
ASSURANCE AND ADVISORY BUSINESS SERVICES
eRISK SOLUTIONS

IT IAS
Teaming/Outsourcing
Sales and Methodology Toolkit
Last Updated May 1999.
FOR INTERNAL USE ONLY
Not for distribution outside of the firm.


Table of Contents

TABLE OF CONTENTS ____________________________________________________________ I-I


IT INTERNAL AUDIT SERVICES OVERVIEW________________________________________ 1-1
OVERVIEW ...................................................................................................................................................... 1-1
PRACTICE MANAGEMENT POLICIES AND PROCEDURES ................................................................................... 1-2
INTEGRATED AUDIT CONSIDERATIONS ............................................................................................................ 1-2
PROGRAM SPONSORS AND RESOURCES ........................................................................................................... 1-3
IT INTERNAL AUDIT SERVICES SALES PROCESS __________________________________ 2-1
OVERVIEW ...................................................................................................................................................... 2-1
Service Delivery Methodology................................................................................................................... 2-1
OUR VALUE PROPOSITION ............................................................................................................................... 2-2
TARGET MARKET FOR IT INTERNAL AUDIT SERVICES .................................................................................... 2-3
Identifying Companies to Target ............................................................................................................... 2-3
Target Industries........................................................................................................................................ 2-4
Targeting Best Practices............................................................................................................................ 2-4
Client Targeting......................................................................................................................................... 2-5
Triggering Events ...................................................................................................................................... 2-6
MAKING THE SALE .......................................................................................................................................... 2-7
Identifying Whom in the Company to Target for IT Teaming Services...................................................... 2-7
Buyer Profiles ............................................................................................................................................ 2-7
Entry Strategies ....................................................................................................................................... 2-10
SERVICE PRICING GUIDELINES ...................................................................................................................... 2-10
IT INTERNAL AUDIT SERVICES SALES PROCESS ............................................................................................ 2-12
Overview.................................................................................................................................................. 2-12
THE QUALIFYING CALL ................................................................................................................................. 2-12
THE EXPANDED CAPABILITIES CALL ............................................................................................................. 2-15
THE CO-DEVELOPMENT MEETING ................................................................................................................ 2-16
OTHER STEPS ................................................................................................................................................ 2-17
Specific Projects ...................................................................................................................................... 2-17
Proposal .................................................................................................................................................. 2-17
Letter of Understanding........................................................................................................................... 2-17
COMPETITIVE ASSESSMENT ........................................................................................................................... 2-17
FREQUENTLY ASKED QUESTIONS AND COMMON OBJECTIONS ...................................................................... 2-19
SUCCESS STORIES.......................................................................................................................................... 2-21
Aon........................................................................................................................................................... 2-21
Novell....................................................................................................................................................... 2-23




IT INTERNAL AUDIT SERVICES METHODOLOGY __________________________________ 3-1


OVERVIEW....................................................................................................................................................... 3-1
STAGE 1: CO-DEVELOP EXPECTATIONS WITH CLIENT .................................................................................. 3-5
Introduction ...............................................................................................................................................3-5
SUMMARY OF STAGE 1 ACTIVITIES ................................................................................................................. 3-6
SUMMARY OF STAGE 1 DELIVERABLES ........................................................................................................... 3-6
STAGE 1 ACTIVITIES ........................................................................................................................................ 3-6
Activity 1.1 Understand client's needs ......................................................................................................3-6
Activity 1.2 Understand client's business .................................................................................................3-9
Activity 1.3 Determine scope of the engagement and risk assessment methodology ............................... 3-12
Activity 1.4 Determine deliverables ..........................................................................................................3-14
Activity 1.5 Develop fee estimation and define client billing procedures ................................................3-15
STAGE 2: CONDUCT RISK ASSESSMENT ......................................................................................................... 3-16
Overview ..................................................................................................................................................3-16
Our Risk Assessment Framework ............................................................................................................3-16
SUMMARY OF STAGE 2 ACTIVITIES ............................................................................................................... 3-17
SUMMARY OF STAGE 2 DELIVERABLES ......................................................................................................... 3-18
ACTIVITY 2.1 - PLAN THE RISK ASSESSMENT ................................................................................................ 3-18
Introduction .............................................................................................................................................3-18
SUMMARY OF PRINCIPAL WORKSTEPS .......................................................................................................... 3-18
PRINCIPAL WORKSTEPS ................................................................................................................................. 3-18
2.1.1 Identify and Orient Project Team ...................................................................................................3-18
2.1.2 Identify Key Client Personnel to be Involved/Interviewed.............................................................. 3-20
2.1.3 Develop Risk Assessment Workplan ............................................................................................... 3-20
2.1.4 Determine Timeframe and Budget for Risk Assessment..................................................................3-21
ACTIVITY 2.2 - UNDERSTANDING THE ENTITY'S BUSINESS GOALS, STRATEGIES, OBJECTIVES AND CRITICAL SUCCESS FACTORS ............................ 3-22
Introduction .............................................................................................................................................3-22
SUMMARY OF PRINCIPAL WORKSTEPS .......................................................................................................... 3-22
PRINCIPAL WORKSTEPS ................................................................................................................................. 3-22
2.2.1 Identify relevant information held by E&Y .....................................................................................3-22
2.2.2 Confirm and Build Understanding .................................................................................................3-23
ACTIVITY 2.3 - UNDERSTAND THE MEGA &amp; MAJOR BUSINESS PROCESSES AND RELATED IT REQUIREMENTS ...................................................... 3-24
Introduction .............................................................................................................................................3-24
SUMMARY OF PRINCIPAL WORKSTEPS .......................................................................................................... 3-24
PRINCIPAL WORKSTEPS ................................................................................................................................. 3-24
2.3.1 Identify the mega and major business processes ............................................................................3-24
2.3.2 Identify the key business processes .................................................................................................3-25
2.3.3 Understand how IT supports the mega and major business processes and its potential impact on the business ...........................................3-25
ACTIVITY 2.4 - IDENTIFY THE IT RESOURCES AND RELATED PROCESSES .................................................... 3-27
Introduction .............................................................................................................................................3-27
SUMMARY OF PRINCIPAL WORKSTEPS .......................................................................................................... 3-27
PRINCIPAL WORKSTEPS ................................................................................................................................. 3-28
2.4.1 Identify and Document IT Resources.............................................................................................. 3-28
2.4.2 IT Processes....................................................................................................................................3-29
ACTIVITY 2.5 - DOCUMENT RISK ASSESSMENT AND VALIDATE WITH MANAGEMENT .................................... 3-31
2.5.1 Document results/overall risk assessment conclusions...................................................................3-31
2.5.2 Prioritize risk areas ........................................................................................................................3-31
2.5.3 Validate with Management .............................................................................................................3-31


STAGE 3: PREPARE ANNUAL IT AUDIT PLAN .............................................................................................. 3-32


Introduction ............................................................................................................................................. 3-32
SUMMARY OF STAGE 3 ACTIVITIES ............................................................................................................... 3-32
SUMMARY OF STAGE 3 DELIVERABLES ......................................................................................................... 3-32
STAGE 3 ACTIVITIES ...................................................................................................................................... 3-33
Activity 3.1 Understand Management's Expectations Regarding Risk Coverage ................................... 3-33
Activity 3.2 Prioritize Audits.................................................................................................................... 3-34
Activity 3.3 Understand Engagement Economics.................................................................................... 3-35
Activity 3.4 Agree Audit Plan .................................................................................................................. 3-35
STAGE 4: EXECUTE AUDIT PLAN ................................................................................................................. 3-36
Introduction ............................................................................................................................................. 3-36
SUMMARY OF STAGE 4 ACTIVITIES ............................................................................................................... 3-36
SUMMARY OF STAGE 4 DELIVERABLES ......................................................................................................... 3-36
STAGE 4 ACTIVITIES ...................................................................................................................................... 3-37
Activity 4.1 Scope the IT audit project..................................................................................................... 3-37
Activity 4.2 Understand the IT audit areas.............................................................................................. 3-39
Activity 4.3 Identify and Assess Risk........................................................................................................ 3-40
Activity 4.4 Control Identification and Evaluation.................................................................................. 3-41
Activity 4.5 Design Testing Strategy and Perform Tests ......................................................................... 3-43
Activity 4.6 Conclude and Report............................................................................................................ 3-46
STAGE 5: COMMUNICATE RESULTS ............................................................................................................... 3-48
Introduction ............................................................................................................................................. 3-48
SUMMARY OF STAGE 5 WORK ACTIVITIES .................................................................................................... 3-48
STAGE 5 ACTIVITIES ...................................................................................................................................... 3-48
Activity 5.1 Understand Communication Protocols ................................................................................ 3-48
Activity 5.2 Prepare for Executive Management/Audit Committee Meetings.......................................... 3-49
Activity 5.3 Communicate Results ........................................................................................................... 3-49
Activity 5.4 Complete the Relevant Quality Control Procedures ............................................................ 3-50
Activity 5.5 Complete Billing Procedures................................................................................................ 3-50
APPENDIX A __________________________________________________________________ A-1
APPENDIX B __________________________________________________________________ B-1
APPENDIX C __________________________________________________________________ C-1
APPENDIX D __________________________________________________________________ D-1
APPENDIX E____________________________________________________________________E-1
APPENDIX F____________________________________________________________________F-1
APPENDIX G __________________________________________________________________ G-1

Confidential. All materials in this document are not to be distributed outside of Ernst & Young LLP without written approval.

1999 Ernst & Young LLP


All rights reserved.
Ernst & Young is a registered trademark.




IT Internal Audit Services


Overview

Overview
The primary purpose of this sales and methodology toolkit is to describe a consistent
framework of procedures that we use to sell and deliver a business process focused
approach to providing IT internal audit services. It is designed to provide a consistent
value proposition and facilitate the effective and efficient delivery of high quality IT
internal audit services to clients throughout the world.
This toolkit contains two major components: the Sales Process and the Service Delivery
Methodology. The sales process contains key sales components related to the IT Internal
Audit Services market, company targets, key individuals within the company to target,
value propositions, critical success factors, key selling points related to our methodology,
and single frames. Our Service Delivery Methodology contains five major stages, which
include:
Co-develop the client's expectations regarding our relationship. We also begin to
understand the client's business, goals, objectives and strategies, as well as their
objectives for the IT internal audit function (Stage 1).
Conduct risk assessment by assisting client management responsible for the IT
internal audit function in developing a risk assessment with respect to the
company's processes and auditable units (e.g., location, division, etc.) (Stage 2).
Prepare the annual IT audit plan, which is approved by client management
responsible for the internal audit function, executive management and the Audit
Committee (Stage 3).
Execute the audit plan, as agreed with client management responsible for the IT
internal audit function. We focus on evaluating the effectiveness of controls
established by management to ensure that the selected processes achieve their
financial reporting, operating and compliance objectives (Stage 4).
Communicate the results of our work to client management responsible for the
internal audit function, executive management and the Audit Committee (Stage 5).
The stages of our service delivery methodology are the logical framework that we, or our
clients, would perform to deliver any IT Internal Audit Services. However, the nature of
the engagement determines the extent to which the individual activities and worksteps
are implemented. The scope of our IT internal audit services engagements may vary,
from limited engagements to perform a single IT internal audit project on a teaming
basis, to more comprehensive IT internal audit outsourcing engagements. Because of the




variety in IT internal audit engagements, the procedures described in this document are
not intended to be a one-size-fits-all, prescriptive methodology. These procedures are
most applicable to our on-going teaming and outsourcing engagements. However, our
overall methodology framework, as outlined in this toolkit, should be followed on a go-forward basis. Maintaining a common language and process will drive consistency,
productivity, and an improved knowledge management structure. In situations where we
perform smaller engagements, our teams should still consider the value of completing
each stage and activity, even if abbreviated, to ensure high quality and high value to our
client.

