appropriate level of risk coverage. The risk assessment
establishes risk priorities and forms the primary, but not only, basis for the allocation
of resources in the annual IT audit plan. Our risk approach is a flexible, business and
IT process focused methodology; see Appendix A for the detailed methodology blueprint.
The risk assessment is reviewed and approved, at least annually, by the client's
executive management and the Audit Committee.
Stage 3 - Develop Annual IT Audit Plan: We work with client management
responsible for the IT internal audit function to develop the IT annual audit plan. The
annual IT audit plan defines the individual projects to perform during the year along
with an estimate of the total number of hours required for each project. In assisting
with the development of the plan, we consider the total available hours for the
overall engagement, the need for special management discretionary projects, and the
number and mix of specialized resources required to perform each audit. The annual
IT audit plan, which includes an outlook of projects to be performed on a rotating
basis over a specified period of time (e.g., three years), is reviewed and approved by
the clients executive management and the Audit Committee. It is updated as
required, at a minimum yearly, to reflect significant changes in the clients risk
profile that may result from changes in the organization structure, business
operations, technology infrastructure and/or new products and services.
Stage 4 - Execute the Annual Audit Plan: This stage is made up of six activities
designed to guide the execution of the individual projects defined in the Annual IT Audit
Plan. All or part of certain activities may be omitted, depending
upon the scope of the particular project as determined in Stage 3 - Develop Annual IT Audit
Plan. The activities are:
Activity 4.1 - Scope the IT Audit Project: This is performed at the outset of each
project and provides focus and direction for the remainder of the procedures
performed during the execution of fieldwork. In this activity, we establish the
objectives, scope, and timing of the project and communicate these expectations
to management through a project scoping document.
Activity 4.2 - Understand the IT Audit Areas: This builds on the initial
understanding of the processes and/or areas selected for the audit that was
gained in Stage 2 - Conduct Risk Assessment. In this activity, we consider what additional
information is required for us to document an understanding of the audit area.
We also confirm the team members and agree roles and responsibilities.
Activity 4.3 - Identify and Assess Risks: This builds on the initial understanding
of the related risks, including key performance indicators, gained in Stage 2 -
Conduct Risk Assessment. In this activity, we consider where errors could occur in the IT
process or area (or in the business process, where we are teaming with Internal Audit
Services) that would keep the process from achieving its financial reporting,
operating, or compliance objectives, and we walk through the process to confirm our
understanding. In this activity we determine the inherent risks as they relate to
the audit project and agree our risk assessment with management.
Activity 4.4 - Identify and Evaluate Controls: This builds on the initial
understanding of the related controls gained in Stage 2 - Conduct Risk Assessment. During
this activity, we preliminarily evaluate the effectiveness of the process design
and of the controls in place to address the potential for errors to occur. This
preliminary evaluation is used in the next activity, where the controls are tested,
as applicable. We also may provide management with recommendations for
improving the controls and enhancing process performance.
Activity 4.5 - Design Testing Strategy and Perform Tests: This builds on the
preliminary evaluation of the selected processes and related controls in the
previous activity. Where appropriate, for the controls identified and preliminarily
evaluated as effective in the previous activity, we design and execute tests of
controls to determine whether the controls are operating as we understood.
Exceptions noted in our testing are communicated to management and may result
in recommendations for improvement in our final report.
Activity 4.6 - Conclude the Audit/Reporting: We conclude the audit project by:
Reviewing all working papers, supporting documentation, and the draft
report.
Determining whether we have performed work sufficient to satisfy our
objectives and whether our conclusions are adequately supported.
Communicating the results of our work to management.
Requesting feedback from management on whether or not we have met
their expectations.
Methodology - Stage 1
Stage 1 Activities
Activity 1.1
IT Internal Audit Services engagements will, in most cases, be sponsored by the Director
of Internal Audit and the top management of the organization. Like other ISAAS services, it is
necessary to understand what the client's concerns, needs, and expectations are and how
we can assist in meeting those needs. Once we have identified the necessary participants
(generally the client's Internal Audit Director, Chief Financial Officer, Chief Information
Officer, and other key executives), we should set objectives for the meetings. For internal
audit teaming and integrated audits, we ordinarily have the coordinating partner, the IAS
engagement partner and possibly other members of the external audit team participate in
these meetings.
In preparing for the meetings, we make a preliminary assessment of our relationship with
the client and our knowledge of the client's business and industry, its needs and
expectations, and its goals and objectives. In addition, we review and consider the results
of any prior ISAAS projects, client satisfaction surveys, and previous discussions with
management. This preliminary assessment also is important in considering which
Figure (Activity 1.1, Co-Develop Expectations, "client name" placeholder): Internal Audit Drivers - risk focus, risk coverage, business process gap closures, early warning detection, value creation, strategic insight, shareholder value, idea generation, knowledge transfer, audit efficiency, respect, management measurement, minimal disruption, client satisfaction, completion of audit plan. Establish Relationship Protocols - risk focus, our team, subject matter expertise, communication protocols, executive management/Audit Committee reporting, value scorecard, special projects.
Activity 1.2
Figure (Activity 1.2, "client name" placeholder): Value Scorecard Components - other IA measures, frequency of communications, processes, geographic areas, functional units, special projects.
To better understand client expectations, deliver value to our clients and assist in
developing an internal audit IT risk assessment, we need to obtain a high level
understanding of the client's business. This understanding will allow us to effectively
perform a risk assessment and therefore appropriately focus our professionals. In
addition, we will gain credibility by demonstrating an appropriate depth of knowledge of
the client's industry and business.
To understand the client's business, we consider the following objectives:
Understand the organization's business objectives, goals and strategies;
Understand the critical success factors for the organization to successfully achieve
these objectives. In addition, identify any strengths, opportunities and challenges
for the business in achieving these objectives;
Understand what influences exist, both internal and external to the
organization, that will impact the business objectives and critical success factors;
Understand how the organization is structured, including current staff capabilities;
and
Obtain a high-level understanding of the business processes and determine the key
business and IT processes.
We might obtain much of our understanding through a facilitated discussion with
appropriate company management. Within these meetings, we will discuss the
company's current state and desired future state, as well as the business strategies and
risks. Before the discussion, we also may need to gain an understanding of the market
forces and other environmental factors affecting the company, as well as the influences
of the stakeholders.
Following are example templates which can be used in our discussions to meet the above
objectives:
Template 1 (client name): columns for Future State, Key Performance Indicators, Critical Success Factors and Business Risks; example entries include maximum service penetration through distribution channels and shared services.
Template 2 (client name): Key Performance Indicators (e.g., stock price, EPS, inventory turnover); Critical Success Factors (e.g., managing growth, SG&A reductions, enterprise system implementation); Business Risks (e.g., departure of key management, increased competition).
Using the knowledge obtained, we will be able to identify the higher level risks inherent
in achieving the business objectives of the organization and the system of controls over
these higher level risks. We also determine whether the organization currently has a risk
framework in place. Risk frameworks will vary from client to client, but will include the
identification of the most significant high level risks faced by the organization.
There are various sources of information available that can be used to help us obtain our
high level understanding. If the organization is a current client of Ernst & Young, we
may be able to obtain useful information from the external audit team, workpapers,
deliverables, IAS resources and intelligence, or the Business Intelligence Memorandum
(BIM) produced by the Assurance Support Center (ASC). Up-to-date market, industry,
regulatory and technology information and trends can be obtained through the ASC
Custom Databases. In addition, industry Business Process and IT Process Models with
example business objectives, critical success factors, etc., are located in the ASC Industry
Link Database. Both the ASC Custom Databases and the ASC Industry Link Database
can be accessed through ASC Online on the ISAAS Workbench. We should also obtain, if
appropriate, the client's Strategic Business Plan, IT Strategic Plan, and organization
charts.
This information should be collated and kept in a central location (e.g., a background
binder, account plan document or Lotus Notes team database) for engagement team
members to review for background information prior to performing any work with the
client.
Activity 1.3
Within the previous activities of this stage, we obtained an understanding of the client's
expectations and needs as well as a high-level understanding of the client's business and
IT processes. We also obtained information regarding the importance of IT in supporting
these processes. This information is useful and necessary to determine the scope of the
engagement, which is the goal and output of this step. The project team should be
mindful that as the project progresses it may be appropriate and necessary to focus on
areas other than those initially selected. If the scope changes, we assess whether it is
necessary to revise the LOU, our fee estimates and/or timetables for completion.
The Risk Assessment is the primary driver for the development of the IT Internal Audit
Services Audit Plan. Therefore, we must appropriately co-develop the scope of the Risk
Assessment with the client. This is done by using the information gained through the
previous steps of this stage, and analyzing that information using our understanding and
knowledge of the major IT subprocesses as defined in COBIT. Further discussion of
the major IT subprocesses and E&Y's use of the COBIT methodology can be found in
Activity 3 within Stage 2 of this document. We also must determine whether a Risk
Assessment Methodology is already being used by the organization. The client may want
us to follow a pre-developed Risk Assessment Methodology. If there is a methodology
already in place, we will need to review the methodology to determine its adequacy and
whether we feel comfortable following its procedures. In the absence of a client risk
framework, we should consider using the business process/IT process framework
outlined in this methodology.
Scoping the IT internal audit risk assessment and procedures is a complex process which
requires significant skill and professional judgment. It should therefore be performed by
the most senior and experienced team members. These team members should also have
knowledge of the major IT processes and their sub-processes.
Activity 1.4
Determine deliverables
In addition to defining the scope of the project, we discuss with our client how we will
deliver the results of our review. The last work step within this stage of the methodology
is to agree upon the deliverables or report format. The discussion would likely include
the following:
The form of the deliverables (written report, oral presentation or both);
The contents of the deliverables (e.g., to what extent should the basis for the
observations and the recommendations be included in the report). This matter
becomes critical when there is the potential to include certain sensitive
information in the report.
The timing, or turn-around, of reports (e.g., draft report issued within 15
business days after the end of fieldwork). Many internal audit functions are
concerned with timely completion of audit reports, therefore it is critical that we
understand and discuss their expectations to ensure client satisfaction.
Management responses and timing. Some clients prefer that the draft reports have
initial management responses, while others prefer for management responses be
gathered at the time of the final closing meeting. The clients preference could
significantly impact our ability to meet report turn-around requirements. In
addition, some clients set deadlines for management responses (e.g., 10 business
days after the draft report is issued). These expectations are communicated to our
engagement team and to relevant client personnel to ensure that timing
requirements are understood and accepted.
Report Ratings. Client management may request that we apply ratings to our
reports. We discourage the use of ratings for two reasons:
We do not want to give the impression that we are issuing an opinion, or
attestation, on controls; and
Ratings do not foster an open environment for communication and
resolution of issues.
On some engagements, the Director of Internal Audit or the audit liaison is
responsible for assigning ratings based on our detailed reports. However, if the
client requests that we assign the ratings, detailed guidance is provided in the
Internal Audit Services - Policies and Procedures Manual. The rating categories
should be co-developed with the client and documented in the strategies
memorandum. We may also request a representation from client management
acknowledging that the ratings do not constitute an opinion or attestation on the
adequacy of controls.
At this stage of the engagement, the form and content of the deliverables can usually be
set out only on a provisional basis. As the engagement proceeds, the outlines of the
deliverables will become clearer and can be discussed with the client in more
detail.
Activity 1.5
Methodology - Stage 2
At a high level, our risk assessment approach can be summarized in the following steps:
understanding business goals, objectives, and critical success factors;
understanding the business processes and the related IT requirements, including
the potential impact if the business requirements are not met, and
understanding the IT resources and processes that management has implemented
to meet the business requirements.
This can be illustrated by:
Principal Worksteps
2.1.1 Identify and Orient Project Team
Identify Project Team: When developing the project team, ensure the following areas
receive proper attention:
Delivering IT internal audit services requires experience in many aspects of IT
systems, audit and controls. Implicit within the development of this methodology
is the understanding that the professional, or at a minimum the project team as a
collective, will have experience in understanding business processes,
understanding the major IT controls, and analyzing IT processes to
determine whether they are helping ensure that IT supports business objectives and
operations.
The engagement team should ideally include a leader or key team member who is
experienced in the industry served by the client organization. Such experience is
valuable in helping the client identify needs and issues relevant to their particular
industry.
Well developed interpersonal skills are required. To be effective, the project team
members will be required to gather information from various sources through
interviews. Team members should be skilled and comfortable with significant
interpersonal contact with high-level executive and senior management with the
client organization.
Additionally, the projects are often designed to touch many areas of the
organization. Therefore, the project manager must be skilled in managing a
complex engagement. The engagement will be comprised of components that
involve many of the business units, and will use multiple means of gathering data
and information. Ensuring that all are executed smoothly and concurrently requires
well developed project management skills.
Specific engagement team/project management team roles and responsibilities are
included in Appendix C-1. See additional guidance regarding engagement teams, review
responsibilities, independence requirements, etc., in the ISAAS Policies and Procedures
Workbench and the IAS Policies and Procedures Manual.
Orient the Project Team: Due to the size and complexity of IT Internal Audit
Engagements, special attention must be paid to orienting the project team, particularly in
area of setting expectations, and discussing roles and responsibilities. Specific areas for
consideration and communication are:
Project Charter: As a result of Stage 1 - Co-Develop Expectations, we develop a
brief project charter which defines the areas to be assessed and the scope of our
procedures. It also sets expectations for status reporting, communication, etc. The
project charter should be communicated to all team participants.
Engagement Roles & Responsibilities: As a part of the planning phase, we will
also develop a project workplan, budget and timeframe for the risk assessment.
The engagement executives and project manager ensure that the engagement team
understands each of their roles and areas of responsibility in performing the risk
assessment. Discussion points could include specific areas for evaluation,
supervision and review responsibilities, performance review expectations, etc.
Integrated Audit Considerations: Where we are performing internal audit
procedures for a current audit client, during Stage 1 - Co-Develop Expectations we
identify areas where internal audit will perform procedures that will be relied upon
in the external audit. To ensure that these procedures are performed adequately
and on time, it is critical for each of the engagement team members to understand
the external audit requirements and their responsibilities for addressing these
requirements and communicating the results to the client, the internal audit team
and the external audit team. See an example of a Summary of Financial Audit
Considerations user plan in Appendix C-7.
Project Documentation Standards: Prior to performing any work on the
engagement, we determine the form and content of the workpapers. If the client is a
firm client, and the work to be performed in the risk assessment is to be relied
upon by the external audit team, then the documentation standards promulgated by the
firm should be adhered to for the engagement. The risk assessment should also
incorporate the firm standards for workpaper documentation prescribed in the
ISAAS Policies and Procedures Workbench Notes database. Although we strive for
Principal Worksteps
2.2.1 Identify relevant information held by E&Y
Use the knowledge acquired from Stage 1 - Co-Develop Expectations to prepare a draft
summary of the business goals, objectives, strategies and critical success factors.
Consider using the ASC Industry Process/Business Risk template as a starting point.
Depending upon specific circumstances, the engagement team may decide to use only the
output from Stage 1, rather than to perform additional work in this area. The decision as
to the level of detail required should be based on the professional judgment of the ISAAS
executive and the specific engagement requirements. If the entity is already a client of
the firm, give consideration to whether sufficient relevant information exists within other
E&Y engagement documentation. Examples of this may include:
Audit: Information collated from Audit Process Activity 7 (Understand Business
Goals, Objectives, Strategies and Critical Success Factors). This information is
likely to be documented using the ASC Industry Process/Business Risk template, as in
the example in Appendix B.
Internal Audit Services: Information from activities related to modeling the
business (Understand Business Goals, Objectives, Strategies and Critical Success
Factors).
Activity 2.3Understand the Mega & Major Business Processes and Related IT
Requirements
Introduction
Understanding the entity's mega and major business processes and how they relate to
the critical success factors of the business enables us to identify the key business
processes. Determining how, and which, IT supports the key business processes
provides an understanding of the importance of IT to the business. This understanding allows
us to perform a more business focused IT risk assessment and direct our workplans to
provide the most value and the most comprehensive risk focus to the client.
Principal Worksteps
2.3.1 Identify the mega and major business processes
We obtain business process documentation directly from the client or from available
E&Y resources, such as IAS or external audit, or select a normative business model for
the industry that relates to the entity. These models are typically available from industry
PowerPacks and in the ASC Industry databases on Lotus Notes. Gain a high level
understanding of the clients documents or customize the normative industry models using
the information collected during co-development of expectations.
The purpose of this workstep is to enhance our understanding of the business for
purposes of our IT risk assessment. Our intent is not to perform a business risk
assessment or model the business. Therefore, our documentation and inquiries should be
at a high level.
Confirm who the owner of each business process is and obtain the following information:
Process Name: the name should reflect the common language that the client uses.
Purpose/Objective: why the process exists.
Owner of the Process: who is responsible for ensuring the process achieves its
objective.
Beginning and Ending: the boundaries of the process.
Inputs and Outputs: what is required to perform the process and what is
produced by the process that can be passed on to other processes.
Summarize the information. See examples of major and mega process documentation in
Appendix C-3.
For clients that do not manage their businesses with a process orientation, identifying the
business process owners may be more difficult. In these cases, identify the functional
managers who are responsible for key aspects of each business process. For example, in
such a client, we may correlate the major processes to organizational components (e.g.,
department, division, subsidiary), and their functional managers. The following
illustrates one way to relate major business processes to functional departments: a
matrix with the departments (e.g., X, Y, Z) as rows and the major processes as
columns, with a mark in each cell where a department performs part of that process.
2.3.2 Identify the key business processes
It is essential that we understand which of the major business processes are most
important (key) to the business. This is necessary in order to focus our efforts on these
processes. The key business processes can be identified by developing an understanding
of which major processes have the greatest impact on the achievement of the clients
critical success factors.
One proven method of identifying the client's key business processes is the use of a
matrix of the processes and critical success factors to assess the effect of each
major process on the client's critical success factors. See an example of the matrix in
Appendix C.
In less complex clients, it may be possible to understand the relationships without using a
matrix. Alternative methods may be used (e.g., making this correlation at the mega
process level). Professional judgment should be applied when determining the final
approach to be undertaken.
2.3.3 Understand how IT supports the mega and major business processes and its
potential impact on the business.
In workstep 2.3.2, we identified the key business processes and gained an understanding of
why they are critical to the success of the business. Our next step is to understand the
role that IT plays in enabling and/or ensuring that the key business processes are
successful. In order to understand the impact and importance of IT, we must understand:
Where are the key business processes supported by IT?
What is the potential impact to the business if IT is not functioning as required?
Have there been any previous issues with IT not meeting the business
requirements?
Principal Worksteps
2.4.1
Data
Have there been previous data integrity issues?
Is data concentrated in one or a few databases, or throughout several
databases?
Applications
Do a few applications support several business processes?
Are there significant off-line or desktop systems in the business units?
Are applications new or old based on industry comparison?
Have there been recent implementations or are any planned?
Technology
Is the client using the latest technologies or older versions?
Have there been availability or connectivity issues?
Have there been recent implementations or are any planned?
Do a few systems support several applications or business processes?
Facilities
IT Processes
IT processes normally are a key enabler of an entitys business processes and often
significantly affect how management controls its business processes. Our objectives in
this activity are to:
Obtain a high-level understanding of the clients IT processes that support the
clients business processes and consider any business risks we identify.
Obtain an understanding and preliminarily evaluate the design of the controls
related to IT processes that affect our risk assessments for significant business
process IT requirements.
To assist us in understanding the IT processes and how they support the clients business
processes, we use the E&Y Information Technology Process ModelA Major Process
View. The major IT processes in this model are: Planning the IT Environment,
Developing and Delivering IT Solutions, Operating the IT Environment, and Organizing
and Monitoring IT Processes.
Factors influencing the importance the client places on developing controls in the
information technology processes include the nature, materiality, and volume of
information processed; the risk to the organization of poor business decisions based on
inaccurate or unreliable information generated by the information systems; the presence
or absence of manual controls around the IT processes; and the degree of disruption that
would occur if the client was forced to operate without certain information systems for
any length of time.
Factors which may influence our risk assessment, or indicate potential risk related to
certain IT processes, include:
Level of change expected in the environment (Planning, Developing and
Delivering),
Unusual number of failed projects or amends after implementation (Developing
and Delivering),
Poor response time or connectivity issues (Operating),
Above average IT spending (Planning, Monitoring),
Significant business changes, e.g., mergers, acquisitions, expansion, downsizing
(Planning, Developing and Delivering, Operating)
Summarize the results of the risk assessment. The summary should include an
overall view of the Major Processes and their relative risk for each auditable unit.
For each auditable unit identified, consideration needs to be given to
industry/product segment attributes, management's business objectives and overall
company conduct and goals. The resulting output is an overall risk assessment for each
auditable unit that serves as the basis for allocating audit resources and preparing the
annual audit plan.
2.5.2
By applying client environment, business objective, and industry attributes, along with
overall experience among ISAAS professionals participating in the risk assessment, we
should be able to prioritize the results of our risk assessment. Additional factors to
consider include: financial exposure (i.e., materiality), quality of internal control systems
at both the entity level and application/process level (given either our preliminary
assessment or understanding based on prior experience), changes in management
structure, prior audit results, time or significant events since last audit, and location risk.
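The process-by-CSF matrix of workstep 2.3.2 and the prioritisation factors listed above, carried through as an added worked example in Python. This is not part of the toolkit: the process names, auditable units, 0..3 scale, factor weights and scores are all constructed for illustration, and the idea of folding the supported process's CSF criticality into the unit's score is an assumption of this example rather than something the toolkit prescribes.

```python
"""Added example (not from the toolkit): a process-by-CSF impact matrix to
pick the key business processes (workstep 2.3.2) and a weighted scoring of
auditable units from the prioritisation factors of workstep 2.5.2. Process
names, factor weights, scales and scores are constructed assumptions."""

from dataclasses import dataclass
from fractions import Fraction

IMPACT_SCALE = (0, 1, 2, 3)  # 0 = none .. 3 = high; an assumed scale

# Constructed critical success factors and major business processes.
CSFS = ["Managing growth", "SG&A reductions", "Enterprise system implementation"]
PROCESS_CSF_MATRIX = {
    # process                impact on each CSF, in CSFS order
    "Order to cash":         (3, 2, 3),
    "Procure to pay":        (2, 3, 3),
    "Record to report":      (1, 2, 3),
    "Hire to retire":        (2, 1, 0),
    "Facilities management": (0, 1, 0),
}


def process_criticality(matrix=PROCESS_CSF_MATRIX, csfs=CSFS):
    """Each process's share of the maximum possible CSF impact, as a Fraction in 0..1."""
    max_total = max(IMPACT_SCALE) * len(csfs)
    crit = {}
    for name, impacts in matrix.items():
        if len(impacts) != len(csfs) or any(i not in IMPACT_SCALE for i in impacts):
            raise ValueError(f"{name}: need {len(csfs)} impact scores in {IMPACT_SCALE}")
        crit[name] = Fraction(sum(impacts), max_total)
    return crit


def key_processes(matrix=PROCESS_CSF_MATRIX, csfs=CSFS, threshold=Fraction(1, 2)):
    """Processes whose criticality meets the threshold, highest first (ties by name)."""
    ranked = sorted(process_criticality(matrix, csfs).items(), key=lambda kv: (-kv[1], kv[0]))
    return [name for name, c in ranked if c >= threshold]


# Prioritisation factors named in workstep 2.5.2; the weights are assumed.
FACTOR_WEIGHTS = {
    "financial_exposure": 3,
    "control_weakness": 3,       # 3 = weak controls at entity or application level
    "management_change": 1,
    "prior_audit_results": 2,    # 3 = significant prior findings
    "time_since_last_audit": 2,
    "location_risk": 1,
}
CRITICALITY_WEIGHT = 3           # weight of the supported process's CSF criticality


@dataclass
class AuditableUnit:
    name: str
    process: str    # major business process the unit supports
    scores: tuple   # one 0..3 score per factor, in FACTOR_WEIGHTS order


def risk_score(unit, crit=None):
    """Weighted factor scores plus process criticality, normalised to 0..1 (2 d.p.)."""
    crit = process_criticality() if crit is None else crit
    if len(unit.scores) != len(FACTOR_WEIGHTS) or unit.process not in crit:
        raise ValueError(f"{unit.name}: need {len(FACTOR_WEIGHTS)} factor scores and a known process")
    if any(s not in IMPACT_SCALE for s in unit.scores):
        raise ValueError(f"{unit.name}: factor scores must be in {IMPACT_SCALE}")
    total = sum(Fraction(w * s) for w, s in zip(FACTOR_WEIGHTS.values(), unit.scores))
    total += CRITICALITY_WEIGHT * max(IMPACT_SCALE) * crit[unit.process]
    denom = max(IMPACT_SCALE) * (sum(FACTOR_WEIGHTS.values()) + CRITICALITY_WEIGHT)
    return round(float(total / denom), 2)


def prioritise(units):
    """Rank auditable units by risk score, highest first (ties by name)."""
    crit = process_criticality()
    return sorted(((u.name, risk_score(u, crit)) for u in units), key=lambda t: (-t[1], t[0]))


# Constructed auditable units; scores follow FACTOR_WEIGHTS order.
UNITS = [
    AuditableUnit("ERP order entry - North America", "Order to cash", (3, 2, 1, 2, 2, 1)),
    AuditableUnit("Payroll system", "Hire to retire", (1, 1, 0, 1, 3, 0)),
    AuditableUnit("Data centre - Leeds", "Facilities management", (2, 3, 3, 3, 3, 1)),
    AuditableUnit("AP automation", "Procure to pay", (2, 1, 1, 1, 1, 1)),
]

if __name__ == "__main__":
    print("Key processes:", key_processes())
    for name, score in prioritise(UNITS):
        print(f"{score:.2f}  {name}")
```

With these constructed inputs the key processes are Order to cash, Procure to pay and Record to report, and the ERP order entry unit outranks the Leeds data centre even though the data centre scores worse on every audit-history factor, because its process contributes little to the critical success factors. That is the effect the toolkit is after when it says business objectives and industry attributes are applied to the raw factors; the weights are the place where professional judgment enters, and they should be agreed with the client before the scores are presented (workstep 2.5.3).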
2.5.3
While we perform a number of procedures and assist in the development of the risk
assessment as described in this activity, the scope of our internal audit services, the
internal audit risk assessment and the frequency of internal audit activities remain the
responsibility of the client. Therefore, we present the results of our work to client
management responsible for the internal audit function and discuss their effect on the
annual audit plan. Validating the information gathered and the findings produced to date is
important to ensure that the client supports the analysis that will be used in finalizing
the scope of the risk assessment.
Methodology - Stage 3
Stage 3 Activities
Activity 3.1 Understand Managements Expectations Regarding Risk Coverage
Managements expectations regarding our IT audit coverage are a critical component to
deriving our preliminary audit plan. Based on the results of information obtained in Stage
1 - Co-Develop Expectations and Stage 2 - Conduct Risk Assessment, we have obtained
information from management regarding their risk tolerance and processes that impact
the critical business objectives of the organization. The next step is to co-develop a
preliminary audit plan that meets managements expectations as well as aligns our IT
audit resources to those processes that are higher risk to the objectives of the
organization.
This information is best obtained by making specific inquiries of management. We
incorporate the feedback from these inquiries in our audit plan for the following reasons:
The preliminary IT audit plan must be co-developed with management as they are
ultimately responsible for the internal audit function and have engaged us to
provide internal audit services to their organization.
The nature and scope of our work is determined solely by agreement between the
client and engagement team, and, generally the work is performed for the benefit
of the client.
Management serves as the liaison between the internal audit function and
management of the organization, external auditors, regulators and other third
parties, whose needs/requirements impact the audit plan.
Managements expectations regarding audit coverage will have an impact on the
prioritization of audits when allocating IT audit resources.
The results of the IT risk assessment should complement management's
assessment of risk, which will drive the audit areas selected for the current year
audit plan.
Management may expect the audit plan to incorporate areas of lower risk or
procedures for external auditors or regulators.
Since the preliminary IT audit plan needs to be co-developed with management, the
following questions should be asked to help us obtain sufficient understanding of the
client expectations regarding audit coverage:
How much risk exposure are you willing to accept?
Which audits will be performed on an annual basis or for the current year?
Are there any audits which can be cycled, and what frequency best fits
management's comfort level (i.e., what audit coverage is expected for the moderate and lower risk
areas)?
What amount of audit hours needs to be allocated to fulfill the needs of external
auditors, regulators or other third parties?
Although the client may expect us to determine the answers to some of the above
questions, especially for integrated audits, we should ask if they have any specific
expectations in these areas.
Activity 3.2 Prioritize Audits
With the above information, we begin the process of building the audit plan.
3.2.2 Identify Management's discretionary projects
Management may have also requested that the internal IT audit plan set aside some time
for the performance of management determined projects. Examples of these types of
projects include system conversion procedures, participation in Year 2000 status
meetings, etc. Usually management indicates that a percentage of budgeted hours or a
fixed number of hours is to be designated for such projects. These resource needs are
typically set aside initially when putting together the audit plan with the remaining
resources being appropriately allocated. As these projects are hot buttons of
management, we assign a high priority to allocating resources for these needs.
3.2.3 Developing the audit strategy and preliminary budget
At this point, our prioritization of projects is complete. The next step is to develop an
audit strategy and develop preliminary budgets and timetables. We build the budget by
developing high-level workplans for each project and estimating the time to complete the
procedures. As the individual audits can incorporate a number of different services and
require different skill sets, we consider the number of hours required for different skill
sets and levels. For example, a Year 2000 review would require more experienced
resources than an operating system security assessment using one of our automated tools.
Although we are not creating detailed budgets in this phase, we still consider the nature,
the risk and the relative skill sets needed for the individual audits in developing the
preliminary budget.
We then allocate types and levels of resources required for each audit based on these
preliminary budgets. We will include the timeframe for each project within our budgets
to ensure resources are appropriately scheduled and client conflicts are detected early. A
sample Annual Audit Plan template is located in Appendix D-1 to assist in documenting
the audits to be performed during the year.
Methodology - Stage 4
Stage 4 Activities
Activity 4.1
The agenda will differ from client to client and from audit to audit; however, it should
generally cover the following areas:
Attendee introductions;
Purpose of the audit;
Changes in the environment since initial risk assessment;
Proposed scope of engagement;
Additional changes required in the proposed scope;
Requirements of the client;
Key client and Ernst & Young contacts;
Timing of review and deliverables;
Questions and concerns of management.
4.1.4 Meet with Client Management
The agenda should be briefly discussed and agreed at the beginning of the meeting. From
this meeting, we should have an initial agreement on the project-level expectations
regarding the audit scope, specific deliverables and communication protocols. During the
meeting, we also identify any issues or conflicts in the organization that could hinder the
efficiency or effectiveness of the audit project. The meeting should also be used to gain
an understanding of management's risk and control awareness. Although this may not be
directly audited or reported, it will provide useful insight when undertaking the audit.
4.1.5 Finalize IT Audit Scope
Update/Prepare Project Plan
Prior to performing the risk assessment, we should have obtained a signed Letter of
Understanding from the client. If we have not obtained this document, we must prepare a
Letter of Understanding before commencing our work. See the discussion of the Letter of
Understanding in Stage 1 - Co-develop Expectations with Client. For each specific audit
project, we should update or develop a project plan which should include the following:
Major process and associated sub-processes or specific area to be included in the
IT audit.
Anything that will be excluded from the audit.
Nature of the audit work to be performed.
Fieldwork start and completion dates.
Draft and final reporting protocols and deadlines.
Who will perform the audit.
This document should be shared with Client Management to ensure that all expectations
are consistent.
Confirm Required Resources
Depending on the size of the IT audit engagement, members of the project team may
perform various roles in executing fieldwork. A planning meeting should be held with
the audit team members to plan the audit and agree roles and responsibilities. We also
will outline the budget for the review and provide team members with performance
expectations and goals. We may want to hold a team orientation meeting to discuss the
details of our project plan and role assignments. This meeting would provide the team
direction on the objectives, scope, and timing of the project.
Activity 4.2 Understand the IT audit areas
4.2.1 Revisit Risk Assessment
During the Risk Assessment activities, sufficient understanding of the organization's
business processes, IT processes and supporting technology was obtained to identify the
significant inherent risks that would cause the organization's business objectives not to
be achieved. This understanding should have been updated to reflect discussions
undertaken during Activity 1 - Scope Audit Project.
It is necessary to determine the level of further analysis that is required to develop a full
understanding of the risks and related controls to ensure that the time allotted for the
audit project is not spent inefficiently, e.g. documenting a process to an unnecessary
depth of detail.
We may develop a high-level plan around what further information is required for us to
obtain our understanding. Essentially, we are required to understand how the process or
control area actually does what it has been designed to do and how it achieves its
objectives.
4.2.2 Acquire Information from Client Management and Staff
Having developed a plan outlining what additional information is required, we need to
interview appropriate client personnel for us to obtain the additional information which
was outlined above. It is likely that more than one meeting will be required to fully
develop our understanding to the appropriate level. In recognizing this, it is important that
a top-down approach is taken to these meetings, e.g. meet with management first, before
moving to the staff. We must also always be cognizant of tests of controls that can be
performed at the same time that we are obtaining our high-level understanding. We will
typically be required to go back to these individuals, however, it will be more efficient to
test some controls at the same time we are obtaining our high-level understanding.
4.2.3 Document Understanding
To facilitate identification of risks and controls and to confirm our understanding of the
major process and associated sub-processes, we should document our understanding of
the processes. Caution must be used when doing this as it can be unnecessarily
inefficient to document too much detail or to try to perfect our understanding.
When reviewing IT processes, we can document our understanding using the
Documentation of IT Controls form used as part of the Ernst & Young Audit
Methodology. Efficiencies will be gained in integrated audits by using these external
audit forms and templates. In addition, we need to consider other audit process
considerations which may be beneficial in an integrated audit. Normally accepted
methods of capturing our knowledge include process diagrams, narrative notes, as well as
control analysis forms (CAF). Firm tools such as Permit and the ISS toolkit are also
acceptable. There are significant benefits to both E&Y and our clients if we capture this
information in a consistent manner/structure.
would follow a transaction or control through the process to ensure that our
understanding as to the intended functioning of the control procedure is correct and
document the process and results. At this point, we may want to meet with the
appropriate process owners to confirm the completeness and our understanding of the
key controls.
The information we gain about controls during our inquiries of client personnel should
be detailed enough to enable us to identify the controls, understand how the various
controls are performed, who performs them, and what data, reports, files, or other
material are used in performing them. Furthermore, we determine what physical
evidence, if any, is produced as a result of performing the controls and what the best
method is for testing the controls. Once we have identified the controls, any required
testing of the effectiveness of the procedures can begin.
4.4.2 Evaluate Effectiveness of Controls
Evaluate Individual Controls
From our understanding and/or walkthroughs, we may have enough information to
initially evaluate the individual controls. Therefore, before performing additional tests of
controls, we evaluate whether the process and related controls identified are likely to be
effective in achieving the relevant objectives. Consider each risk in turn and evaluate
each control that has been identified as mitigating the risk. Consider the effectiveness of
the control in respect of the likelihood or impact of the risk:
Does the control prevent or detect the risk?
What is the nature (manual or IT) of the control?
Is the control effective, and if it were the only control operating, would it
mitigate the risk in its own right?
Is the control effective, but only when it operates in conjunction with other
controls?
Is the control ineffective at mitigating the risk?
Evaluate Combination of Controls Over Each Risk
Having identified and evaluated individual control effectiveness, consider how effective
the combination of controls is over each risk. This is achieved by considering the mix of
controls, their respective effectiveness, type and nature. Attempt to identify any scenarios
where the risk could occur, even if the controls operate effectively.
Optimal Control Mix
Even if the controls are effective, they may not be the most efficient or effective controls
possible. View the controls over the risks to consider if a more efficient and effective
way of providing the same (or better) coverage over the risk exists.
4.4.3 Raise Issues and Agree with Management
In making our preliminary evaluation, we may identify certain weaknesses in the design
of controls that we should bring to management's attention. Even though we may
identify additional issues regarding the operation of controls in Activity 5 - Design
Testing Strategy and Perform Tests, we may bring issues to management's attention as
they are identified. To facilitate this communication, we may use an Issue Summary
template (see example at Appendix E-5) to document the issue, develop our
recommendation to improve the design of the control, and communicate the issue to
management for follow-up and corrective action.
We also need to consider communicating issues to the integrated audit team, specifically
the external audit team when issues may impact our evaluation of risk and controls
related to the financial audit. However, client management should be consulted prior to
any communication of issues to the financial or external audit team.
Activity 4.5
Testing methods and their advantages and disadvantages:

Re-performance
Advantages: Precision.
Disadvantages: Time-consuming and, unless errors are discovered which were not
detected by management, does not necessarily produce high quality evidence.

Verification
Advantages: Can be focused onto potential problem areas.

Observation
Advantages: Direct evidence of the operation of control procedures is obtained.

Inquiry
Advantages: Tests the understanding of the individuals who perform the control.

Analytic Procedures
Activity 4.6
Methodology - Stage 5
Stage 5 Activities
Activity 5.1 Understand Communication Protocols
The type and frequency of communication with executive management and the Audit
Committee is developed during Stage 1 - Co-Develop Client Expectations. The following
is a list of considerations, along with suggested timing, for meeting with executive
management and the Audit Committee:
We typically meet with executive management and the Audit Committee
periodically throughout the year, along with client management responsible for the
internal audit function, to report on the status of our work and to communicate
significant findings.
Client Service Charter (Stage 1) - We discuss client expectations at least annually
at the FY Q1 meeting.
Risk Assessment (Stage 2) - We review the annual risk assessment of the
organization, which is the basis for establishing the annual audit plan (typically
FY Q3 meeting for the following year's audit plan).
Annual Audit Plan (Stage 3) - We assist client management responsible for the
internal audit function in obtaining formal approval of the audit plan annually
(typically FY Q4 meeting for the following year's annual audit plan). On a
quarterly basis, any significant changes to the annual audit plan are reviewed and
approved by executive management and the Audit Committee.
Status of Audit Plan - We review the status/completion of the annual audit plan at
each meeting.
Summary of Audit Results - We provide executive management and the Audit
Committee a summary of our significant audit findings. We agree with the client
the type of summary findings and recommendations they would like us to prepare,
as well as any other desired special communications.
Value Scorecard - We present our value scorecard to communicate the value we
have provided to the client through our services. Possible categories of value
include: idea generation, project assistance, revenue enhancements, cost savings,
and time savings. A sample Value Scorecard template is included in Appendix B
and is provided electronically in the IAS PowerPack.
Activity 5.2 Prepare for Executive Management/Audit Committee Meetings
In order to increase the effectiveness of meetings with executive management and the
Audit Committee, we need to be well prepared to meet our client's expectations.
Although the agenda for these meetings is agreed with the client, a sample Audit
Committee calendar documenting various discussion topics for quarterly meetings is
included in Appendix F. Due to the importance of these meetings, we should plan and
budget for adequate preparation time. In some situations, we need to perform a
significant number of activities prior to the meeting, such as sending meeting
notifications, making meeting arrangements, gathering presentation handouts from other
meeting participants, preparing our own materials and distributing these materials in
advance of the meeting.
Preparing for the Audit Committee requires direct participation of executives and
coordination with client management responsible for the internal audit function. In
addition, we ordinarily provide the appropriate client executive management with a copy
of our presentation materials prior to distributing them to the Audit Committee.
Activity 5.3 Communicate Results
We meet to present and discuss the material described in principal Activity 1 with
executive management and the Audit Committee on a periodic basis. The executives
attending the meetings with executive management and the Audit Committee should be
familiar with our audit results and be prepared to answer questions regarding the scope of
our work, our findings and recommendations. Ordinarily, we also discuss the value we
have provided, as documented in our Value Scorecard.
We should be responsive in following up on client requests coming out of the Audit
Committee meeting and request them to provide suggestions for future meeting
presentation topics.
Appendix A-1
Stages, Activities and Deliverables*

Stage: Conduct Risk Assessment
Activities: Validate our understanding of IT and risk
Deliverables: Strategy Memorandum; Summary of business goals, objectives and mega and major processes; Summary of how IT supports the business; High-level IT Process documentation; Risk Assessment

Stage: Prepare Annual IT Audit Plan
Activities: Understand management's audit coverage expectations; Prioritize audits; Understand engagement economics; Agree audit plan with client

Stage: Execute the Audit Plan
Activities: Design testing strategy and perform tests; Complete relevant quality control procedures
Deliverables: Scope document; Detailed project plans; Detailed documentation

Stage: Communicate Results
Activities: Understand communication protocols
Deliverables: Summary reports to Executive Management or Audit Committee

* NOTE: Internal deliverables are in italics; all others are external.
Our methodology combines the three elements of an IT risk assessment within the
delivery concepts of CobIT. The risk assessment approach includes a business
requirements assessment, to assess the overall business risk environment, along with an
IT resource and IT process assessment. The IT resources and processes are then mapped
to the business processes, so that the auditor can combine IT and business processes to a
single view. Based on the results of the assessments and experienced auditor judgment, a
risk assessment is completed. The risk assessment is then leveraged into Stage 3 - Prepare the Annual IT Audit Plan.
Appendix A-2
Business Objectives:
Specific
Measurable
Attainable
Realistic
Timely
What are Business Strategies?
After defining goals and objectives, management generally develops and implements a
strategic plan to achieve them. A successful strategic plan helps to realize significant
opportunities for the business. Strategies are generally built around an understanding of
the markets in which the client operates and its competitive position in those markets, as
well as an understanding of the effect of the client's key stakeholders on the business
and other environmental factors.
Strategies may not be the result of a formal process and may not be summarized in
written plans or other documents. Even in the smallest companies, however, the
management generally knows the results the client is trying to achieve (i.e., its
objectives) and how it plans to achieve them (i.e., its strategy).
There are a number of alternative strategies a client can adopt to achieve a given
objective. For example, if the objective is to enter a new market within a specified time
period, alternative strategies to achieve this objective include the acquisition of existing
companies, the formation of joint ventures, or the establishment of new production
facilities.
Figure: business process hierarchy (Mega process, Major process, Sub-process, Activity).
Business information requirement categories: Availability, Confidentiality, Integrity, Effectiveness, Efficiency.
IT Risks
For each of the business information requirement categories, there are several factors
which may affect the ability to meet the business needs, i.e., these are the risks, or
potential "what can go wrong" factors, for each business information requirement
category. This next section will summarize the IT risk components for each business
requirement category. It is not meant to be all encompassing, but rather a framework to
work from in completing a risk assessment. Industry variables, changing technology and
the use or implementation and integration of technology into an entity's business
processes can affect the classification of the IT risk components by category or extend
the content of the components. IT risks are characterized as follows:
Business Information Requirement: Availability
Potential IT Risk Components: Hardware Stability; Operating System Stability; Application Stability; External Factors, i.e. Telecommunications, Environment; Network Stability; Overall system uptime/downtime; Throughput; Capacity; Accessibility; Infrastructure Design; Business Continuity Plan

Business Information Requirement: Confidentiality
Potential IT Risk Components: Security Design; Regulatory Requirements; Security/Penetration; Firewalls; Web Security; Encryption; VPN; Application Security Controls (User Profiles); Knowledge Sharing; E-mail Provisions; Security Policies & Procedures

Business Information Requirement: Integrity
Potential IT Risk Components: Unauthorized access; Employee empowerment; Application functionality and controls; Operational controls; Segregation of Duties; Inappropriate decision making tools

Business Information Requirement: Effectiveness / Efficiency
Potential IT Risk Components: Timeliness; Cost/Benefit Effective; Optimal use of resources
Figure: IT resources (Application Systems, Technology, Facilities, People) and the events and information they process (Business Objectives, Business Opportunities, External Requirements, Regulations, Risks), mapped to the business information requirements (Effectiveness, Efficiency, Confidentiality, Integrity, Availability) through message, input, service and output.
IT Processes
The five business information requirement categories are the general structure used to
classify the IT related business risks identified in our understanding of an entity. We
then gain an understanding of the processes that IT management has put in place to
manage the IT resources and mitigate risk to the business requirements, e.g., what
processes has management implemented to ensure data and application availability?
To assist us in understanding the client's IT processes and how they are implemented to
support IT resources in meeting the business requirements, E&Y has developed the
Information Technology Process Model - A Major Process View. This view supports
the definition of how an IT department is organized and how its working structure is
defined to meet the business demands of the entity.
Figure: Information Technology Process Model - A Major Process View. The business information requirements (Effectiveness, Efficiency, Confidentiality, Integrity, Availability) are met by the IT resources (People, Data, Applications, Technology, Facilities) through the IT processes:

Planning the IT Environment
Objective: To ensure that IT plans are properly aligned with the business goals, objectives, and strategies.

Developing and Delivering IT Solutions
Objective: To acquire, develop, deliver, and maintain new or enhanced business solutions involving IT architecture to enable the organization to meet its changing business requirements.

Operating the IT Environment
Objective: To provide and maintain the operation of the IT environment while ensuring the availability, confidentiality, and integrity of information systems to meet the business requirements.

Organizing and Monitoring IT Processes
Each of the IT process categories contains many sub-processes that support or describe
the major process. For purposes of this methodology, we are using the 34 IT Process
areas defined by COBIT™ as a framework, because it is the most widely accepted
framework for IT processes. These 34 IT Processes are grouped under the four (4)
major IT areas as defined in other E&Y methodologies. We do not intend this
methodology to be a vehicle by which we sell COBIT™, or to recommend its use to
the client over any other framework. Accordingly, other frameworks and guidance
may also be appropriate for the particular IT Internal Audit Services engagement.
Those frameworks, whether of another firm or of the organization for whom we are
performing IT Process work, may be substituted for the references to and use of the
COBIT™ framework. If that approach is adopted by the engagement team, one of the
first steps in scoping the engagement should be to determine the IT process framework
used by the client (if any) and determine the extent to which the client would rather we
use that framework rather than COBIT™. IT processes are characterized as follows:
IT process categories and their sub-components (characteristics):

Planning the IT Environment
IT Strategic Planning; Information Architecture; Technological Direction; IT Organization & Relationships; Management of IT Investment; Communication of the Strategy; Management of Human Resources; Compliance with external requirements; Management of Projects; Quality Management

Developing and Delivering IT Solutions

Operating the IT Environment

Organizing and Monitoring IT Processes
We should then identify the process owner(s) of the major IT processes. The process
owner(s) usually can be readily identified through inquiries of senior management, the
senior IT executives, or the owners of business, or through observation of the
functioning of the major IT processes. We obtain a high-level understanding of the
client's major IT processes through discussions with the IT process owners. As part of
gaining our high-level understanding of these processes, we ordinarily gain some
understanding of the controls related to the IT processes. We discuss with the process
owners how they manage the processes and how they identify risks relative to the
achievement of the business goals, objectives, and strategies (i.e., business risks). We
also discuss how they ensure IT supports the major business processes' financial
reporting, operations, and compliance objectives. For entities in which these processes
are not centralized, we determine which process owners to include in our discussions.
We may identify significant business risks based upon our discussions with the IT
process owners, and if we do, we consider these risks. For example, an entity's IT
strategies may be significantly out of alignment with its business strategies, resulting in a
risk that the company's IT infrastructure cannot support the future processing
requirements resulting from the business's planned growth.
Appendix B-1
Integrated Audit Considerations
Many of our IT IAS and internal audit outsourcing engagements are part of an integrated
audit. In an Integrated Audit, our IT IAS and internal audit procedures are an extension
of our external audit arrangement. Therefore, portions of the IT internal audit work may
be performed for, and relied on by, those performing the external audit. In these
situations we, as well as our clients, derive benefits from our coordinating our internal
and external audit efforts. When we are performing integrated audits, we discuss internal
audit and external audit integration requirements with the coordinating partner and other
engagement team members, as appropriate, in Stage 1 - Co-Develop Expectations. We
also refer to applicable portions of the Ernst & Young LLP Audit Process (Audit
Process) for additional guidance. Those portions of the Audit Process most likely
applicable in these situations include:
Audit planning - In many situations, we will want to coordinate our co-development
of client expectations and audit planning efforts, as well as agree on team goals and
objectives, with the external auditors. As part of their planning procedures, the
external audit team ordinarily receives materials from the Assurance Support Center
that would assist us in learning about the client's business and industry. We also
might want to review these documents. These materials typically include a Business
Intelligence Memorandum, industry-segment value chain and mega/major process
models. (See Activities 1, 2 and 3 of the Audit Process.)
Internal control at the entity level and consider the risk of fraud - In addition to the
understanding we need for internal audit purposes, we are often involved in
obtaining or updating our understanding of the client's internal control at the entity
level and the risk of material misstatement due to fraud to assist the external
auditors. The components of internal control, which we evaluate at the entity level,
include the control environment (manual and IT controls), risk assessment,
information and communication, control activities, and monitoring. The risk of
fraud from an external audit perspective includes material misstatements to the
financial statements due to fraudulent financial reporting and misappropriation of
assets. (See Activity 4 of the Audit Process.)
Understand, evaluate and test routine data processes and processes of the financial
statement close - We often coordinate with the external auditors our work related to
accounting processes (both manual and automated), which are referred to in the
Audit Process as routine data processes, non-routine data processes, estimation
processes and the process of closing the books. While these procedures might be
encompassed within the scope of our IT business process focused work and
application reviews, additional procedures may be required to meet the needs of the
external auditors. (See Activities 9 and 10 of the Audit Process.)
Understand, evaluate and test the information technology processes - In most
situations we will want to coordinate performing the work steps in the Audit Process
related to how information technology (IT) supports the business and other
processes in achieving their financial reporting, operating and compliance
objectives. In moderately to highly complex IT environments, an ISAAS professional
ordinarily assumes the role of the IT specialist in the audit process. Accordingly, the
same individual(s) might be used for both internal and external audit purposes. (See
Activity 8 of the Audit Process.)
Combined risk assessment - The combined risk assessment for purposes of the
external audit is focused on assessing the combined inherent and control risk for
significant financial statement accounts. It is used by the external auditors to
determine the nature, timing and extent of substantive audit procedures necessary to
hold their audit risk to an acceptable level. The risk assessment described in this
document is directed toward the company's IT processes and how IT supports the
business processes, with the objective of determining the risk areas to focus on for
IT internal audit purposes. While the objectives of these two risk assessments differ,
the work performed by IT internal auditors is an input into the external auditors'
combined risk assessment. Therefore, we ordinarily coordinate how information
gathered and assessments made by IT internal auditors about inherent and control
risk are communicated to the external auditors for purposes of their combined risk
assessment. (See Activities 3 and 11 of the Audit Process.)
Analytical procedures - The scope of our internal audit work might include
analytical procedures, especially data analysis procedures. The work steps included
in the Audit Process to plan, execute and evaluate analytical procedures ordinarily
are also applicable to analytical procedures performed during internal audit work.
(See Activity 13 of the Audit Process.)
Tests of details - The scope of our internal audit work might include tests of key
items, representative samples, other tests of underlying data or a combination of the
preceding types of tests of details. For example, we might confirm certain balances
or transactions to test for existence. (See Activity 14 of the Audit Process.)
Additional business process analysis - As further described in this document we
might also want to determine the root cause of errors that we identify in order to
assist the client in fixing a problem or improving a process. This is often performed
as a separate engagement. (See Activity 15 of the Audit Process.)
Appendix B-2
Sample Client Service Charter template for [client name], covering:
Client Service Charter: Risk Focus; Value Scorecard; Communication Protocols; Special Projects
Communication Protocols: Executive Management/Audit Committee Reporting; Value Scorecard Components; Other IA Measures; Frequency of Communications (Processes, Geographic Areas, Functional Units, Special Projects)
Future State; Key Performance Indicators; Critical Success Factors; Business Risks
An integrated methodology to bring value to FBS while efficiently and effectively executing our audit strategy

Planning
Objective
1. Identify client needs based on discussions with FBS management related to business risks, objectives, strategies and critical success factors.
2. Understand Mega and Major business processes and business process controls.
3. Identify audit team based upon required competencies and team roles. Orient the team to client needs, client business and team goals.
4. Complete appropriate planning documentation.
Deliverables
1. Prepare planning documentation including:
a. Identification of Mega and Major processes and identification of important business controls
b. Overview of business risks, objectives, strategies and critical success factors
c. Summary of meeting with FBS high level management
d. Summary of internal planning meetings
e. Key date schedule
f. Client assistance letter
g. Audit program
h. Audit strategies document
i. Organizational chart (obtain from client)
j. Prepare time budget using FBS Time Tracker
Success Definition/Measurement
1. Client and E&Y objectives are met and deliverables prepared according to key date schedule.
2. Audit strategy incorporates FBS senior management's concerns. Partner approval prior to starting fieldwork.
3. Team meeting prior to fieldwork to discuss team expectations and areas of audit focus.

Execution
Objective
1. Execute the plan (within budget) coming out of the planning phase within calendar parameters.
2. Summarize findings and communicate them in a timely manner.
3. Provide a positive educational experience to staff.
Deliverables
1. Audit Program completion.
2. Audit results/Findings summary.
3. Written staff feedback.
Success Definition/Measurement
1. Met CSF.
2. Met or exceeded budget. Budget versus actual per Time Tracker.
3. People - Client feedback questionnaire.
4. Client satisfaction survey.
5. Increase staff interest in FBS. Relationship management meetings quarterly with senior management and monthly Parrin meeting.

Evaluation/Analysis
Objective
1. Analyze individual or groups of audit results (data) and synthesize them into audit findings (information).
2. Escalate Needs Improvement or worse issues as soon as they become a possibility.
Deliverables
1. Prioritized outline of audit findings validated by client for factual accuracy and completeness.
2. Senior management meetings for Needs Improvement type issues.
Success Definition/Measurement
1. Audit findings are in proper business context.
2. Audit findings are in proper priority (i.e., significant or other).
3. Evaluation/analysis phase of audit completed at or under budget.
4. Partner/Principal input obtained in this phase.

Reporting
Objective
1. Efficient and effective audit report delivery process.
2. Reports perceived to have value by client.
Deliverables
1. Concise report which is responsive to the key issues noted during the audit.
2. Internally focused assessment (KPIs - see below).
Success Definition/Measurement
1. Fifteen-day report issuance rule.
2. Adherence to the ten-page rule.
3. Efficiency ratio: number of drafts (dependent upon engagement hours, rating, etc.).
4. Client report card.

Critical Success Factors
1. Timely executive involvement.
2. Effective client closing meeting.
3. Successful handoff from evaluation segment to reporting phase.
Best Practices
1. Adherence to process model.
2. Define all team roles.
3. Don't give away value - limit report to audit issues, not consulting.
The purpose of this memorandum is to document our understanding of the scope and approach of
the ISAAS work to be performed at ABC Company for the IT Internal Audit Services.
Background
ABC Company and its predecessors have been in business since 1877. A mutual company with
headquarters in Metropolitan, South Dakota, ABC is licensed to sell in 48 states and the District of
Columbia. The company offers life insurance and annuities, group life and disability insurance,
pension products and reinsurance services.
Scope of Assignment
ABC Company has contracted with us to perform IT Internal Audit Services using a risk-based audit approach. We will perform an initial risk assessment which will include the corporate operations as well as the operations of all third party administrators. The objective of the risk assessment process is to actively identify the Company's critical information systems resources and business processes and apply certain risk factors to each. These risks are then individually analyzed and ranked to allow for prioritization and proper allocation of information systems corporate audit resources based upon the determination of relative risk. Risk assessment is accomplished by using a uniform process and criteria for consistently defining and measuring risk across all areas.
Fully identifying all auditable areas requires regular and on-going communication with operating company management. The discussions with management focus on understanding the business and its operations. A thorough understanding of the business will require meetings with the functional heads of Accounting, Actuarial, Marketing, Human Resources, Finance, Operations (Claims, Policy Service, and Underwriting) and all Information Systems functions. The process identified above is used to assess all areas of the Company that use information systems.
During the risk assessment process, each major operating area's system development plans and priorities are obtained. This information will be incorporated into and considered in the rating of the Control Risk factors, since significant application and system changes may have a significant impact on the internal control environment.
We will utilize a standard format for documenting our understanding and subsequent risk
assessment and IT audit plan.
Key Deliverables
We will develop a written report detailing our risk assessment. In addition, we will deliver an oral
presentation to the Executive Committee of our risk assessment.
Timetable
The draft risk assessment will be delivered to client management by 6/10/99. The oral presentation
will be given by 6/20/99. The audit plan for the remainder of the year will be agreed upon by
6/30/99.
Appendix B-4

Appendix B-5
ABC Company
IT Risk Assessment
Sample Client Assistance Listing
Appendix B-6
Ernst & Young L.L.P. - ISAAS
Client Name: ABC Inc.
Engagement Description: IT Internal Audit Services - Risk Assessment
Listing Type:
Audit Partner: John Megabucks
Engagement Relationship Manager:
Engagement Manager: Bob Dole

Budgeted hours by task (share of total hours):
Planning: 50 (21%)
Documentation Review: 20 (8%)
Interviews: 84 (35%)
Post Interview Meetings: 20 (8%)
Interview Summary Write Up: 8 (3%)
Review Internal Audit Review Plan: 10 (4%)
Follow Up: 10 (4%)
Report Writing & Review - Draft: 14 (6%)
Report Writing & Review - Final: 6 (3%)
Presentation Development - Draft: 12 (5%)
Presentation Development - Final: 6 (3%)
Total: 240 (100%)

Resources assigned (rate per hour x budgeted hours = fees; share of hours; 10.0% administrative surcharge; total fees & admin):
Partner: $475 x 18 = $8,550 (8%); $855; $9,405
Sr. Manager: $358 x 22 = $7,876 (9%); $788; $8,664
Manager: $281 x 56 = $15,736 (23%); $1,574; $17,310
Senior: $182 x 96 = $17,472 (40%); $1,747; $19,219
Staff #1: $133 x 48 = $6,384 (20%); $638; $7,022
Contingency: 0 hours, $0 (0%); $0; $0
Total: 240 hours, $56,018 (100%); $5,602; $61,620
Note: Rates include a 5% busy season charge.

Valuation scenarios (valuation percentage; valued fees; average rate per hour; admin; total fees & admin):
90%: $50,416; $210; $5,042; $55,458
85%: $47,615; $198; $4,762; $52,377
80%: $44,814; $187; $4,481; $49,296
70%: $39,213; $163; $3,921; $43,134
60%: $33,611; $140; $3,361; $36,972
50%: $28,009; $117; $2,801; $30,810
!@#$
Appendix C-1
Engagement Team Organization and Requirements
Engagement Partner or Leader: The engagement partner or leader is responsible for
the overall effectiveness of the engagement. Responsibilities include:
Managing relationships with key client personnel
Leading or taking a primary role for project scoping and pricing
Ensuring development of an effective workplan
Involvement in the analysis of the results of each stage of the project
Leading or taking a primary role in developing the recommendations and the
deliverables
Lead involvement in presenting deliverables.
Engagement Manager: The engagement manager is responsible for the day-to-day on-site activities of the engagement. Responsibilities include:
Managing day-to-day relationships with key client personnel
Developing the project scope and workplan
Identifying and scheduling engagement project team members
Leading engagement activities such as interviews, information gathering, and
information analysis
Involvement in key interviews and ensuring interview and information gathering
activities are properly conducted and recorded
Developing project analysis, recommendations and deliverables
Presenting deliverables to client
Monitoring and managing costing and billing activities and matters.
Engagement Team (Staff): The engagement project team is selected based on skill
requirements for the engagement scope. The project team should be comprised of an
appropriate mix of senior and staff consultants. Responsibilities include:
Understanding the engagement scope and workplan
Developing interview schedules and information request lists
Participating in key interviews with the engagement manager
Leading certain interviews
Collecting and compiling data and information for analysis
Assisting in analysis of data and information
Assisting with the preparation of the deliverables
Assisting as necessary with presenting deliverables to the client.
Appendix C-2
Work plan template with the columns Budget, Due Date, Worker and Status.
Appendix C-3 Sample Business Process and Critical Success Factor Documentation
The Hospital for Sick Children: organization chart showing Business & Corporate Development; Information and Diagnostic Services; Academic and Clinical Development; Child Health Services; Human Resources; Research (each rated High, Moderate or Low).
Mega Process / Description
Set the strategic direction, policies and guidelines for the organization as a whole.
Build new and repeat business with community relations, including activities such as marketing, research and education.
Administer physical, financial and human resources for the organization as a whole.
Major Process / Purpose
Manage contracts
Manage relationships
Manage education
Manage research
Goals mapped against the Mega Processes (Direct and guide the organization; Develop and maintain the market; Deliver health care services; Manage health care delivery; Support the organization) and the Major Processes (Provide Governance; Manage contracts; Manage relationships; Manage education; Manage research), with a Ranking (H/M/L) for each goal.

1. Lead in the delivery of exemplary patient care and development of new interventions and treatments
Enhance care delivery methods and processes by working with new partners in care
Develop and implement more effective and efficient methods, modes and processes of delivering patient care
Identify and implement new and innovative therapies, treatments and technologies to improve clinical outcomes
Improve health care system functioning by collaborating with others to effect system changes
4. Support, develop and retain staff and attract the best recruits
Foster an environment that values and supports staff in their efforts to achieve HSC goals
Develop, support, motivate and maximize performance of all staff
Retain, attract and recruit the best people for HSC
5. Lead and work cooperatively with visible responsive networks and partnerships
Enhance HSC's ability to identify, evaluate and participate
6. Continue to improve, measure and evaluate the value and effectiveness of what we do
Integrate measurement, evaluation and continuous
Summary: the 27 Goals counted against each Mega Process (Direct and guide the organization; Develop and maintain the market; Deliver health care services; Manage health care delivery; Support the organization) and Major Process (Provide Governance; Manage contracts; Manage relationships; Manage education; Manage research), with Ranking (H/M/L).
Appendix C-3
Major Process / Risk / Likelihood / Impact
The Hospital for Sick Children
Major Processes: Manage relationships; Manage education; Manage research.
Risks:
Inadequate sponsorship for corporate initiatives
Failure to understand the stakeholder needs
Loss of affiliation with educational institutions
Approval of research proposals that do not have significant scientific merit and have an unacceptable balance of benefit relative to risk
Information provided to participants of trials does not adequately disclose the benefits, risks and impositions associated with participation
Failure of investigators to adhere to the rules and regulations of regulatory bodies during the implementation of trials
Increasing dependence of academic health science centers on support from the private sector may induce their leaders to be unduly deferential to private sponsors, which could influence the extent to which they support and defend important values such as academic freedom
Research contracts being entered into by professional staff without the hospital being party to the contract or reviewing and approving the contract
Not obtaining the maximum research funding
Not producing the best research programs and providing successful research projects.
Appendix C-3
Major Process / Risk / Likelihood / Impact
The Hospital for Sick Children
Risks:
... authorization security
Risk of a significant disruptive occurrence to an organization's operations, such as an interruption of critical functions, systems, resources, or loss of vital records, due to lack of business continuity planning
Information system is not configured to match the actual business processes, leading to unexpected financial and operational results, due to lack of business process integrity
External threat due to connectivity to the external environment. Dial-up solutions, Internet connectivity, network connections to business partners, etc. all provide a potential avenue for exploitation to penetrate the internal network. Hacking tools are more available today than ever and are quite simple for the novice user to operate. Due to lack of information system security.
Operating systems are mis-configured, resulting in vulnerable conditions, and are placed into production prior to vulnerability testing. The ability to exploit these vulnerabilities poses a high risk to the infrastructure.
Lack of asset management, resulting in multiple points of risk concern such as unknown software or unknown modems attached to the network. A poor account of assets results in an ineffective risk assessment of what is to be protected and how much to spend to protect it.
Appendix C-3
The Hospital for Sick Children
Risk rating matrix: Likelihood / Probability (rows) against Impact / Severity (columns)

                 Insignificant (1)  Minor (2)  Moderate (3)  Major (4)  Catastrophic (5)
5 High           T                  H          VH            VH         VH
4 Likely         L                  T          H             VH         VH
3 Moderate       VL                 L          T             H          VH
2 Unlikely       VL                 VL         L             T          (blank in source)
1 Low            VL                 VL         L             T          (blank in source)

Impact Rating / Description
Catastrophic: Loss of ability to sustain on-going operation. A situation that would cause the organization to cease operating.
Major:
Moderate:
Minor:
Insignificant:

Probability Rating / Description
5 High
4 Likely
3 Moderate
2 Unlikely
1 Low
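As an added illustration (not part of the toolkit), the following Python rates a small constructed IT risk register with the matrix above and orders it for audit-plan prioritisation. The band ordering VL < L < T < H < VH and the sample scores are assumptions; the two blank Catastrophic cells are carried through as unrated entries that are escalated for manual rating rather than silently scored.

```python
"""Rate and rank a risk register with the 5 x 5 likelihood/impact matrix.

Added example, not from the toolkit: the matrix cells are those shown in
Appendix C-3; the band ordering and the sample register are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

LIKELIHOOD = {1: "Low", 2: "Unlikely", 3: "Moderate", 4: "Likely", 5: "High"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}

# Cells as printed in the matrix: MATRIX[likelihood][impact]. The Catastrophic
# cells for likelihood 1 and 2 are blank in the source and stay None here.
MATRIX = {
    1: {1: "VL", 2: "VL", 3: "L", 4: "T", 5: None},
    2: {1: "VL", 2: "VL", 3: "L", 4: "T", 5: None},
    3: {1: "VL", 2: "L", 3: "T", 4: "H", 5: "VH"},
    4: {1: "L", 2: "T", 3: "H", 4: "VH", 5: "VH"},
    5: {1: "T", 2: "H", 3: "VH", 4: "VH", 5: "VH"},
}

# Assumed ordering of the rating bands, lowest to highest. The page shows the
# codes but not their order; T is read here as the middle band.
RATING_ORDER = ("VL", "L", "T", "H", "VH")


def rate(likelihood: int, impact: int) -> Optional[str]:
    """Return the band for a likelihood/impact pair, or None where the source
    matrix has no value. Out-of-range scores are rejected, not clamped, so a
    bad spreadsheet entry cannot quietly shift a ranking."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"scores must be 1..5, got {likelihood}, {impact}")
    return MATRIX[likelihood][impact]


def validate_matrix(matrix=MATRIX) -> list:
    """Sanity check: a band must never fall when likelihood or impact rises.
    Blank cells are skipped. Returns the list of (cell, neighbour) violations."""
    problems = []
    for lk in range(1, 6):
        for im in range(1, 6):
            here = matrix[lk][im]
            if here is None:
                continue
            for lk2, im2 in ((lk + 1, im), (lk, im + 1)):
                if lk2 > 5 or im2 > 5:
                    continue
                nxt = matrix[lk2][im2]
                if nxt is not None and RATING_ORDER.index(nxt) < RATING_ORDER.index(here):
                    problems.append(((lk, im, here), (lk2, im2, nxt)))
    return problems


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int


def rank_register(register):
    """Rate every entry; order rated entries highest band first, ties broken by
    impact then likelihood. Entries whose matrix cell is blank are returned
    separately so they are escalated for manual rating, not dropped or zeroed."""
    rated, unrated = [], []
    for r in register:
        band = rate(r.likelihood, r.impact)
        (unrated if band is None else rated).append((r, band))
    rated.sort(
        key=lambda rb: (RATING_ORDER.index(rb[1]), rb[0].impact, rb[0].likelihood),
        reverse=True,
    )
    return rated, unrated


# Constructed sample register paraphrasing the IT risks listed above for the
# Hospital for Sick Children; the scores are illustrative assumptions.
SAMPLE_REGISTER = [
    Risk("No business continuity plan for critical functions", 2, 5),
    Risk("External connectivity (dial-up, Internet, partners) without IS security", 4, 4),
    Risk("Operating systems placed in production before vulnerability testing", 5, 3),
    Risk("Incomplete asset inventory: unknown software and modems on the network", 3, 2),
    Risk("Systems not configured to match actual business processes", 3, 4),
]


def ranked_names(register=SAMPLE_REGISTER):
    """Ordered (name, band) pairs plus the names that need manual rating."""
    rated, unrated = rank_register(register)
    return [(r.name, band) for r, band in rated], [r.name for r, _ in unrated]


if __name__ == "__main__":
    assert not validate_matrix(), "matrix is not monotone"
    ordered, manual = ranked_names()
    for name, band in ordered:
        print(f"{band:>2}  {name}")
    for name in manual:
        print(f" ?  {name} (blank matrix cell, rate manually)")
```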
Appendix C-4
Business risk assessment worksheet: information integrity
Each question is scored 1: Business Threatened, 2: Serious Damage, 3: Significant Damage, 4: Minor Impact, 5: Negligible, with space for Additional Comments.

Competitive Disadvantage
Management Decisions
Could incorrect business decisions be made as a result of errors in or unauthorised changes to information?
Direct Loss of Business
Could orders or contracts be lost as a result of errors in or unauthorized changes to information?
Fraud
Could fraudulent diversion of goods or funds arise from or be concealed by unauthorised changes to information?
Public Confidence
What damage could there be to public confidence, public image or reputation, shareholders or supplier loyalty as a result of errors in or unauthorized changes to information?
Additional Costs
Could additional costs arise through unauthorised changes to, or errors in, information, e.g. through the need to investigate integrity problems, or to restore the integrity of lost or corrupted data?
Legal Liability
Could legal, regulatory or contractual obligations be breached if there are errors in or unauthorized changes to information?
Staff Morale
Could there be a damaging effect on staff motivation, e.g. if staff cannot rely on information?
Business Disruption
Could the business otherwise be disrupted as a result of errors in or unauthorised changes to information?

Assessment / Total Score
In summary, taking into account the ratings noted above and any other consequences, what is the importance of the information integrity to the business process?
1: Essential, 2: Very Important, 3: Important, 4: Useful, 5: Nice to Have
Appendix C-4 (continued)
The same worksheet (each question scored 1: Business Threatened to 5: Negligible, an Assessment / Total Score, and an overall importance rating of 1: Essential, 2: Very Important, 3: Important, 4: Useful, 5: Nice to Have) is repeated for Duration of Outage, where each criterion such as Management Decisions is rated for an outage of 1 hour, 1 day, 2-3 days, 1 week and 1 month; for Timeliness; and for Costs.
Appendix C-5
ABC Company
Software to Hardware Map
November 1998
Columns: System Name; Description; Locations; Source (Custom or Package); Implementation Date; platform (IBM Mainframe, Unix Digital, Unix Solaris, UNIX SUN, Novell 4.11, Win NT 4, PC Stand Alone). Implementation Date is N/A for all systems except Gentrax (EDI), 2Q 99.

System Name | Description | Location | Source
Accounts Payable (APPO) | Voucher and vendor information | Rockford | Custom
Check Printing (McCormick and Dodge) | Check Printing | Rockford | Package
Accounts Receivable (COOP) | Tax information, credit issued, authorization, credit memos, customer account and payment history, customer information, aging, credit limits | Rockford | Custom
General Ledger (Millenium) | Debit/credit entries | Rockford | Package
Invoicing (COOP) | Pricing on shipment data | Rockford | Custom
Manufacturing Quality Assurance (COOP) | Reviewing and reporting on product quality | Rockford | Custom
Government contract compliance | A group of programs that are utilized for reporting and tracking product to comply with government contract requirements | Rockford | Custom
Gentrax (EDI) | EDI is used between customers and most vendors: electronic funds transfer (EFT), purchase orders (PO), PO changes, invoices and shipping notices. ANSI X12 for domestic and Edifax for international. | Rockford | Package
Payroll/Human Resources (SHRIS) | Benefits and payroll administration. Purchased from Computer Associates. | Rockford | Package
Labor Systems | Group of programs separated between plants and employee classification. Used for tracking time and expenses. These programs feed into the SHRIS application. | Rockford | Custom
Purchasing (SICS) | Purchasing of raw materials and components, also for general purchasing. Keeps track of inventory. | Rockford | Custom
Materials Requirements Planning (SICS) | Projection of raw materials requirements for production. | Rockford | Custom
Capacity Requirements Planning (SICS) | Tool for assessing production capacity. | Rockford | Custom
Master Production Schedule (SICS) | Production scheduling tool | Rockford | Custom
Job Instruction Sheet (JIS) | On-line assembly instructions for use by production employees | Rockford | Package
Shop Floor Control | Routes products to the appropriate point on the production line. | Rockford | Custom
Tool and Gauge Management System (TGMS) | Keeps track of tool and gauge usage, calibration, location and maintenance | Rockford | Package
Advanced Quality System (AQS) | Quality control tool used for ensuring product quality. | Rockford | Package
Electronic Non-Conforming System | Tracks disposition of non-conforming materials or product including required paperwork. | Rockford | Package
Appendix C-5 (continued)
All systems on this page: Location Rockford; Source Package; Implementation Date N/A.

System Name | Description
Cost Accounting Management System (CAMS) | General cost accounting for the manufacturing process.
Automated Manufacturing Systems | Applications that are specific to an automated machine and may reside on a stand alone machine.
Lotus Notes | E-mail and database application that is used for product support and communication of service bulletins to customers
Unigraphics | CAD system for designing new products as well as manufacturing.
Catia | CAD system for designing new products as well as manufacturing.
SCINET | Customer Support
OPCA Scheduler | Mainframe Scheduler
Openview | HP Openview for system management
CICS | Mainframe transaction processing
IMS | Mainframe transaction processing
MVS OS390 | Mainframe operating system
NT 4 | NT Server operating system
Novell 4.11 | Novell network and server operating system
Unix HPUX, Unix Sun Solaris, Unix Sun OS, Unix Digital | Engineering; Engineering; Run Machines (the source also describes a change control tool used for controlling changes to the mainframe environment, whose system name is not legible)
ACF2 | Mainframe Security
NDS | Novell Security
Auto Secure (Platinum) | UNIX Security
Network Dial in | US Robotics Net Server - Radius connection uses network authentication. Reachout is used for remote control of workstation.
Mainframe Dial | Advantis (IBM Global network uses passport software).
SQL Database | Data base that contains management reports from various systems
TMC | Management reporting tool for use with SQL database
Databases DB2 and IMS | MFG. uses both
Macafee | Antivirus
Firewall | Interlock
PBX Communications | Phone system (Rolm)
ABC Company
Software Business Process Map
November 1998
Matrix of the systems listed in the Software to Hardware Map against the Mega Processes and their Major Processes: Product/Process Concept Determination; New Product Design; Product/Process Translation; Process Development; Product Testing; Select Marketing Strategy; Order Processing; Procurement (Procurement Planning, Purchasing, Receiving); Material Storage and Distribution; Production (Production Planning, Conversion); Product Delivery (Distribution, Invoicing); Product Service Support; Various Support Processes; Executive Processes. Each cell marks a system supporting a process; row totals give Total Processes per system and column totals give Total Systems Support per process (grand total 93).
Appendix C-5
Appendix C-6
Mega Processes / Major Processes / Risk Importance (H=high, M=med., L=low) / Sources of Risk / 1999/2000 Planned Project Descriptions

Sources of risk, with risk importance:
Inability to retain market competitive pricing, lost reimbursement - H
Unintended risk assumption, lack of negotiation leverage, lost contract payments - M
Ineffective marketing, managed care leverage, tax-status restrictions - L
Industry consolidation/inability to substitute resources and control utilization - H
Loss of key physicians, low clinician utilization, lack of mgmt expertise in non-acute environments - M

Mega and Major Processes:
Discharge Patient
Collect Payment/Financial (Manage billing and receivables to include medical records)
Executive (Set the strategic direction, policies, and guidelines for the organization as a whole)
Manage Utilization
Provide Patient Care (inpatient/outpatient)
Information Systems (Information systems, security, and related software and hardware): System Maintenance, Data Security, Contingency Planning, Operations Management, Application Systems, each rated H

1999/2000 Planned Project Descriptions:
Chargemaster review, includes code assignment and maintenance of CM
Managed care contracting, includes compliance with contract procedures/payments
Tax return compliance audit and consistency/standardization of returns
Due diligence acquisition process review
Home Health Service Process Assessment
Process review of revenue cycle including: registration, charge capture, and billing
Revenue cycle including: registration, charge capture, and billing (physician practice)
Unrelated business income for joint ventures tax assessment
Qualified use of tax-exempt bond proceeds review
Intermediate sanctions policy and procedures review
Appendix C-7
FBS Bank
Summary of Key Financial Audit Considerations
December 31, 1998
Columns: Account Classification; Primary Audit(s); Final Risks; Reconsider; Project Manager; Sign-off.

Account Classifications: Consumer Loans (Residential Mortgages, Home Equity Loans, Consumer Cards, Automobile Loans, Revolving Lines of Credit, Student Loans) and Interest Receivable; Other Significant Areas.

Primary Audits referenced: Credit; Retail (Commercial Loan Service Center audit cycled); Leasing; Commercial Financial Statements; Corporate/Interim; Corporate/Quarterly Reviews; Payment System; ACAPs Audit; Consumer Loan Compliance; Payment System and Mtech audits; Installment Loan Accounting & Operations and Shaw Audit; Retail Service Center; Retail Asset Confirmations; Trust; Corporate/Financial Statements; BTC.

Test procedures:
Test the aging of account balances, reset dates and the interest income and accrual posting on the Total system (Corporate Cards)
Test the aging of delinquent account balances, reset dates and interest income and accrual posting on the lease accounting system
Test the aging of account balances, reset dates, and interest income and accrual posting on the AFS system (commercial, financial institutions, real estate, asset-based lending)
Review the residual value estimation process for leased assets to determine whether any additional write-downs need to be made in accordance with FASB 13.
IAS
IAS
IAS
ABS/IAS
IAS
ABS
IAS
IAS
IAS
Tax
IAS
IAS
IAS
IAS/Tax
Description of project
Regional / Corporate
Due diligence acquisition process review
Medical necessity for PT/OT services
Corporate compliance plan effectiveness
Qualified use of tax-exempt bond proceeds review
Intermediate sanctions policy and procedures review
Unrelated business income for joint ventures tax assessment
Tax return compliance audit and consistency/standardization of returns
FACIS - automated database screening for sanctioned personnel
Special projects (as requested by management)
Acute Care Facilities
Process review of revenue cycle
- Registration
- Charge Capture
- Billing
Lab operational review
Radiology and pharmacy documentation and billing process
Chargemaster review includes code assignment and maintaince of CM
72 hour rule includes test for non-compliance and review of
policies/procedures
Cost report reimbursement optimization study
Accounts receivable review includes establishment of reserves, aging,
collection
IBNR Process review
Accounts Payable includes compliance with policy and test for duplicate
payment
Private enurement exposure, includes reasonableness of physician
compensation
Medical records review tests for completeness, accuracy and
confidentiality
Payroll cycle review for accuracy, approvals and compliance with
procedures
Managed care contracting includes compliance with contract
procedures/payments
Outsourced services contract and compliance review/tax implications
!@#$
Type of
Project
Estimated Cost
Per Project
# of
Projects
Total
Cost
$10,000
$14,000
$15,000
$ 8,000
$30,000
$ 5,000
$20,000
$15,000
$70,000
1
2
2
1
1
1
0
1
1
$10,000
$28,000
$30,000
$8,000
$30,000
$5,000
$$15,000
$70,000
$$24,000
$24,000
$24,000
$24,000
$36,000
$29,000
$ 6,000
0
1
1
1
0
0
2
2
$$24,000
$24,000
$24,000
$$$58,000
$12,000
$55,000
$48,000
1
1
$55,000
$48,000
$30,000
$28,500
1
0
$30,000
$-
$ 5,000
$5,000
R,C
$30,000
$-
$28,000
$-
R,O
$34,500
$-
$23,000
$-
R,O
R,C
C
R,C
R
R
R,O
C
Enity
One
1
1
1
1
1
1
1
1
1
R,O
1
1
1
R,O
C
R,O
C
O
R,O
1
1
1
1
1
1
1
R,O
R
D-1.1
ppendix D-1
IAS
R,O
IAS
Tax
IAS
Physician Practices
Revenue cycle including: registration, charge capture, and billing
Physician practice tax review and physician exit strategies
Home health service process assessment
R,O
R
R,C
1
1
1
1
1
1
1
1
1
1
1
ISAAS
ISAAS
ISAAS
ISAAS
ISAAS
ISAAS
ISAAS
ISAAS
Information Technology
Information technology risk assessment
General controls review (acute care)
General controls reveiw (physician practice)
Accounts payable application review
Application specific reviews as determined by the risk assess.
representative projects include
- Accounts receivable
- Laboratory
- Radiology and pharmacy
$18,000
$18,000
$38,500
$ 5,000
$24,000
2
2
0
$77,000
$10,000
$-
R,O
$40,000
$51,200
$12,800
$16,000
$16,000
1
1
2
1
0
$40,000
$51,200
$25,600
$16,000
$-
R,O
R,O
R,O
$16,000
$16,000
$16,000
0
0
0
$$$-
31
$713,800
R
R
R
1
1
Totals
E&Y
Notations
IAS
ISAAS
TAX
ABS
D-1.2
2
1
1
Type of Project
Interal Audit Services
Information Systems Assurance and Advisory Services
Tax Services
Health Care Advisory Business Services
R
O
C
Risk
Operational
Compliance
[Appendix D-1, pages D-1.3 and D-1.4: Year 2 & 3 audit plan table, with the same columns as the Year 1 table (E&Y Notations, Type of Project, Description of project, Entity One, Estimated Cost Per Project, # of Projects, Total Cost). The per-row values were scattered by extraction and cannot be reliably reassembled; the table totals are 31 projects and $1,071,700.]

Description of project

Regional / Corporate
Due diligence acquisition process review
Medical necessity for PT/OT services
Corporate compliance plan effectiveness
Qualified use of tax-exempt bond proceeds review
Intermediate sanctions policy and procedures review
Unrelated business income for joint ventures tax assessment
Tax return compliance audit and consistency/standardization of returns
FACIS - automated database screening for sanctioned personnel
Special projects (as requested by management)

Acute Care Facilities
Process review of revenue cycle
- Registration
- Charge Capture
- Billing
Lab operational review
Radiology and pharmacy documentation and billing process
Chargemaster review includes code assignment and maintenance of CM
72 hour rule includes test for non-compliance and review of policies/procedures
Cost report reimbursement optimization study
Accounts receivable review includes establishment of reserves, aging, collection
IBNR process review
Accounts payable includes compliance with policy and test for duplicate payment
Private inurement exposure, includes reasonableness of physician compensation
Medical records review tests for completeness, accuracy and confidentiality
Payroll cycle review for accuracy, approvals and compliance with procedures
Managed care contracting includes compliance with contract procedures/payments
Outsourced services contract and compliance review/tax implications
Contracted lab performance review

Physician Practices
Revenue cycle including: registration, charge capture, and billing
Physician practice tax review and physician exit strategies
Home health service process assessment

Information Technology
Information technology risk assessment
General controls review (acute care)
General controls review (physician practice)
Accounts payable application review
Application specific reviews as determined by the risk assessment; representative projects include
- Accounts receivable
- Laboratory
- Radiology and pharmacy

E&Y Notations
IAS    Internal Audit Services
ISAAS  Information Systems Assurance and Advisory Services
TAX    Tax Services
ABS    Health Care Advisory Business Services

Type of Project
R  Risk
O  Operational
C  Compliance
Project Descriptions
The following descriptions outline the scope and approach of the projects in the three year plan. A separate
report, including findings, recommendations and management responses will be issued at the conclusion of
each project.
Regional/Corporate
Due diligence acquisition process review
Document the components of the acquisition or joint venture process. Review the effectiveness of key process
components, specifically, evaluation, financial and qualitative analysis, and negotiation. Evaluate the controls
over these processes. Test the accuracy of historical financial and qualitative projections versus actual results.
Medical necessity for PT/OT services
Assess the adequacy of documentation related to the medical necessity of physical and occupational therapy
services provided to Medicare residents of skilled nursing facilities (SNFs). Test for adherence to guidelines
which require that therapy services be reasonable and necessary, and provide a specific and effective treatment
for the patient's condition.
Corporate compliance plan effectiveness
Perform a diagnostic review of existing corporate compliance program effectiveness. This typically involves
sampling and auditing the knowledge and performance of personnel critical to the organization's Corporate
Compliance program; specifically, to determine the effectiveness of training programs and overall compliance
with Office of Inspector General (OIG) standards. This review will be prepared in accordance with the OIG
model program for Hospitals.
Qualified use of tax-exempt bond proceeds review
Review policies and procedures in place to monitor the qualified use of tax-exempt bond financed facilities,
given recent regulations issued by the U.S. Department of Treasury.
Intermediate sanctions policy and procedures review
Review intermediate sanctions policy and procedures including a list of disqualified persons and the guidelines
used to create the list. Review documentation confirming how a rebuttable presumption of reasonableness was
established for applicable transactions and documentation identifying how the intermediate sanctions policies
tie in to other corporate policies.
Unrelated business income for joint ventures tax assessment
Review the structure of joint venture relationships to ensure tax exposure items associated with unrelated
business income and private inurement are adequately addressed and supported by appropriate documentation.
Tax return compliance process audit and consistency/standardization of returns
Review the tax return compliance processes, including assessing the technical accuracy of the returns,
reviewing the charity care and community benefit reporting of each health care entity and ensuring consistent
disclosure and reporting among the entities in the WFSI system.
FACIS - automated database screening for sanctioned personnel
Screen health professionals and contracted companies through over 200 governmental databases including
records of sanctioned healthcare personnel and institutions. The databases include individuals and entities with
disciplinary actions and sanctions at all levels of government, including federal, state, and other quality
assurance entities.
Special projects represent a percentage of the overall IA budget (typically 10%) which is available at
management's discretion for EY support on an as-needed basis to address timely issues; performing an audit in
support of a corporate compliance hot line call is a typical project of this type.
Acute Care Facilities
Process review of revenue cycle including registration, charge capture, and billing
A review of policies and procedures for the registration, charge capture, and billing process. Evaluation of the
internal control environment includes a review for complete and accurate patient information collection and
proper dissemination of information. A review of select accounts will help to identify if all charges are
captured, documented and billed correctly.
Lab operational review
Evaluate the efficiency and effectiveness of laboratory operations and the laboratory results reporting system.
Review for the existence of and compliance with internal controls surrounding the reliability and integrity of
information produced by the lab system. Assess the controls over timeliness, completeness and accuracy of the
capture and entry of patient charges.
Radiology and pharmacy documentation and billing process
Review the charge process to verify that patient charging is consistent with policies and procedures. Tests of
charges for accuracy, completeness and timeliness. Verify that all documentation is included and supports the
charges. Review internal management reports for sufficient/timely information and the follow-up process, if
applicable, for resolution of outstanding items.
Chargemaster review includes code assignment and maintenance of CM
A process approach to review, assess and enhance revenue generation through the proper design and
maintenance of the Chargemaster. Includes departmental coding review for improved billing/reimbursement
and infrastructure development for Chargemaster support.
72-hour rule includes test for non-compliance and review of policies/procedures
Evaluate compliance with Medicare's 3-day rule using quadruped's 72 Hour diagnostic tool. Using both
inpatient and outpatient billing data, this tool identifies claims for non-physician services performed within
three days of admission. The effectiveness of the policies and procedures will be evaluated based upon the
results of this analysis.
Cost report reimbursement optimization study
Comprehensive review of the cost reporting process, designed to increase reimbursement. Includes ensuring
appropriate reporting of pass-through items based upon the most recent interpretation of the regulations,
identifying opportunities to update the cost reporting process to more accurately reflect appropriate
allocations between inpatient/outpatient services and correcting the report to adhere to the appropriate
regulations as they apply.
Accounts receivable review includes establishment of reserves, aging and collection
A review of policies and procedures for the accounts receivable process. Document and evaluate establishment
of reserves. Verify that the collection process is effective and functioning as intended. Review the receivable
reports and investigate significant changes in aging categories.
IBNR process review
Document claims processing within the organization specific to Incurred But Not Reported (IBNR) claims.
Evaluate the controls and policies/procedures in place to minimize the charges which have not yet entered the
claims processing flow. This will include an analytic review of claims data in an effort to identify root causes,
areas of high risk and associated cost.
Accounts payable includes compliance with policy and test for duplicate payment
Evaluation of the system of internal controls including detailed tests of completed invoices, review for
supporting documentation, proper authorization and tests for duplicate payments. Includes a review of
controls over check stock. Other tests include using computer assisted audit techniques to identify unusual
payments for a more focused analysis.
Private inurement exposure includes reasonableness of physician compensation
Review contracts for compliance with regulations and hospital policy based upon a review of payments for
non-clinical services, advances, services performed and referral incentives.
Medical records review tests for completeness, accuracy and confidentiality
Review medical records for accuracy, timeliness, and accessibility. Review for sufficient information to
identify a patient, support diagnosis, justify treatment and document results accurately. Review the records to
ensure they are confidential, secure, current, authenticated, legible and complete.
Payroll cycle review for accuracy, approvals and compliance with procedures
Review payroll policies and procedures. Evaluate controls to help ensure payroll changes are accurate and
properly authorized. Detailed tests will include using diagnostic tools to review pay rates, hours worked,
employee address records and tax identification information. Other tests to include a review of controls over
payroll check stock.
Managed care contracting includes compliance with contract procedures/payments
Review and evaluate the managed care contracting process including adherence to policies and procedures.
Evaluate controls for identifying participant eligibility and coverage. Assess utilization review process
including how payments and write-offs are monitored for timeliness and accuracy. Computer assisted audit
tools and analytics will be employed to model expected payments relative to actual payments, highlighting
areas of increased exposure and opportunity.
Outsourced services contract and compliance review/tax implications
Review select contracted services to ensure the services are performed in accordance with agreed upon terms.
Review for accurate and timely billing, as well as continued compliance monitoring procedures. Assess the tax
implications of the agreement.
Contracted lab performance review
Evaluate the laboratory's compliance with the contract. Determine if policies and procedures are in place and
operating effectively. A high level review of the laboratory operations and the billing system will be
performed.
Physician Practices
Revenue cycle including registration, charge capture, and billing
A review of policies and procedures for the registration, charge capture, and billing process. Evaluation of the
internal control environment includes a review for complete and accurate patient information collection and
proper dissemination of information. A review of select accounts will help to identify if all charges are
captured, documented and billed correctly.
Physician practice tax review and physician exit strategies
Review operational results of physician practices to ensure tax exposures related to deficits are minimized and
exit strategies are documented and implemented.
Home Health Services Process Assessment
Review home health care policies and procedures, evaluate internal controls with emphasis on segregation of
duties, controls over cash and billing procedures. Also includes review for effectiveness of information systems.
Information Technology
Information Technology risk assessment
Review of the IT inventory including hardware, operating systems, applications, network and
telecommunications. Based upon the inventories, IT will have discussions with local and corporate
management regarding risks and concerns related to these specific IT areas.
General Controls review
Review of the controls that support the data center and related activities. Specifically, these reviews cover:
physical security of the data center, logical security controls, operations management, IT administration and
strategy, systems development and maintenance and business continuity planning.
General Controls review (physician practice)
Similar to the general controls review noted above, IT would select a sample of physician billing offices and
perform a general controls review and also determine the level and controls surrounding the interfaces to
corporate or hospital based systems.
Accounts Payable application review
This review will consist of evaluating system controls within the A/P application. Typical controls include:
invoice input, reporting controls, application level security, change management and backup/recovery
procedures.
Application specific reviews as determined by the risk assessment
Representative projects may include accounts receivable, laboratory, radiology and pharmacy.
CLIENT NAME: ABC Inc.
ENGAGEMENT DESCRIPTION: IT Internal Audit Services - Application Review
LISTING TYPE:
AUDIT PARTNER: John Megabucks
ENGAGEMENT RELATIONSHIP MANAGER:
ENGAGEMENT MANAGER: Bob Dole
ADMINISTRATIVE SURCHARGE: 9.5%

BUDGETED HOURS AND FEES BY TASK
Task                                  Hours      %     Fees
Planning                                 14    10%   $3,728
Application Security                     32    23%   $5,042
Interface Testing                        28    20%   $4,510
Edit Check Testing                       16    11%   $2,620
Reconciliation Review                     8     6%   $1,260
Physical Security of Forms                4     3%     $532
Output Distribution                       4     3%     $532
Report Writing & Review - Draft          12     9%   $1,792
Report Writing & Review - Final           6     4%   $1,290
Presentation Development - Draft         12     9%   $2,580
Presentation Development - Final          4     3%   $1,512
Total                                   140   100%  $25,398
(Remaining task rows of the worksheet are unused: 0 hours, 0%, $0.)

BUDGET BY STAFF LEVEL
Level      Rate   Hours      %      Fees    Admin     Total
Partner    $475       4     3%    $1,900     $181    $2,081
Manager    $281      20    14%    $5,620     $534    $6,154
Senior     $182      50    36%    $9,100     $865    $9,965
Staff #1   $133      66    47%    $8,778     $834    $9,612
Total               140   100%   $25,398   $2,413   $27,811
(Partner hours are implied by the worksheet: $1,900 at $475 per hour, and 140 hours in total.)

FEE VALUATION SCENARIOS
Valuation    Valued     Avg rate    Admin     Total
percentage   fees       per hour              fees & adm
100%         $25,398                $2,413    $27,811
 90%         $22,858    $163        $2,172    $25,030
 85%         $21,588    $154        $2,051    $23,639
 80%         $20,318    $145        $1,930    $22,249
 70%         $17,779    $127        $1,689    $19,468
 60%         $15,239    $109        $1,448    $16,686
 50%         $12,699     $91        $1,206    $13,905
CONTINGENCY: 0
EXPENSES:
ABC Company
Accounts Payable Application Review
Proposed Audit Scope
4/29/99
I. Objective
The primary purpose of this review will be to perform a post implementation review of the
Accounts Payable application. The review will focus on testing specific agreed upon business
controls and processes.
2. Identify and quantify all individuals with authority, or the potential, to create and approve
their own checks.
3. Identify and quantify all individuals with authority to perform payment cancellation
procedures and related control weaknesses surrounding payment cancellations. Specifically
inquire as to controls in place for generating replacement checks.
4. Review the implementation plan for the application upgrade (Year 2000 compliant version),
and SYBASE to Microsoft SQL Server conversion.
5. Review process for approving invoices.
6. Review all aspects of the check printing and distribution process.
7. Since timely reconciliation is an integral part of the control environment, review the
procedures for cash reconciliations.
8. Identify and review the controls in place over the approved vendor database.
9. Identify and research other application workflow issues as identified.
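The duplicate-payment and self-approval tests named in the Acute Care accounts payable project description and in scope items 2 and 8 above, as an added example in Python that is not part of the toolkit or of any E&Y tool. The Payment record layout, field names, the approved vendor master and every payment row are constructed for this illustration.

```python
"""Computer-assisted audit tests over an Accounts Payable payment extract.

Added illustration for the AP scope items above; not part of the toolkit
and not E&Y code. The record layout, field names, vendor master and all
payment rows are constructed for the example.

Tests implemented:
  self_approvals()             payments created and approved by one user
                               (scope item 2: create and approve own checks)
  duplicate_payments()         same vendor, normalised invoice number and
                               amount (duplicate payment test)
  unapproved_vendor_payments() vendor not in the approved vendor master
                               (scope item 8)
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Payment:
    check_no: str
    vendor_id: str
    invoice_no: str
    amount: float          # fine for an example; use Decimal in production
    created_by: str        # user who entered the payment
    approved_by: str       # user who released it for check printing


def normalise_invoice(invoice_no: str) -> str:
    """Canonical form of an invoice number: upper case, alphanumerics only,
    leading zeros dropped from each digit run, so 'INV-0042' and 'inv 42'
    compare equal. Exact-match duplicate checks miss such variants."""
    alnum = re.sub(r"[^A-Z0-9]", "", invoice_no.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", alnum)


def self_approvals(payments):
    """Check numbers where the creator also approved the payment (a
    segregation-of-duties breach). Compared case-insensitively because
    user IDs are often entered inconsistently."""
    return [p.check_no for p in payments
            if p.created_by.strip().lower() == p.approved_by.strip().lower()]


def duplicate_payments(payments):
    """Group payments by (vendor, normalised invoice, amount) and return
    the groups holding more than one check."""
    groups = defaultdict(list)
    for p in payments:
        key = (p.vendor_id, normalise_invoice(p.invoice_no), round(p.amount, 2))
        groups[key].append(p.check_no)
    return {key: checks for key, checks in groups.items() if len(checks) > 1}


def unapproved_vendor_payments(payments, approved_vendors):
    """Check numbers paid to a vendor ID absent from the approved vendor
    master, a common indicator of fictitious or unvetted vendors."""
    return [p.check_no for p in payments if p.vendor_id not in approved_vendors]


# Constructed approved vendor master and AP extract for the example.
APPROVED_VENDORS = {"V100", "V200", "V300"}

SAMPLE_PAYMENTS = [
    Payment("C1001", "V100", "INV-0042", 1250.00, "jsmith", "mjones"),
    Payment("C1002", "V100", "inv 42",   1250.00, "jsmith", "mjones"),  # re-keyed C1001
    Payment("C1003", "V200", "A-778",     480.50, "rlee",   "rlee"),    # self-approved
    Payment("C1004", "V300", "2019-03",  9000.00, "rlee",   "mjones"),
    Payment("C1005", "V999", "77",        315.00, "jsmith", "RLEE"),    # vendor not approved
    Payment("C1006", "V200", "A-779",     480.50, "mjones", "MJONES"),  # self-approved, case differs
]


def run_ap_tests(payments=SAMPLE_PAYMENTS, approved_vendors=APPROVED_VENDORS):
    """Run all three tests and return the exceptions for the workpapers."""
    return {
        "self_approved": self_approvals(payments),
        "duplicates": duplicate_payments(payments),
        "unapproved_vendor": unapproved_vendor_payments(payments, approved_vendors),
    }


if __name__ == "__main__":
    for test_name, exceptions in run_ap_tests().items():
        print(f"{test_name}: {exceptions}")
```

Each exception list is what an auditor would carry into the workpapers for follow-up; the normalised invoice key is the part that catches the re-keyed invoice that an exact-match control would miss.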
III. Timing
The review will begin on Monday, May 12 with a draft report delivered by early June. We will
provide a weekly update of time incurred and will communicate any issues as they arise.
IV. Budget
We currently estimate the total hours of the engagement at 160. We will not exceed this time
without first discussing any situations with you. The estimated rate and hour breakdown is as
follows:
Staff Level     Estimated Hours   Hourly Rate   Estimated Fees
Sr. Manager                   2        249.00          498.00
Manager                      20        195.00        3,900.00
Senior                       78        126.00        9,828.00
Staff                        60         93.00        5,580.00
Total                       160                     19,806.00
THE ABC COMPANY
IT Internal Audit Accounts Payable Application Review
Agenda 4/29/99
A) Ernst & Young LLP Team
   John Megabucks, ISAAS Partner
   Bob Dole, ISAAS Manager
   Bo Diddly, eSS Senior Consultant
B) Changes in Accounts Payable Process or IT Environment
C) Proposed Scope of Engagement (See Attachment)
D) Requirements of ABC Company
E) Key Contacts
F) Timing
G) Questions or Concerns
ABC Company
Check Distribution Process
[Flowchart; only two fragments of the flow text survived extraction: "Mailroom hand delivers the checks to the department contact." and "At their desk".]
NOTE: If checks are not mailed on the same day they are received, the requestor is required to store the checks in a locked cabinet at their desk.
ABC COMPANY
NARRATIVE NOTES
MAILROOM CHECK DISTRIBUTION PROCESS
Objective:
Methodology: Corroborative inquiry and observation with appropriate ABC Company personnel to
obtain an understanding of the process.
Results:
On March 4, 1999, we met with Cashier and Systems Analysis to review the check
printing and distribution process. This process consisted of the checks that were
processed the preceding evening and the on-demand checks that were submitted in
the same day.
Mailroom Observation:
We observed how checks are sent to the mailroom, how checks are stuffed into
envelopes, and how the number of checks mailed are reconciled to the number of
checks Cashier printed to be mailed directly.
Checks are picked up from the tray in Cashier's area on the mailroom's second mail
run, which takes place at 10:00 a.m. The individual picking up the checks for
mailing is not required to sign the check pickup sheet, which lists the number of
checks picked up and who picked them up.
Once the checks have been picked up, they are ready to be stuffed into the envelope,
sealed, and mailed. Checks are stuffed automatically on a machine in the mailroom.
After the checks have been stuffed, the individual in the mailroom looks at the
address window on each envelope to ensure there is an address. During our
observation, there was one check that did not have an address.
When all of the checks have been stuffed, the mailroom calls Cashier and tells her
how many checks are going to be mailed and also any checks that need an address.
Once Cashier receives this information she informs the mailroom individual that the
amount of checks being mailed is correct. Any time a check needs an address, the
mailroom walks the check up to Cashier immediately for corrections to be made.
Next, the number of checks being mailed and the number of exceptions are written
in a log in the mailroom. Finally, the envelopes are sealed and ready to be mailed.
Reasons Checks Go Back to the Departments:
We discussed with Client Support and New Business Account Representative the
reasons behind them requesting to have their checks sent back to them once they
have been printed.
Client Support
The primary reason Client Support requests to have some of her checks sent back to
her is because she needs to enclose a remittance along with the check in the
envelope. In addition, Client Support may have a check sent back to her because she
has to Federal Express it overnight. Finally, Client Support explained that she has
had minimal problems with checks consisting of the incorrect address after she
changes it in the application system. Therefore, she requests to have the checks back
for the ones that she has changed the address on to make sure they print correctly.
This issue may be an interface problem, because the system is picking up a
completely different address than the previous one or the one it was changed to.
New Business Account Representative
New Business explained that she requests to have checks sent back to her on a
regular basis, because she deals with the approval of applications. These approvals
may lead to withdrawals, postpones, declines, and not takens, which require a letter
to be sent along with the check so the individual receiving the refund check in the
mail does not get the check back before they receive the letter.
Check Storage Security:
Checks are delivered to the requesting departments by the mailroom. These checks
are placed in a tray that resides in the area of each department. During the day, the
requesting individual picks up their own check from the tray or someone will pick
up the check and place it in a basket on the respective individual's desk. This process
leads to checks being left in trays and on desks overnight, etc.
ABC Company
Issues Summary Example

[Table with columns Workpaper Reference, Area, CONCERN and ISSUE RESOLUTION. Six rows survived extraction: three referenced to workpaper B1 (Corporate Database) and three to D1 (LAN Program Change). The CONCERN text was not recovered; the two recorded resolutions are:]
B1, Corporate Database: Verbally discussed with client - problem log does have a problem resolution field; however, it was not printed on the report we received.
D1, LAN Program Change: Verbally discussed with client - compensating controls are in place.
CLIENT FEEDBACK
Audit Project:
Date:
Completed By:
Your input is essential to our improvement and success. Please mark the box which best describes the level at which we
performed during the audit project. Please provide specific examples whenever possible in the space provided. Thank
you!
[Rating grid, Appendix E-6, pages E-6.1 and E-6.2: each question is rated on a scale from "Not at all" to "Very much so", with a Suggestions/Comments column; the question text was not recovered.]
[Appendix F-1: Audit Committee calendar. Meeting Dates: Mar, Aug, Nov. The agenda items survived; their assignment to meeting months was not recovered.]
Audit Committee
Review and approve minutes from prior meeting
Review Audit Committee Charter
Private discussions with:
Internal Auditor
Review of year end financial results (including accounting, tax, and financial reporting matters)
Review of regulatory filings (e.g., 10K) by:
Management
Appendix G-1
SERVICE
OTHER PRACTICES
LAUNCH DATE
May, 1999
SERVICE OVERVIEW
Service Description: Through teaming with Internal Audit Services, or working directly with a client's Director of
Internal Audit, we can provide a variety of IT internal audit services, including:
IT Internal Audit Services (Teaming): supplementing the existing IT internal audit resources with depth in
specific specialty areas to perform risk assessments, complete specific projects, provide knowledge transfer or
deploy resources in remote locations.
Outsourcing: providing the full IT Audit function from planning through execution and reporting.
BENEFITS
Value Proposition: Our IT Internal Audit Services are designed to assist clients in better aligning their IT internal
audit coverage with their key business risks. Through our investments in people, knowledge, technology and
methodologies, we can assist our clients in accelerating to world-class expectations. Specifically, we can provide:
More business insight from the IT perspective: we leverage the knowledge and experience of thousands of
global IT risk professionals to provide clients with strategic and operationally focused recommendations in the
areas of IT risk management and technology enablement. We help accelerate a comprehensive improvement
agenda which cuts the time from assessment to solution dramatically.
More comprehensive risk coverage: our business process oriented IT Risk Assessment focuses our
technology specialists on the areas most important to your business. We team with the client to develop a risk
approach for the key IT areas and assign professionals with appropriate industry experience and deep
technology skills to create an innovative assessment and testing solution.
Operate more efficiently: using our people, state-of-the-art tools, technology, and knowledge resources, your
IT risks are assessed, tested and communicated to management in a timely and comprehensive manner.
Together with the client, we focus on the process of designing an efficient and effective world-class internal audit
function, while meeting management's growing expectations.
RED FLAGS
Significant business changes present some companies with problems in risk coverage (e.g., acquisitions, global
expansion, new business segments, consolidations, etc.).
ERNST & YOUNG LLP
www.ey.com