Practice Management Policies and Procedures


While we have a certain amount of flexibility in determining the specific procedures we
perform during an IT internal audit services engagement, we must adhere to certain
professional and firm standards when providing IT internal audit services. The ISAAS
Policies and Procedures Workbench and the Internal Audit Services Policies and
Procedures Manual describe our practice management policies and procedures for
providing IT internal audit services. The policies and procedures describe, among other
things, our policies for:
Client and engagement acceptance and engagement letters (Letters of Understanding),
Independence matters,
Working papers and our documentation requirements,
Responsibilities for review of IT internal audit working papers,
Communicating the results of our work and providing for appropriate follow-up, and
Responsibilities for reviewing IT internal audit reports prior to issuance.

Integrated Audit Considerations


Many of our IT internal audit outsourcing and IAS engagements are part of an
Integrated Audit. In an integrated audit, our internal audit procedures are an extension
of our external audit arrangement. Therefore, portions of the IT internal audit work may
be performed for, and relied on by, those performing the external audit. In these
situations we, as well as our clients, derive benefits from coordinating our internal
and external audit efforts. When we are performing integrated audits, we discuss internal
audit and external audit integration requirements with the coordinating partner and other
engagement team members, as appropriate, in Stage 1 - Co-Develop Expectations. We
also refer to applicable portions of the Ernst & Young LLP Audit Process (Audit Process)
for additional guidance. See Appendix B-1 for more detailed information on the
applicable portions of the Audit Process.


Program Sponsors and Resources


For additional information regarding this service, please contact:

ISAAS Sales
Jamie Ross (ISAAS Program Coordinator), Phone (216) 861-2297, EY COM 3297677, Cleveland
Scott L. Miller (ISAAS MSE), Phone (216) 583-4915, EY COM 2576455, Cleveland

IAS Sales
Tom Sliwinski (IAS Sales), Phone (216) 583-3865, EY COMM 2887549, Cleveland

ISAAS Methodology
Jamie Ross (ISAAS Program Coordinator), Phone (216) 861-2297, EY COM 3297677, Cleveland
Jerry DeVault (National Director of ISAAS Assurance Services and Program Sponsor), Phone (216) 861-2214, EY COM 3953308, Cleveland

IAS Methodology
Sam Johnson (IAS Operations), Phone (216) 737-1680, EY COMM 2575648, Cleveland


IT Internal Audit Services


Sales Process

Overview
The internal audit environment, especially IT internal audit, is changing. In addition to
traditional attest and compliance functions, internal audit departments are being
challenged to provide more value to the business. Management is demanding an audit
function that reduces risk, creates cost efficiencies, and continually delivers increased
value to the company's stakeholders. A world class audit function is being recognized as
a valuable and strategic corporate asset.
However, the investments required to build and maintain an effective audit function are
growing exponentially, especially in the areas of technology, knowledge, and people. At
the same time, domestic and international growth, mergers and acquisitions, increasingly
complicated transactions, and significant information technology changes have created
more complex companies with different, and in many cases, higher risk profiles than in
the past. Internal audit departments have difficulty keeping pace with these developments
because of staffing and budget constraints.
Insight from the internal audit marketplace indicates that most companies have not
invested in the required IT audit human resources and other critical investments (e.g.,
knowledge, technology, training, etc.) to adequately cover their key business and
information risks. These companies are also finding it difficult to invest in subject
matter expertise, audit methodologies, technology, tools and training to cover the
organization's risk areas.
Our E&Y IT Internal Audit Services (IT IAS) are designed to either partially team or
fully outsource a companys IT internal audit function by providing:
More effective and efficient IT risk assessment and/or
Supplemental IT internal audit testing related to significant information systems
risks not currently being covered.
We can go to market with E&Y Internal Audit Services (IAS) or work the client direct
channel (e.g., Director of Internal Audit).
Service Delivery Methodology
Our basic methodology involves a five step process. A high-level overview of this
methodology follows. Additional detail is available in Section 3, Service Delivery
Methodology.




Co-develop Expectations With Client: We listen and learn about our client's
business goals, objectives and strategy. This critical step helps us to understand the
business and ensure we apply our resources in the right areas. Also, we co-develop
expectations with the client to serve as the foundation for our working relationship.
Conduct Risk Assessment: Our business process oriented IT risk assessment begins
with understanding the key business processes and how IT resources (i.e.,
applications, operating systems, hardware, data, people and facilities) and processes
support and enable the business.
Prepare Annual IT Audit Plan, which is responsive to the risk assessment and
business needs, for approval by client management responsible for the internal audit
function, executive management and the audit committee.
Execute Audit Plan: We focus on evaluating the effectiveness of controls
established by management to ensure that the selected processes achieve their
financial reporting, operating and compliance objectives. In addition, we make
recommendations for improvement based on what we learned.
Communicate Results of our work to client management responsible for the internal
audit function, executive management and the audit committee.

Our Value Proposition


As previously noted, expectations of internal audit functions are changing. Enterprise
and IT management expect internal audit functions to provide more consultative, or
value-added, recommendations while also expanding their risk coverage, particularly
in IT related issues, where even IT management has difficulty keeping up with the pace
of technology.
Such dramatic changes in the internal audit function's charter and culture require
significant investments in people, knowledge, technology and methodologies. However,
internal audit is also expected to make these transformations while maintaining, or even
reducing, costs. Most companies are finding it extremely difficult to meet these
challenges.
For example, the task of finding and keeping the appropriate resources is, itself,
exhausting. Experienced and qualified IT auditors are extremely difficult, and expensive,
to recruit and retain. In addition, most companies operate on multiple platforms,
applications, locations, etc. Most IT internal functions cannot afford to recruit the
number of individuals necessary to adequately evaluate risk. Beyond recruiting
resources, many organizations do not have the resources to invest in knowledge,
technology and methodologies or the infrastructure to support or maintain them.
Our IT Internal Audit Services are designed to assist our clients in better aligning their IT
internal audit coverage with their key business risks. Through our investments in people,
knowledge, technology and methodologies, we can assist our clients in accelerating to
world-class expectations. Specifically, we can provide them:
More business insight from the IT perspective: we leverage the knowledge and
experience of thousands of global IT risk professionals to provide our clients with
strategic and operationally focused recommendations in the areas of IT risk
management and technology enablement. We help accelerate a comprehensive
improvement agenda which cuts the time from assessment to solution dramatically.
More comprehensive risk coverage: our business process oriented IT Risk
Assessment focuses our technology specialists on the areas most important to your
business. We team with the client to develop a risk approach for the key IT areas and
assign professionals with appropriate industry experience and deep technology skills
to create an innovative assessment and testing solution.
Operate more efficiently: using our people, state-of-the-art tools, technology, and
knowledge resources your IT risks are assessed, tested and communicated to
management in a timely and comprehensive manner. Together with the client, we
focus on the process of designing an efficient and effective world-class internal audit
function, while meeting management's growing expectations.

Target Market for IT Internal Audit Services


The primary goal for our IT Internal Audit Service offering is to grow to $40 million in
revenue by the year 2002. Much of this revenue is expected to be recurring. This
includes both engagements where we team with IAS and engagements where we provide
IT internal audit services independent of an IAS relationship.
Our focus is on targeting relatively large internal audit functions that are struggling to
build world-class IT audit capabilities. A critical success factor is being able to clearly
articulate current gaps in IT risk coverage and to effectively position E&Y to assist our
clients with improvement opportunities.
Identifying Companies to Target
Because larger engagements tend to be more profitable and we want to focus our
investment in the sales process, we concentrate on targets where we think that there is
potential for significant fees on an annual basis (i.e., at least $250,000 per year). Factors
to consider when identifying IT IAS targets include:
Annual Revenues - although companies have different requirements for an internal
audit function based on size, industry and regulatory requirements, experience
shows that companies start building internal audit functions when they reach $250
- $500 million in revenue. Therefore, in order to focus on larger opportunities, a
guideline for potential targets would start at $1 billion in annual revenues.
History of Outsourcing - some companies have a history, or pre-disposition, to
outsourcing non-core competencies to third parties, while other companies are
extremely opposed to outsourcing any services. In order to optimize our sales
efforts, we want to focus on companies that are open to teaming opportunities and
avoid targets who we know are opposed to using outside assistance.
Recruiting Difficulties - while many companies recognize the value of an IT audit
function, or are striving to build a world-class audit function, they experience
significant difficulty with recruiting IT internal audit candidates. This may be
related to their industry, geographic location or strategic vision for internal audit.




Target Industries
Initial considerations for the primary industries to target should include:
An industry that is designated a national priority industry group - the best target
industries include:
Consumer Products
Telecommunications, computers and electronics
Energy
Financial services
Insurance
Healthcare
Whether business process models have been developed by the National Assurance
Support Center and whether our firmwide practice has industry SMEs.
Industries that have typically made investments in internal audit departments. FSI
and Insurance have historically made the largest investments in internal audit
functions. However, these two industries also present the most significant
independence and regulatory challenges.
Targeting Best Practices
Many areas conduct periodic (e.g., weekly) meetings to review ISAAS and IAS pursuits
and share information. The topics for discussion may include:
Brainstorming on pursuit strategy to determine how to best position E&Y to win
Review of IT needs on current pursuits
Re-evaluating lost pursuits to discover themes for the future
Re-examining stalled or lost IAS pursuits to determine if there is an opportunity for
IT audit services
Replicating winning strategies from other areas
We should be proactively working with IAS to manage our pipeline together. The IAS
client pursuit list can be found in the AABS IAS V6 PowerPack on the KnowledgeWeb.
See below:
Internal Audit Services PowerPack:
Document Title: United States IAS Client List & Engagement Information
Author/Contact Person: Barbara R. Bandera
Source: National Internal Audit Services
Date Published: May 1999
Keywords: Client References, Engagement Information, Fortune 500
Originating Country: United States
File Attachment: IAS clients May99 with Fortune.xls

Client Targeting
We have segmented the target market into components: AABS audit clients and non-audit clients versus IAS targets and non-IAS targets.

AABS Audit Client
High-potential IAS Target: Top priority - Hot Opportunity. Leverage IAS and AABS knowledge and relationships.
Low-potential IAS Target / ISAAS-only Target: Warm opportunity for ISAAS. Leverage AABS relationships.

Non-AABS Audit Client
High-potential IAS Target: Warm opportunity. Leverage IAS knowledge and relationships.
Low-potential IAS Target / ISAAS-only Target: Cold opportunities. START initiatives.

AUDIT CLIENT BASE


Because we already have key relationships established with these clients, these clients
should be our initial targets. The audit client base spends an estimated $3 billion
annually on their internal audit functions (IT, financial and compliance). We should
focus on clients who are trying to build their IT internal audit capabilities, or clients that
view IT internal audit as strategic to their organizations. Our experience indicates we
have a higher success rate with current AABS clients. Targeting our own AABS clients
also helps to alleviate the potential threat of our competitors gaining a strategic foothold
into our client base through the internal audit department.

NON-AUDIT CLIENT TARGETS


Ernst & Young may be at a disadvantage with non-clients because of the incumbent
auditor. However, some client boards are not willing to outsource or team with the
independent auditor. Therefore, it is important to understand the competitive situation
prior to spending a significant amount of time or resources on non-clients.
Our non-audit client targets should be large, strategic targets or companies that have an
interest in significant outsourcing or teaming for IT internal audit services. Again, where
our IAS practice already has a relationship with a target, work closely with them to
ensure that we are capitalizing on already existing relationships and that we are
coordinating our development efforts.
In addition, our competitive position should be considered. Refer to the competitive
assessment section for additional information.

IAS TARGETS
In many cases, our IAS practice may already be in discussions regarding a teaming or
outsourcing opportunity with a target. Where the IAS practice has built a relationship, we
should work closely with them to ensure that we are capitalizing on the relationship and
that we are coordinating our business development efforts.
Your area should closely link with IAS. Our experience indicates we have the most
success when we work together with IAS.

NON-IAS TARGETS
There are opportunities in this segment, but these opportunities will be for teaming on IT
IAS only.



Triggering Events
In addition to targeting specific companies and industries, we also target based on key
triggering events. The following table highlights some common triggering events that
may be used to generate leads:
Triggering Event: Turnover among key members of the buying group (e.g., CFO, Director of Internal Audit)
Questions: Do you have a solid understanding of your audit function's IT capabilities? Are you satisfied with internal audit's performance and capabilities related to IT risks?
What To Look For: Willingness to take a non-traditional approach. Interest in changing the status quo.

Triggering Event: New Technologies - the implementation of new technologies such as ERP applications, electronic commerce, and enterprise systems management solutions
Questions: How are you considering the risks and designing the controls associated with new ERP, eC or ESM investments?
What To Look For: Difficulty addressing new technology risks. (Even world-class internal audit functions have difficulty developing the skill sets and tools necessary to address them adequately.)

Triggering Event: Significant Business Changes - some companies may have difficulty covering risk where there have been significant changes in the business, such as acquisitions, global expansion, new business segments, consolidations, etc.
Questions: How is the internal audit function responding to recent changes in your business (or are there any pending)?
What To Look For: IT internal audit functions may have difficulty keeping pace with the risks associated with major business changes.

Making The Sale


Identifying Whom in the Company to Target for IT Teaming Services
In general, we target the Director of Internal Audit or the executive to whom the IT
internal audit function reports.
Where we are pursuing IAS opportunities, we should also target the CFO or the
executive to whom the internal audit function reports. If we are teaming with IAS and
have a relationship with the internal audit director, we should proactively communicate
with the internal audit director in order to maintain our IT Teaming opportunities if IAS
outsourcing is not elected.
Buyer Profiles
We often need to sell to several different stakeholders in order to successfully secure
an IT audit services win. The significant stakeholders in an IT internal audit pursuit are
typically:
Director of Internal Audit
CFO
Audit Committee
CIO
Each one of these stakeholders should be viewed as potentially requiring a separate
process that requires the full attention and focus of the pursuit team. Each buyer may
view the benefits of IT audit teaming from a different perspective. As a result, we may
need to position our value proposition differently depending on the audience.

DIRECTOR OF INTERNAL AUDIT


Position Analysis:
Interested in understanding the potential positive and negative implications on
their department
Wants to know exactly what value E&Y will bring to a team effort and how this
will make the internal audit function world-class
Depending on the situation, the Director of Internal Audit may feel threatened. For
example, they may feel the prospect of supplementing or outsourcing the IT audit
function is an indicator they are not performing well. It is critical to assess this
issue quickly and develop our sales strategy accordingly.
If the DIA is a progressive thinker, understands the need to team to take the company's
internal audit to the next level, and is striving to make continuous improvement in the
company's internal audit function, then the DIA will play a key role in the sales process.
In this situation, the pursuit would initially focus on the DIA and progress to the CFO
with the DIA playing the role of advocate and coach.



If the DIA is supported by company management but is a fairly traditional
thinker and is resistant to the concept of Ernst & Young
teaming/outsourcing, then the DIA should be included in the sales process
but should not be the initial focus of the pursuit. In this case, the pursuit
would focus on the CFO and progress to the DIA with the CFO playing
the role of advocate and coach.
If the internal audit function is considered by company management to be
sub-par and in need of improvement and the DIA is part of the problem,
then the DIA should not be included in the sales process. The pursuit
would focus on the CFO or others as the key buyer.
Sales Profile:
Buyer - The director of internal audit is usually the buyer of incremental internal
audit investments. May have the budget to buy without approval, however usually
requires approval from the CFO.
Sponsor - if progressive, often sponsors IT IAS services
Likely to be an active member in the decision process

CHIEF FINANCIAL OFFICER


Position Analysis:
Wants to be comfortable with the investment and will expect a financial analysis
to justify the decision
Wants to understand what additional value our services will deliver
Coordination with business strategy is a priority - Wants to know how internal
audit capabilities fit into the execution of the business strategy.
Has access to funding and the authority to spend the funding
Sales Profile:
Approver or Buyer - the person usually making the ultimate buy decision
May be sponsor if the Director of Internal Audit is not progressive
Likely to be an active member in the decision process
It is also useful to understand what the CFO's top IT concerns are. A summary of top
CFO IT concerns is presented below:
CFO's Top IT Management Issues
Prioritizing technology investments
Establishing and maintaining an effective dialog between IS and users
Ensuring year 2000 systems compliance
Identifying the appropriate level of technology investment
Upgrading/replacing legacy systems
Identifying how IT can improve or influence business processes
Maintaining effective, productive relationships with the IS function
Using technology to drive business change
Determining when and how to adopt emerging technologies
Educating top management on the value of technology
Evaluating/measuring the return on technology investments

Source: IT and the Bottom Line, CIO Magazine, June 15, 1998

AUDIT COMMITTEE
Position Analysis:
In general, we have less frequent opportunity to interact with audit committee
members. When we do, it's important to recognize their interests lie in three
fundamental areas:
Assessing the processes related to the company's risks and control
environment
Overseeing financial reporting
Evaluating the internal and external audit processes
Any contact with the audit committee should focus on addressing one of the three
areas above. IT internal audit services can address all three and should be
discussed within this context.
Sales Profile:
Approver - based on the recommendation of the CFO and/or DIA.
Not likely to be active members of the decision process.

CHIEF INFORMATION OFFICER


Position Analysis:
This may be our most difficult buyer. CIOs may not be as interested in internal
audit capabilities.
The CIO may not want to be audited.
They have access to funding
Sales Profile:
Influencer - Should not be left out of the process because they can influence the
outcome
Co-developer - they will often need to be active in developing our IT risk
assessment plans and providing access to resources to carry out these plans.



Entry Strategies
Once we identify the key buyer(s), our entry strategy may vary, as discussed below.
When: AABS Client (or CS, Tax) (Hot Opportunity)
Initial Contact: Director of IA or CFO via ISAAS and/or Engagement Partner to Client; ISAAS SE
E&Y Resource: AABS Partner; Area AS Leader; Area IT Internal Audit Champion
Emphasize: Relationship; Quality of work; IT internal audit teaming value proposition; Our investments in IT internal audit people, technology, methodology and knowledge

When: Non-client IAS Target (Warm Opportunity)
Initial Contact: Leverage IAS knowledge and relationship; ISAAS SE
E&Y Resource: IAS Pursuit Partner; Area AS Leader; Area IT Internal Audit Champion
Emphasize: IT internal audit teaming value proposition; Our investments in IT internal audit people, technology, methodology and knowledge

When: No prior relationship (Cold Opportunity)
Initial Contact: START Center; ISAAS SE
E&Y Resource: Area AS Leader; Area IT Internal Audit Champion
Emphasize: IT internal audit teaming value proposition; Our investments in IT internal audit people, technology, methodology and knowledge
Service Pricing Guidelines


Fees for our IT internal audit teaming service will vary based on several variables:
Relative complexity of environment
Skill of client employees
Number of client locations
Number of business processes
In cases where we are part of a larger IAS engagement, the mix of IT to traditional
audit should be considered
Other factors
An objective of our sales program is to establish IT internal audit teaming as a
complementary offering to IAS offerings and as a stand-alone service offering, not as a
loss-leader or an add-on service to be discounted to our clients. We believe the market
for these services is very large and there is great demand for those capable of delivering
the highest quality service. Our typical fees are outlined below:

Risk Assessment - Fee Range: $50,000 - $250,000; Typical Fee: $100,000
Execute Audit Plan - Fee Range: $100,000 - $2,000,000; Typical Fee: $300,000

These fees are based on our experience to date and vary widely within this range. Our
goal is to build these engagements into larger, profitable annuity projects. Because we
are able to leverage the skill sets and resources that our clients cannot, or do not, want to
invest in, we should be basing our fees on the value we deliver, not on the number of
hours or rate per hour. Therefore, when proposing fees, we should avoid quoting or
committing to a certain number of hours for a fixed fee.
Best practice is to quote a fixed fee for a level of risk coverage, or a percentage of
standard rates based on the actual effort to complete the co-developed audit plan. Generally,
our target realization should be 70%. This realization, combined with our standard rates,
results in a business that is very profitable. Recent wins and current pursuits confirm this
strategy.



IT Internal Audit Services Sales Process


Overview
The sales process is a multi-step methodology that begins with a brief qualifying call and
ends with a letter of understanding. The steps in between may vary from client to client,
but typically include an expanded meeting on Ernst & Young's IT internal audit and IAS
capabilities and either a co-development session, or a discussion regarding a specific
project. Detailed goals for each of these meetings along with a description of tools
available to support these meetings are described in the section below.

IT Internal Audit Services Sales Process (figure): Qualifying Call -> Expanded Capabilities Call -> Co-Develop Vision & Needs (or Specific Projects) -> Proposal (If Necessary) -> L.O.U.

The Qualifying Call

Goals/Objective of Meeting: There are three main goals for this meeting:

Qualify: Qualify the lead by answering several questions:
Does the client opportunity warrant the effort of a pursuit?
What is the potential for success?
Is the client contact the appropriate buyer?
Are they adequately addressing IT risks?
Do they view internal audit as a strategic function?
Have they worked with consultants, third parties, outsourcers in the
past?
What is internal audit's mission (e.g., compliance/value add/
leadership development focus)?

Credentialize: Demonstrate some of our potential value to familiarize the prospect
with our capabilities.
Next Step Commitment: Get another meeting to discuss our capabilities in detail
or start with a co-development session. The next step will often involve additional
people from the client and E&Y. Determine the appropriate attendees, content to
cover and aggressively set a date for the meeting.
The initial call is typically no longer than 30-60 minutes, but will vary depending on the
relationship with the target. For example, for an AABS client we might have a longer
meeting which combines elements of the extended capabilities call or a co-development
session. We do not share all our information with the client at this initial meeting, or we
won't have a legitimate reason to follow up. Remember, the goals are to qualify,
credentialize and determine next steps. We will typically not close on the first call.
Pre-Meeting Preparation: You will want to perform research on the company and
industry prior to making contact. You should use, at minimum, the resources of the ASC
and the CBK and contact the appropriate coordinating or client partner. Other resources
include the target's annual report, website, D&B reports, etc.
Agenda/Structure: There are three major segments to cover:
Introduction and qualifying
Credentialize - Briefly review E&Y capabilities
Determine next steps

Introduction and Qualifying Script and probing questions (customize and use as appropriate)

We appreciate the opportunity to share our investments and capabilities in IT internal auditing, but before
we get into that would you spend a few moments to...
...give me an understanding of the current internal audit capabilities - number of staff and key skills
...give me a quick overview of your IT internal audit function today - capabilities and skill sets.
Current organizational changes - How have industry / company changes affected / impacted your
department - what challenges have they presented? (You need to have done research to demonstrate that you
have a high-level understanding and insight of the company and its industry.)
Is the company implementing any new technologies (e.g., eC, ERP, ESM)? How are you addressing the
associated risk? What have been your challenges?
What is internal audit's charter? What does management expect of you? What is the focus / priorities of
internal audit? (compliance, value, leadership development)
How are you performing against your charter?
How do you measure success?
What are your most significant challenges?
How do you currently assess your business risks?
How do you determine and assess IT risks as they relate to your business?
What is your current risk assessment framework?
How do you prioritize your areas for review?
What are your priorities and projects for this year? Are you going to achieve your targets?



Credentialize: Brief review of E&Y capabilities.

Use a maximum of 5-7 slides. The goal of the IT Internal Audit Services presentation is to
create a dialogue between Ernst & Young and the potential project sponsor to solicit and
identify needs and issues. We intend this discussion to provide the client with an opportunity to
discuss some of the issues and concerns they have with how their IT internal auditors are
assessing risks for the business.
An example of Qualifying Call singleframes is included in the appendix.
We should not expect the client to be able to understand the singleframes without our talking
points. We should use the singleframes as discussion guides. We should walk the client
through the ideas that are illustrated in the singleframes to solicit their feedback and hear them
talk about their concerns. Our ability to listen and learn the organization's needs will enhance
our ability to deliver on expectations.
Use the "Expectations are Changing" slide, which can be customized for their business
environment
"Challenges & Investments" slide - customize for IT internal audit
"Qualifications" slide - key points to sell about E&Y IT internal audit services
Client list
Service & Support Capabilities
Global Capabilities

Determine Next Steps


Assess interest - We have had a chance to discuss some of your needs and our capabilities.
Based on this information, would you be interested in continuing these discussions? Perhaps
with a larger audience?
Determine the next logical step. Our goal is a co-development session. What we have found to
work well is to have the key stakeholders participate in co-development of the solution. This
typically includes the Director of Internal Audit, CFO, CIO (potentially), key existing IT internal
audit managers (for teaming scenarios).
Alternatively, we can suggest the Expanded Capabilities Call (see below) if they want more
information.
Discuss the possibility of a test drive or SMEs for specific projects highlighted by the client.

The Expanded Capabilities Call


Goals/Objective of Meeting
Our goal is to demonstrate our skill sets and value propositions and to get agreement to
move on to next steps: co-development session or special project assistance.
Pre-Meeting Preparation: Based on what you have learned from the Qualifying Call,
structure a meeting to address the client's primary concerns and interests. You will want
to customize the singleframe presentation and talking points to highlight client issues.
Agenda / Structure:

Script
Recap information from the previous discussion: what we learned about client needs / concerns from
the previous meeting, updating new players in the meeting on the previous meeting. "This is what we
heard, is that valid? Have we missed anything? This is what we are going to cover. Does this
meet your expectation for this meeting?" (Note: This is not a co-development session - this is
setting the stage for why we are having the expanded capabilities call.) This should only
confirm the expectations we developed with the meeting sponsor beforehand.
Go through the Agenda for the meeting.
Include key slides from the 30 minute qualifying call to bring any additional participants to a
common level of understanding.
An example of The Expanded Capabilities Call along with talking points is included in the
appendix.
Use the Barrier slide as a lead-in, but customize it for client-specific issues and terminology. You may
consider using the Gap slide to summarize our investments; however, the Barrier and Gap slides
need to be consistent with each other.
Stress our flexible approach to developing solutions.
Highlight our IT risk assessment approach, people, tools, methodologies and knowledge.

Determine Next Steps


Assess interest - We have had a chance to discuss some of your needs, our capabilities and
solutions. Based on this information, would you be interested in moving closer to a solution?
Who should be involved in this decision?
Determine the next logical step. The goal is a co-development session. What we have found to
work well is to have the key stakeholders participate in the co-development of the solution - Director
of Internal Audit, CFO, CIO (potentially), key IT internal audit managers (for teaming scenarios).



The Co-Development Meeting:


Goals/Objective of Meeting: The goal is to discover and define client expectations for a
relationship and to align E&Y service delivery with these client needs. When you get to
this step in the sales process, you will have a well-qualified prospect that is far along the
sales cycle. This step in the sales methodology actually overlaps with the service
delivery process. When conducting a co-development session, you are actually starting
the first step of service delivery and providing value to the client.
Pre-Meeting Preparation: A productive co-development session requires a half day
and involves several hard-to-reach client personnel, including the Director of Internal
Audit, CFO, CIO and other key client members. Because of the time commitment on the
part of the client, a commitment to hold the session should be viewed as a serious buying
signal.
Prepare for the co-development meeting as though this is the beginning of our
engagement. E&Y attendees should include the coordinating partner, the relationship
manager, the sales executive and other key members of the pursuit team/future
engagement team.

Rules of Thumb for Co-Development
Not a presentation
Share rather than tell
Demonstrate teamwork
Never contradict each other
Let the client talk
Arrive on time and stay until the end
Do not appear to check out after your component is complete
Be careful of references
Challenge, do not confront
Have fun

For additional information on client co-development sessions, refer to the IT IAS
Delivery Methodology section of this document.
Agenda/Structure
The basic agenda for the meeting is as follows:
Co-develop relationship objectives
Establish relationship protocols
Understand business goals and objectives
Understand business strategies and risks
Develop action plan

Presentation and Talking Points


The singleframes presentation for this is included in the appendix.
Determine Next Steps:
Trial Close - We want to team with you to become your IT internal audit
provider. Based on the co-development action plan, are you interested in having
us submit a letter of understanding (or a proposal) for you to consider?
Our goal is NO PROPOSAL. If the client is not ready for a letter of
understanding, set minimum expectations for a proposal document. Determine
the next logical step - Proposal and / or LOU.

Other Steps
Specific Projects
During our discussions, it may become apparent that the client is not interested in a large
teaming engagement or outsourcing their IT internal audit function. However, they may
want help from Ernst & Young with a specific project. In these instances, we should
respond appropriately with a targeted LOU or proposal for the work. These proposals
should be treated seriously - they may be a trial run to consider Ernst & Young for
later work.
Proposal
An example Proposal is included in the appendix
Letter of Understanding
An example LOU is included in the appendix

Competitive Assessment
Ernst & Young:
World-class people, methodology, knowledge management, technology and tools
Fastest growing internal audit practice
Leadership - emerging as the leader in internal audit services
PricewaterhouseCoopers:
Has become our strongest IT internal audit competitor to date
Much of their technology investment has come from Coopers & Lybrand
Broad cross-selling with their IAS equivalent
Global capabilities with a strong FSI practice
Focus is on large, blue-chip, global clients
Portrays Ernst & Young as a loose confederation of franchisees rather than a global firm
Willing to price aggressively for strategic targets
Solid growth



Arthur Andersen:
Solid competitor - Initial market pioneer
Initial approach to outsourcing was not favorable to Internal Audit Director
Focus on both teaming and outsourcing
Integrated risk management framework
Global Best Practices Database
Highly leveraged staffing model
Aggressive pricing in competitive situations
Strong market recognition
Solid Growth
Deloitte & Touche:
Co-sourcing focus for overall internal audit - has been a losing strategy.
D&T is shifting to outsourcing
Strong Director of Internal Audit relationships because of co-sourcing strategy
Strong Retail industry practice
Low Growth
KPMG:
Insignificant competitor - little strategic direction
Still in start-up mode
Few competitive advantages - they compete primarily on relationships
Defensive position, only compete on their clients

Frequently Asked Questions and Common Objections


What about your Independence?
Independence is an issue for both internal and external auditors. In our teaming approach,
management and the Director of Internal Audit remain responsible for approving the risk
assessment, audit plan, and internal audit program. We help execute the risk assessment
and audit plan. This separation ensures that independence is preserved.
It is not uncommon for a company's external auditor to also assist in the execution of
internal audit procedures. Ernst & Young assists many clients, including publicly traded
companies, in this area. In fact, approximately 70% of companies who have fully
outsourced their internal audit function or are teaming have done so with their external
auditor. Acknowledging this trend and the SEC's interest in this area, the AICPA issued
an ethics interpretation in May 1996 specifying that these services can be performed by a
company's external auditor without impairing independence. We adhere strictly to
AICPA rules governing external auditor independence which state that:
The performance of extended audit services which include assistance in the
performance of the client's internal audit activities would not be considered to impair
independence with respect to a client for which the member also performs a service
requiring independence, so long as the member or his or her firm does not appear to act
in a capacity equivalent to a member of client management or as an employee.
The key requirements of these rules include:
The Company must designate an individual to be responsible for performing
management functions (e.g., approving the audit scope, evaluating the audit
results, etc.).
The Company must maintain the internal control structure.
The Company must approve the internal audit program and related risk analysis.
The Company must evaluate the results of internal audit activities.
To maintain independence, the Ernst & Young internal audit staff will report directly to
the Director of Internal Audit. As a result, any issues that arise as a result of our audit
procedures will be directed to the Director of Internal Audit for follow-up and
disposition.
In some cases, a client may be concerned that E&Y internal audit staff will share
findings with E&Y external auditors before management has a chance to address them.
An appropriate solution is to set up a robust process (e.g., a firewall) that ensures potential
issues affecting our external audit are discussed with management before being communicated
to the external audit team.
We use Internal Audit as a Training Ground for Leadership. How does that Impact
that Mission?
The experience that internal audit provides is invaluable as a skill to help build a solid
understanding of business. In some pursuit situations, the client may use the internal
audit function as a training ground for future company leaders. This kind of client is not
likely to outsource their entire internal audit function.



To overcome this objection, do not push for full-outsourcing of the internal audit
function. Rather, we should stress two important client benefits of working with Ernst &
Young:
Teaming opportunities - This is an excellent chance to stress the benefits of a
teaming arrangement. By working with Ernst & Young, the future leaders can
help analyze and understand the client's strengths and weaknesses and team with
us to address these weaknesses. This has the effect of making their internal audit
an even stronger grooming ground for the client's high-potential managers.
Knowledge Transfer - We will transfer our knowledge to the client through hands-on
work with our people, methodologies, technology and tools. This also has the
effect of making their internal audit a stronger function and their future leaders
more valuable.
You don't Understand Our Business in Enough Detail
In some pursuits, the client will be concerned that Ernst & Young does not have a
sufficiently detailed understanding of their business. We have several responses to this
objection, including:
ASC - The Ernst & Young Assurance Support Center generates in-depth client and
industry research. Comprised of more than 50 partners and senior managers who
are thought leaders in their particular industries, the ASC works closely with audit
teams in the field to build and deploy industry knowledge, business process risk
models and benchmarking data along with leading-practice IT internal audit
approaches and techniques. Over 50 industry segments are supported by the ASC.
Process Models - Ernst & Young has developed process models for most major
industry segments. The leading-practice knowledge and understanding
incorporated in these models may help provide value to the company by
uncovering opportunities for improvement.
Relationship Manager - The client relationship manager is a critical part of our
service delivery methodology. This individual is the person who is responsible for
transferring business insight and client needs to the Ernst & Young work
team. The relationship manager is a senior executive who has a strong industry
background and a thorough understanding of the client's business.
Stable Core Team - Our philosophy on staffing is to select a core team to serve our
clients and manage the engagement on an ongoing basis. This allows us to
develop in-depth knowledge of the business and relationships within the company,
in addition to bringing them more specialized skill sets on a just-in-time basis.
We assemble the best possible team, based on the skills and experience, to conduct
our engagement in an effective and efficient manner.
Co-Develop Expectations - Finally, one of our strongest responses to this question
is to co-develop expectations with the client. We will assemble the core team and
other resources based on the jointly defined expectations. The purpose for this
step in the process is to make sure the client gets what they expect. If part of the
expectation is that we understand their business, (as typically is the case) Ernst &
Young will make certain this expectation is met.


Success Stories
Aon
Company Background: Our client is a holding company composed of commercial
insurance brokerage and consulting, and consumer underwriting companies. With 1997
annual revenue of approximately $5.8 billion and offices in more than 100 countries, the
client is a world leader in insurance and consulting services. The Company is a current
Audit, Tax and Consulting client.
Client Business Issue: The client maintained IT audit staff in Chicago, London and
Rotterdam. The client experienced rapid turnover in the IT Audit group globally. The
client has also been relying increasingly on new technologies including PeopleSoft and
various eCommerce applications. They found it difficult to get proper audit coverage as
they could not attract and retain skilled IT audit staff. Additionally, the IT environment
was changing so rapidly that it was becoming cost prohibitive to continually retrain the
IT audit staff.
Our Service Delivery Approach
1. Co-Developed Client Expectations - With the client, we developed an understanding of the risks in their industry, business and ongoing projects. Senior management preferred to have a single source responsible for the delivery of the IT audit service and asked us to coordinate IT audit activities globally from Chicago. As such, we worked from Chicago with the client IT Audit staff and appropriate EY ISAAS personnel in the UK and Rotterdam to develop a unified global IT audit plan.
2. Conduct Risk Assessment - We interviewed a dozen CIOs and other IT executives in the US to gain an understanding of projects in process and their areas of concern. This information was used as the base for a risk assessment matrix. A similar process was followed in the UK and Rotterdam.
3. Developed Annual IT Audit Plan - We developed an annual audit plan defining the different projects to perform during the year. This plan was approved by the Vice President Internal Audit and included all global projects. We are now completing the first year of the engagement, and have developed our second year audit plan based on the updated risk assessments, and submitted them to management for approval.
4. Execute the Annual Audit Plan - Because the engagement was so large, a team was assembled with an ISAAS manager assigned to each major business line with another manager acting as the account leader. The account leader is responsible for reviewing work programs and for ensuring quality delivery of service. Per the global IT audit schedule, individual audits are scheduled and performed by the ISAAS manager responsible for that area.
5. Communicate Results - We have a standing meeting every month to report US and Rotterdam results to the Vice President Internal Audit. We report status by project including hours and fees incurred that month. Additionally, we have a video conference with the UK every month with the Vice President Internal Audit to discuss the status of the UK projects. Audit reports are issued in the standard client Internal Audit report format and are typically distributed to a wide variety of senior management.



Value Received by the Client
- The client received higher quality risk coverage with a focus on its IT issues.
- We provided management with recommendations for improved controls and enhanced IT process improvements.
- We identified several single points of failure (SPFs) that the client had not addressed as part of a business continuity audit. The major findings in the review were that Business Continuity Planning (BCP) policies or standards did not exist. As the client had been growing through acquisition, and actively merging operations where possible, it had unknowingly introduced several SPFs into the environment. Our review caused the client to focus on its time critical business processes and realize that it was vulnerable to disruption. Because of the lack of standards and policies, it is unlikely that management would have recognized this weakness without our assistance.
- We identified IT security weaknesses in the UNIX, Windows NT, Oracle, Lotus Notes and Dial-in environments as part of an IT security infrastructure audit. The main findings from this audit included weaknesses in the Security Policies, Standards, and Procedures. As these platforms were supporting mission critical business processes, the client was risking the integrity, availability and confidentiality of its systems and data.
- We provided detailed security enhancement suggestions for PeopleSoft HRMS and Financials implementations. We also provided suggestions for process improvements related to the business processes associated with these implementations. The main findings from this audit were:
  - Weaknesses in System Security. Weaknesses noted in system security settings were so severe as to allow most individuals in the accounting department to modify current and prior period data without leaving an audit trail. This weakness could potentially lead to an inability to balance accounts and close the books in a timely fashion.
  - Application Development and Change Control. The company was in the process of rolling out these applications to various other operating units. In order to support these operating units, additional complex modifications would be required. Without proper application development and change control procedures, the company created a risk that these modifications would be erroneous. This situation had the potential to create inaccurate financial information.
  - Re-structure of the Business Processes supported by the application. The various departments using these applications were still learning how the system operated. Hence, the lack of specific procedures created the risk that users would enter inaccurate or incomplete information into the system. This could potentially have a significant impact on the Company's ability to close the books and produce accurate financial reports.


Novell
Company Background: Our client is a leading provider of network operating software
enabled by directory services. Its Internet solutions make networks more manageable
and secure, and reduce the total cost of ownership for organizations of every kind and
size. The client also provides group collaboration software that links teams of users
working on a project as well as software that manages networked PCs from a central
location. The company earns more than $1 billion in annual revenue and is an Ernst &
Young audit client.
Client Business Issue: The client was performing less well than in earlier years and realized that it needed to look at every revenue opportunity. Together with the client's Internal Audit group, we uncovered a potential revenue assurance opportunity by collecting outstanding software licensing fees. Based on our existing methodology and global network, Ernst & Young ISAAS IT IAS was selected to coordinate and execute the software licensing audits.
Our Service Delivery Approach: Using our Royalty Audit methodology (Royalty audits for TCE companies, located in the national revenue program catalog), we audited licensees on behalf of the client using both domestic and international Ernst & Young resources. So far we have visited licensees in more than 30 different countries. The reviews were performed to ensure compliance with the agreement and reporting requirements of our client.
Value Received by the Client: To date we have recovered more than $16 million in outstanding licensing fees, providing a ten to one return on the client's investment. The client received increased value and assurance through a successfully managed and coordinated project that used a consistent methodology and controlled travel expenses by using our international network of professionals.
Based on our findings and recommendations, we are now involved with the client in a business process re-engineering project that will provide the following:
- Improved operating efficiencies by reducing administration costs associated with the license management life-cycle.
- Increased profits by identifying and implementing controls to better track revenue from active licenses.
- Improved customer satisfaction by improving the quality and consistency of the license management services.
- Improved understanding of license agreements by both licenser and licensee.
- Better structured agreements up front.
- Better reporting systems and processes to accurately report revenues.
- Timeliness of cash receipts.
- Reduced incidence and expense of royalty audits.
- Improved accuracy, timeliness and completeness of reporting.



IT Internal Audit Services Methodology

Overview
Our IT Internal Audit Services methodology provides ISAAS professionals with guidance in performing IT Internal Audit Services. The methodology is intended to guide the process whereby we evaluate risk and control processes related to information systems.
The methodology is structured around five stages designed to focus on the client's risks, to generate value, and to assist us in performing our IT internal audit procedures in an effective and efficient manner. The following IT Internal Audit Services Project Routemap gives a description of the major stages and activities in the methodology:

IT Internal Audit Services Project Routemap - Major Stages & Activities with Deliverables

Stage: Co-develop Expectations with Client
Activities:
- Understand the client's needs
- Understand the client's business at a high level
- Determine the scope of the engagement and risk assessment methodology
- Determine deliverables and obtain agreement from the client
- Develop fee estimation and define client billing procedures
Deliverables*:
- Strategy Memorandum
- Fee estimation for risk assessment
- Letter of Understanding
- Client Assistance Listing
- Relationship and communication protocols
- Value Scorecard

Stage: Conduct Risk Assessment
Activities:
- Plan the risk assessment
- Understand the client's business goals, strategies, and critical success factors
- Develop understanding of the mega and major business processes
- Develop understanding of IT resources and related IT processes
- Validate our understanding of IT and risk
Deliverables*:
- Summary of business goals, objectives and mega and major processes
- Summary of how IT supports the business
- High-level IT Process documentation
- Risk Assessment

Stage: Prepare Annual IT Audit Plan
Activities:
- Understand management's audit coverage expectations
- Prioritize audits
- Understand engagement economics
- Agree audit plan with client
Deliverables*:
- Plan of resources / skill sets needed
- Summary of areas to be audited
- Preliminary budget
- Preliminary timeline

Stage: Execute Audit Plan
Activities:
- Scope the IT audit project
- Understand the IT audit areas
- Identify and assess risks
- Identify and evaluate controls
- Design testing strategy and perform tests
- Conclude and report
Deliverables*:
- Scope document
- Detailed project plans
- Detailed documentation
- Complete relevant quality control procedures

Stage: Communicate Results
Activities:
- Understand communication protocols
- Prepare for meeting with Executive Management or Audit Committee
- Meet with Executive Management or Audit Committee
Deliverables*:
- Summary reports to Executive Management or Audit Committee
- Detailed findings and recommendations reports
- Client satisfaction feedback

* NOTE: Internal deliverables are in italics; all others are external.


Privileged and Confidential.
No part of this may be reproduced or transmitted
without permission of Ernst & Young LLP.




The procedures in this document are not necessarily executed in a sequential fashion.
While there is a natural order to performing the stages, activities and worksteps, and they
are interdependent, we might not conduct the activities or procedures in a standard
sequence. The following summarizes the processes defined in this document:
Stage 1 - Co-Develop Client Expectations: We co-develop and confirm the basis for our relationship with the client. We develop a mutual understanding of the scope of our IT internal audit services among client management responsible for the IT internal audit function, the client's executive management, the Audit Committee of the Board of Directors, and the engagement team(s) responsible for our internal and external audit services, as appropriate. We co-develop expectations with the client in order to understand and document our relationship objectives and our relationship protocols. Additionally, we begin to understand the client's business goals, objectives, strategies, and risks.
Stage 2 - Conduct Risk Assessment: We assist client management responsible for the IT internal audit function in developing a risk assessment of the client's IT processes and IT components supporting the business processes. The purpose of the risk assessment is to identify where significant IT risks exist, to assess the relative levels of risk, and to align the IT internal audit approach with the areas of the company that will provide an appropriate level of risk coverage. The risk assessment establishes risk priorities and forms the primary, but not only, basis for the allocation of resources in the annual IT audit plan. Our risk approach is a flexible, business and IT process focused methodology; see Appendix A for the detailed methodology blueprint. The risk assessment is reviewed and approved, at least annually, by the client's executive management and the Audit Committee.
Stage 3 - Develop Annual IT Audit Plan: We work with client management responsible for the IT internal audit function to develop the IT annual audit plan. The annual IT audit plan defines the individual projects to perform during the year along with an estimate of the total number of hours required for each project. In assisting with the development of the plan, we consider the total available hours for the overall engagement, the need for special management discretionary projects, and the number and mix of specialized resources required to perform each audit. The annual IT audit plan, which includes an outlook of projects to be performed on a rotating basis over a specified period of time (e.g., three years), is reviewed and approved by the client's executive management and the Audit Committee. It is updated as required, at a minimum yearly, to reflect significant changes in the client's risk profile that may result from changes in the organization structure, business operations, technology infrastructure and/or new products and services.


Stage 4 - Execute the Annual Audit Plan: This stage is made up of five activities designed to guide the execution of individual projects defined in the Annual IT Audit Plan. All or part of certain sub-activities may or may not be performed depending upon the scope of the particular project determined in Stage 3 - Annual IT Audit Plan. The activities are:
- Activity 4.1 - Scope the IT Audit Project: This is performed at the outset of each project and provides focus and direction for the remainder of the procedures performed during the execution of fieldwork. In this activity, we establish the objectives, scope, and timing of the project and communicate these expectations to management through a project scoping document.
- Activity 4.2 - Understand the IT Audit Areas: This builds on our initial understanding of the processes and/or areas selected for the audit which was gained in Stage 2 - Risk Assessment. In this activity, we consider what additional information is required for us to document an understanding of the audit area. We also confirm the team members and agree roles and responsibilities.
- Activity 4.3 - Identify and Assess Risks: This builds on our initial understanding of the related risks, including key performance indicators, gained in Stage 2 - Risk Assessment. In this activity, we consider where errors could occur in the IT process or area (or business process where we are teaming with Internal Audit Services) that would keep the process from achieving its financial reporting, operating, or compliance objectives, and walk through the process to confirm our understanding. In this activity we determine the inherent risks as they relate to the audit project and agree our risk assessment with management.
- Activity 4.4 - Identify and Evaluate Controls: This builds on our initial understanding of the related controls gained in Stage 2 - Risk Assessment. During this activity, we preliminarily evaluate the effectiveness of the process design and the controls in place to address the potential for errors to occur. This preliminary evaluation is used in the next activity where the controls are tested, as applicable. We also may provide management with recommendations for improving the controls and enhancing process performance.
- Activity 4.5 - Design Testing Strategy and Perform Tests: This builds on our preliminary evaluation of the selected processes and related controls in the previous activity. Where appropriate, for the controls identified and preliminarily evaluated as effective in the previous activity, we design and execute tests of controls to determine if the controls are operating as we understood. Exceptions noted in our testing are communicated to management and may result in recommendations for improvement in our final report.
- Activity 4.6 - Conclude the Audit/Reporting: We conclude the audit project by:
  - Reviewing all working papers, supporting documentation, and the draft report.
  - Determining whether we have performed work sufficient to satisfy our objectives and whether our conclusions are adequately supported.
  - Communicating the results of our work to management.
  - Requesting feedback from management on whether or not we have met their expectations.




Stage 5 - Communicate Results: Working with client management responsible for the IT internal audit function, we communicate the results of our internal audit work to executive management and the Audit Committee based on expectations co-developed in Stage 1 - Co-Develop Client Expectations. At appropriate times during the audit year, formal approval of the risk assessment and annual IT audit plan is obtained. We also periodically communicate the results of our IT audit projects, including significant issues, and the value we have provided to the company through our Value Scorecard.


Stage 1 - Co-Develop Expectations with Client


Introduction
The first stage in our IT Internal Audit Services methodology is to co-develop
expectations with the client. We develop a mutual understanding of the scope of our IT
internal audit services with key client management and, where applicable, the
engagement team responsible for our internal and, in an integrated audit, external audit
services. Co-developing expectations involves key activities, such as determining
expectations related to our services, deliverables, and basis for measuring the value we
deliver. To help us gain this understanding, we conduct co-develop expectation meetings
with key client and engagement personnel to discuss and document the following:
- IT Internal Audit Objectives
- Scope and timing of procedures
- Client's Business and IT Goals, Objectives, and Strategies
- Communication protocols, including measuring and communicating value, as well as engagement issues and status
The process of co-developing expectations and communicating value begins during the
sales process, continues throughout the engagement, and involves periodic discussions
with appropriate management.
Co-developing expectations for integrated audits requires us to understand both the
internal audit and external audit requirements. Appendix B-1 includes a discussion of
necessary considerations within an integrated audit. As with any engagement, we also
must ensure that we have followed specific firm guidelines for client and engagement
acceptance. For non-audit clients, we follow guidance and perform the procedures set
forth in the Policy and Practice Statement, Client and Engagement Acceptance-Other
AABS Manual.
Generally, co-development begins during the Sales Process. We obtain an understanding of client expectations and document them in a letter of understanding (LOU) signed by the appropriate management personnel of the client. The LOU documents (at a high level) services to be provided as agreed in Stage 1 - Co-develop Expectations with Client. This letter also documents the billing requirements and must include our standard terms and conditions for ISAAS consulting engagements and the alternative dispute resolution provision, which may be applicable in those rare instances when the firm and a client cannot resolve a matter informally. (See ISAAS Policies and Procedures Workbench for the standard LOUs, terms and conditions, and alternative dispute resolution provision.) Additional co-development sessions may be necessary to refine our project scope and expectations or further refine requirements.




Summary of Stage 1 Activities
In order to scope the IT Internal Audit Services engagement properly, we identify several activities to guide the team through the initial meetings with the client:
1.1 Understand the client's needs and learn the basis for setting the service expectations.
1.2 Understand the client's business at a high level to establish a basis for a better understanding of how IT is used to support the business.
1.3 Determine the scope of the engagement and risk assessment methodology to provide the basis for building the workplan.
1.4 Determine the deliverables and obtain agreement from the client.
1.5 Develop fee estimation and define client billing procedures.

Summary of Stage 1 Deliverables
After completing this stage, the following documents should be developed:
- Letter of Understanding
- Strategy/Planning Memorandum
- Client Assistance Listing
- Relationship and Communication Protocols
- Fee Estimate
- Co-developed Value Scorecard
Examples of these documents are located in Appendix B or within the ISAAS Policies
and Procedures Workbench.

Stage 1 Activities
Activity 1.1 - Understand client's needs

IT Internal Audit Services engagements will, in most cases, be sponsored by the Director of Internal Audit and top management of organizations. Like other ISAAS services, it is necessary to understand what the client's concerns, needs, and expectations are and how we can assist in meeting their needs. Once we have identified the necessary participants (generally the client's Internal Audit Director, Chief Financial Officer, Chief Information Officer, and other key executives) we should set objectives for the meetings. For internal audit teaming and integrated audits, we ordinarily have the coordinating partner, the IAS engagement partner and possibly other members of the external audit team participate in these meetings.
In preparing for the meetings, we make a preliminary assessment of our relationship with the client and our knowledge of the client's business and industry, its needs and expectations, and its goals and objectives. In addition, we review and consider the results of any prior ISAAS projects, client satisfaction surveys, and previous discussions with management. This preliminary assessment also is important in considering which engagement team members should participate in the discussions, and it allows us to preliminarily determine the commitments we are willing to make.
During the co-develop expectations meetings, we obtain sufficient information to meet the following objectives:
- Understand the client's specific concerns regarding IT risk and risk coverage in their organization.
- Determine how to customize the IT Internal Audit Services methodology to address the client's situation. For example, if the client uses a service bureau to maintain the computing environment, our methodology will require customization to address the service bureau processes according to the client's expectations.
- Describe the relationship between the client and Ernst & Young in such a way that it can be measured afterwards. These measurements should be agreed with the client and documented within a value scorecard.
- Set high level expectations regarding the IT Internal Audit Services engagement and the client's expectations regarding our service delivery.
- Document the above.
To obtain meaningful information, the meetings require in-depth discussion between the client's decision makers and the more experienced E&Y team members. While understanding the client's concerns, three key elements for a successful relationship will be discussed:
- Obtaining insight into the client's understanding of the organization's issues and problems;
- Ensuring we have a sufficient understanding of the client's business;
- Standards for providing and performing effective and efficient service.
The success of the relationship strongly relies on our ability to provide value to the client. This value could be expressed by means of a project or service charter and a value scorecard to measure the value delivered. Defining the expectations and service level together with the client and discussing these elements is a continuous process throughout the engagement. The value scorecard is an important tool for us to measure our success. The service charter and value scorecard can be found in Appendix B-2 and B-3.




[Slide: client name - Co-Develop Relationship Objectives. Labels shown: Co-Develop Expectations; Internal Audit Drivers; Focus; Risk Coverage; Business Process Gap Closures; Early Warning Detection; Value Creation; Strategic Insight; Shareholder Value; Idea Generation; Knowledge Transfer; Audit Efficiency; Respect Management; Measurement; Minimal Disruption; Client Satisfaction; Completion of Audit Plan.]

[Slide: client name - Establish Relationship Protocols. Labels shown: Our Team (Subject Matter Expertise); Risk Focus (Processes, Geographic Areas, Functional Units, Special Projects); Value Scorecard (Components, Other IA Measures); Communication Protocols (Executive Management/Audit Committee, Reporting, Frequency of Communications); Special Projects.]

Activity 1.2 - Understand client's business

To better understand client expectations, deliver value to our clients and assist in developing an internal audit IT risk assessment, we need to obtain a high level understanding of the client's business. This understanding will allow us to effectively perform a risk assessment and therefore appropriately focus our professionals. In addition, we will gain credibility by demonstrating an appropriate depth of knowledge of the client's industry and business.
To understand the client's business, we consider the following objectives:
- Understand the organization's business objectives, goals and strategies;
- Understand the critical success factors of the organization to successfully achieve these objectives. In addition, identify any strengths, opportunities and challenges for the business to achieve these objectives;
- Understand what influences exist, both internally and externally to the organization, that will impact the business objectives and critical success factors;
- Understand how the organization is structured, including current staff capabilities; and
- Obtain a high-level understanding of the business processes and determine the key business and IT processes.
We might obtain much of our understanding through a facilitated discussion with appropriate company management. Within these meetings, we will discuss the company's current state and the desired future state, as well as the business strategies and risks. Before the discussion, we also may need to gain an understanding of the market forces and other environmental factors affecting the company, as well as the influences of the stakeholders.




Following are example templates which can be used in our discussions to meet the above objectives:

Template: client name - Understanding Your Business Goals and Objectives
Current State:
- Dominate in domestic markets
- Excellent growth potential
- Significant cross marketing potential
- Decentralized systems/processes
Future State:
- Managing 25% growth with high profitability
- Maximum service penetration through distribution channels
- Shared services
- Premiere retailer worldwide
(The template also carries headings for Key Performance Indicators, Critical Success Factors and Business Risks.)

Template: client name - Understanding Your Business Strategies and Risks
Critical Success Factors:
- Managing growth
- SG&A reductions
- Enterprise system implementation
Key Performance Indicators:
- Stock price
- EPS
- Inventory turnover
Business Risks:
- Departure of key management
- Increased competition
- Lack of system integration

Using the knowledge obtained, we will be able to identify the higher level risks inherent
to achieving the business objectives of the organization and the system of controls over
these higher level risks. We also determine if the organization currently has a risk
framework in place. Risk frameworks will vary from client to client, but will include the
identification of the most significant high level risks faced by the organization.
There are various sources of information available that can be used to help us obtain our high level understanding. If the organization is a current client of Ernst & Young, we may be able to obtain useful information from the external audit team, workpapers, deliverables, IAS resources and intelligence, or the Business Intelligence Memorandum (BIM) produced by the Assurance Support Center (ASC). Up-to-date market, industry, regulatory and technology information and trends can be obtained through the ASC Custom Databases. In addition, industry Business Process and IT Process Models with example business objectives, critical success factors, etc., are located in the ASC Industry Link Database. Both the ASC Custom Databases and the ASC Industry Link Database can be accessed through ASC Online on the ISAAS Workbench. We should also obtain, if appropriate, the client's Strategic Business Plan, IT Strategic Plan, and organization charts.
This information should be collated and kept in a central location (e.g., a background
binder, account plan document or Lotus Notes team database) for engagement team
members to review for background information prior to performing any work with the
client.




Activity 1.3 - Determine scope of the engagement and risk assessment methodology

Within the previous activities of this stage, we obtained an understanding of the clients
expectations and needs as well as a high-level understanding of the clients business and
IT processes. We also obtained information regarding the importance of IT supporting
these processes. This information is useful and necessary to determine the scope of the
engagement, which is the goal and output of this step. The project team should be
mindful that as the project progresses it may be appropriate and necessary to focus on
areas other than those initially selected. If the scope changes, we assess whether it is
necessary to revise the LOU, our fee estimates and/or timetables for completion.
The Risk Assessment is the primary driver for the development of the IT Internal Audit
Services Audit Plan. Therefore, we must appropriately co-develop the scope of the Risk
Assessment with the client. This is done by using the information gained through the
previous steps of this stage, and analyzing that information using the understanding and
knowledge of the major IT subprocesses as defined in COBIT™. Further discussion of
the major IT subprocesses and E&Y's use of the COBIT™ methodology can be found in
Activity 3 within Stage 2 of this document. We also must determine whether a Risk
Assessment Methodology is already being used by the organization. The client may want
us to follow a pre-developed Risk Assessment Methodology. If there is a methodology
already in place, we will need to review the methodology to determine its adequacy and
whether we feel comfortable following the procedures. In the absence of a client risk
framework, we should consider using the business process/IT process framework
outlined in this methodology.


Through our client meetings, we need to ensure we have a mutual understanding
regarding the scope of our procedures. We meet with key client personnel to co-develop
expectations for IT Internal Audit procedures and document the results in a Strategy
Memorandum (example in Appendix B-4). We should obtain agreement in the
following areas of the engagement:
Scope - Define the specific procedures to be performed by E&Y. Identify any
items (business processes, IT processes, divisions, locations, etc.) which should
not be included as part of the risk assessment. In addition, we need agreement on
the depth of our risk assessment. This initial scope may be changed as other areas
are studied and issues are identified in those areas. Scope changes should be
documented as addendums to the Strategy Memorandum and, if necessary, to the
Letter of Understanding. We should also discuss management's expectations and
communication protocols for ad-hoc consultations and projects which are outside
the initial scope of an agreement or annual audit plan. Considerations include
who approves scope changes, fee and billing arrangements, etc.
Timing - Define a basic timeline for the performance of the procedures and key
deadlines (milestones).
Roles and Responsibilities - Present our IT Internal Audit team and confirm that
we have the right service team to meet the client's needs. We may allow the client to
provide input on the staff to be used on the engagement. We also define the
responsibilities of the client and the E&Y engagement team. In this process, we
identify the need for knowledge transfer activities or the inclusion of client
personnel as part of the engagement team. When teaming with IAS and/or the
external audit team, we coordinate closely to ensure consistent application of the
agreed relationships (i.e., the client should see us as one entity, not as IAS and
ISAAS). We apply the same amount of care and due diligence in coordinating with
IAS and external audit as we do with the client's internal audit function.
Communication Mechanisms - Define the methods and approach for
communicating with the client, both informally and with formal findings and
recommendations, to ensure that all interested parties are notified of the
engagement's status and results on a timely basis. One method for communicating
interim results would be to hold periodic meetings at key points throughout the
review process. This can include a listing of key issues noted to date with a status
check of those issues that are still unresolved (periodic issues list).
Assumptions - Define any assumptions that may affect the scope, timing, or
responsibilities of the review (e.g., the internal audit department will provide
assistance in the definition of key business processes). These should be documented
in a formal appendix to the Letter of Understanding, as well as taken into
consideration in preparation of the Client Assistance Package (example in
Appendix B-4).
Other - Define other areas of management's concern that may be encompassed
within the engagement (e.g., implementation of a new access control software
system).




Scoping the IT internal audit risk assessment and procedures is a complex process which
requires significant skills and professional judgment. It should therefore be performed by
the most senior and experienced team members. These team members should also have
knowledge about the major and sub IT processes.
Activity 1.4

Determine deliverables

In addition to defining the scope of the project, we discuss with our client how we will
deliver the results of our review. The last work step within this stage of the methodology
is to agree upon the deliverables or report format. The discussion would likely include
the following:
The form of the deliverables (written report, oral presentation or both);
The contents of the deliverables (e.g., to what extent should the basis for the
observations and the recommendations be included in the report). This matter
becomes critical when there is the potential to include certain sensitive
information in the report.
The timing, or turn-around, of reports (e.g., draft report issued within 15
business days after the end of fieldwork). Many internal audit functions are
concerned with timely completion of audit reports, therefore it is critical that we
understand and discuss their expectations to ensure client satisfaction.
Management responses and timing. Some clients prefer that the draft reports include
initial management responses, while others prefer that management responses be
gathered at the time of the final closing meeting. The client's preference could
significantly impact our ability to meet report turn-around requirements. In
addition, some clients set deadlines for management responses (e.g., 10 business
days after the draft report is issued). These expectations are communicated to our
engagement team and to relevant client personnel to ensure that timing
requirements are understood and accepted.
Report Ratings. Client management may request that we apply ratings to our
reports. We discourage the use of ratings for two reasons:
We do not want to give the impression that we are issuing an opinion, or
attestation, on controls; and
Ratings do not foster an open environment for communication and
resolution of issues.
On some engagements, the Director of Internal Audit or the audit liaison is
responsible for assigning ratings based on our detailed reports. However, if the
client requests us to assign the ratings, detailed guidance is provided in the
Internal Audit Services - Policies and Procedures Manual. The rating categories
should be co-developed with the client and documented in the Strategy
Memorandum. We may also request a representation from client management
acknowledging that the ratings do not constitute an opinion or attestation on the
adequacy of controls.
The form and content of deliverables could, in this stage of the engagement, possibly be
set out on a provisional basis. While performing the engagement, the outlines of the
deliverables will become more clear and could be discussed with the client in more
detail.


Activity 1.5

Develop fee estimation and define client billing procedures

Develop fee estimation


As we have been determining the scope and timing of the engagement, we must also
ensure that fees have been agreed upon with the client. Engagement economics and
pricing models will differ between clients depending on internal and external
circumstances. We follow the firm guidelines for pricing all engagements.
It is advisable to avoid selling IT Internal Audit Services as a flat fee engagement.
Pricing engagements using hourly rates helps ensure that we are able to staff the
engagements with the appropriate expertise and helps avoid unpaid scope change
requirements.
Any agreed upon pricing model should be included within the Letter of Understanding.
See Appendix B-5 for an example fee estimation template that can be used to evaluate
the staffing mix and fee structure.
Define client billing procedures
The engagement team partner and team leader should establish the billing procedures
with client management. Procedures should include:
Which personnel are authorized to approve bills;
Payment/collection requirements;
Expense policy (firm's or client's) or cap requirements for engagement
expenses.




Stage 2: Conduct Risk Assessment


Overview
All entities are involved with risk management and assessment on a daily basis. Based on
management objectives, direction of work performance and management style,
employees conduct their activities to minimize risk to their company. A risk assessment
is performed to take a snapshot in time of these activities and their impact on mitigating
all forms of business risk. Therefore, a risk assessment is applicable for a period of time
and should be re-performed on a regular basis if it is used to plan or make decisions.
There is no practical way to reduce risk to zero. Risk is inherent to conducting business.
Management must practically manage its risk processes to determine how much risk is to
be accepted versus mitigated, controlled, insured, etc. Risk management and risk
assessments are not only based on the control objectives of a company, but should also
identify and analyze risks relative to achievement of the business objectives. This forms
the basis for determining how the risks should be managed or monitored to contribute to
the success of the business. Success is a measurement that also needs to be identified.
Business success can be measured in many forms and isn't only based on the profitability
of the company. Short-term business strategies may include discounting until profitable
to gain entrance into a new market or to improve overall market penetration for a
product. We must understand the key business measurements in order to identify the
elements that management includes in the measurement of risk mitigation.
Understanding the business and the impact of IT on the business is key to performing IT
risk management. Ordinarily, IT management gains an understanding of the business
requirements and priorities, in order to most effectively prioritize efforts and allocate
resources. IT risk management efforts are similar. IT management implements controls
and processes based on the relative risk and impact to the business. Accordingly, IT risk
assessment should incorporate a business requirements analysis to ensure that IT internal
audit resources are focused on areas of most value to the business. In all cases, our
engagement executives work with the client to determine how we ensure that the risk
assessment is aligned with overall business requirements. This can include engagements
where we already have a long standing external audit relationship, or where client
management doesn't want a business process risk assessment included in our scope of
service.
Our Risk Assessment Framework
Our IT risk assessment approach is a flexible, business and IT process focused risk
approach that maximizes the use of the firm's methodology, technology, tools, and
knowledge, combined with the auditors' training, judgment and industry experience. Our
approach involves the assessment of the business requirements and IT risks through our
understanding of the client's business goals and objectives (Activity 2). This will enable
us to focus the scope of our risk assessment on the areas where IT is most important to
the business (Activity 3). This understanding also enables the ISAAS team to more
appropriately assess the impact of any observations or findings in subsequent stages of
the risk assessment and audit plan delivery.


At a high level, our risk assessment approach can be summarized in the following steps:
understanding business goals, objectives, and critical success factors;
understanding the business processes and the related IT requirements, including
the potential impact if the business requirements are not met, and
understanding the IT resources and processes that management has implemented
to meet the business requirements.
This can be illustrated by:

Appendix A provides a detailed description of the different elements of our risk
assessment framework and definitions of key terminology. Professionals should read
and understand this framework before proceeding with Stage 2.
This section outlines our approach for the IT risk assessment process assuming we are
performing Stages 1-5 of the methodology for the client. However, a client may request
that we only perform Stage 1 and 2, or certain activities within Stage 2. These
expectations should be discussed during the Sales Process and Stage 1 - Co-Develop
Expectations. Based on client expectations and quality assurance requirements, we
modify our approach as required.

Summary of Stage 2 Activities


To conduct the IT Risk Assessment, we perform the following activities:
2.1 Plan the risk assessment to ensure that we have the proper project team, project
organization, and an effective project plan in place.
2.2 Understand the business goals and objectives, strategies, and critical success
factors to focus our scope to areas where IT is most important to the business.
2.3 Understand the mega and major business processes and related IT requirements to
identify the key business processes and assess the importance and impact of IT.
2.4 Identify the IT Resources and related IT processes in place to further develop our
understanding of the IT environment and the potential risks.
2.5 Document our overall risk assessment and validate with management for input into
the IT audit plan.




Summary of Stage 2 Deliverables


Summary of business goals, objectives, and critical success factors.
Identification of the key business processes.
Summary of the IT resources that support the business processes and the potential
business impact.
High-level documentation of the IT processes.
Risk assessment conclusions.

Activity 2.1 - Plan the Risk Assessment


Introduction
To ensure a successful risk assessment, team involvement and project organization, an
effective plan and project charter should be developed and reviewed with the client.

Summary of Principal Worksteps


2.1.1 Identify and Orient Project Team
2.1.2 Identify Key Client Personnel to be Involved/Interviewed
2.1.3 Develop Risk Assessment Workplan
2.1.4 Determine Timeframe and Budget for Risk Assessment

Principal Worksteps
2.1.1 Identify and Orient Project Team
Identify Project Team: When developing the project team, ensure the following areas
receive proper attention:
Delivering IT internal audit services requires experience in many aspects of IT
systems, audit and controls. Implicit within the development of this methodology
is the understanding that the professional, or at a minimum the project team as a
collective, will have experience with understanding business processes,
understanding the major IT controls, and analyzing IT business processes to
determine whether they are helping ensure IT supports business objectives and
operations.
The engagement team should ideally include a leader or key team member who is
experienced in the industry served by the client organization. Such experience is
valuable in helping the client identify needs and issues relevant to their particular
industry.


Well-developed interpersonal skills are required. To be effective, the project team
members will be required to gather information from various sources through
interviews. Team members should be skilled and comfortable with significant
interpersonal contact with high-level executives and senior management within the
client organization.
Additionally, the projects are often designed to touch many areas of the
organization. Therefore, the project manager must be skilled in managing a
complex engagement. The engagement will be comprised of components that
involve many of the business units, and will use multiple means of gathering data
and information. Ensuring that all are executed smoothly and concurrently requires
well developed project management skills.
Specific engagement team/project management team roles and responsibilities are
included in Appendix C-1. See additional guidance regarding engagement teams, review
responsibilities, independence requirements, etc., in the ISAAS Policies and Procedures
Workbench and the IAS Policies and Procedures Manual.
Orient the Project Team: Due to the size and complexity of IT Internal Audit
engagements, special attention must be paid to orienting the project team, particularly in
the areas of setting expectations and discussing roles and responsibilities. Specific areas for
consideration and communication are:
Project Charter: As a result of Stage 1 - Co-Develop Expectations, we develop a
brief project charter which defines the areas to be assessed and the scope of our
procedures. It also sets expectations for status reporting, communication, etc. The
project charter should be communicated to all team participants.
Engagement Roles & Responsibilities: As a part of the planning phase, we will
also develop a project workplan, budget and timeframe for the risk assessment.
The engagement executives and project manager ensure that the engagement team
understands each of their roles and areas of responsibility in performing the risk
assessment. Discussion points could include specific areas for evaluation,
supervision and review responsibilities, performance review expectations, etc.
Integrated Audit Considerations: Where we are performing internal audit
procedures for a current audit client, during Stage 1 - Co-Develop Expectations we
identify areas where internal audit will perform procedures that will be relied upon
in the external audit. To ensure that these procedures are performed adequately
and timely, it is critical for each of the engagement team members to understand
the external audit requirements and their responsibilities for addressing these
requirements and communicating the results to the client, the internal audit team
and the external audit team. See an example of a Summary of Financial Audit
Considerations plan in Appendix C-7.
Project Documentation Standards: Prior to performing any work on the
engagement, we determine the form and content of the workpapers. If the client is a
firm client, and the work to be performed in the risk assessment is to be relied
upon by the external audit team, then the documentation standards promulgated by the
firm should be adhered to for the engagement. The risk assessment should also
incorporate firm standards for workpaper documentation as prescribed by the
ISAAS Policies and Procedures Workbench Notes database. Although we strive for
workpaper efficiency, our workpapers should contain evidence of the procedures
performed which is sufficient to allow a reviewer to re-perform the
procedures if necessary.
Status Reporting Procedures: To ensure the proper level of executive involvement
and supervision, we establish internal status reporting procedures. These include
when, where and how often we update the project team on our progress. In
addition, the client may have certain expectations and concerns regarding status
reporting and issue resolution. These expectations are also communicated to the
engagement team.
Use of Technology/Tools: The tools to be used to complete the risk assessment are
identified during the planning phase. The tools can include firm products (e.g.,
EYCheckPoint, business process mapping tools, EY/AWS) or client-preferred risk
assessment tools. If a client tool or methodology is adopted by the E&Y risk
assessment team, then the team leader or local ISAAS champion may need to
assess the quality of the client's risk assessment methodology and tools.
Other Administrative Matters: Ensure that the client has designated an appropriate
work area. The area should ensure privacy and confidentiality of company information
and the engagement team.
2.1.2 Identify Key Client Personnel to be Involved/Interviewed
We obtain management's input regarding key client resources who should be involved in
the risk assessment process. Based on our knowledge of the client, the industry, and our
previous experience with risk assessments, we may have to guide them through the
identification process or provide them with suggestions regarding key personnel to be
interviewed. At a minimum, consider involving the following types of client personnel:
Senior Management: Identify the client's key decision makers (generally the
client's Chief Financial Officer, Chief Information Officer, Director of Internal
Audit, and other key executives) to participate with key members of our team and
client management responsible for the internal audit function in the assessment of
business requirements. For integrated audits, we ordinarily have the coordinating
partner and possibly other members of the external audit team participate.
Business Managers: Identify the client's key mega and major business process
owners for assessing the business requirements and IT resources. For clients that do
not manage their businesses with a process orientation, those with responsibility for
the processes may be more difficult to identify. In these cases, identify the functional
managers who are responsible for key aspects of each business process.
IT Management: Identify key IT management personnel and functional responsibilities
that support the IT processes. These personnel are ordinarily responsible for the
application and management of the IT resources and key IT processes.
2.1.3 Develop Risk Assessment Workplan
Depending on the size of the engagement, expected client reporting and client team
involvement, a workplan should be developed that details significant engagement
worksteps. An example plan is contained in Appendix C-2.


2.1.4 Determine Timeframe and Budget for Risk Assessment


Develop Risk Assessment Budget
As we determine the scope and timing of the engagement, we must also ensure our fees
support the budget of personnel and hours. Engagement economics, staffing, hours and
pricing models will differ between clients depending on internal and external
circumstances.
We develop a preliminary budget for the risk assessment defined in the co-development
of expectations. This preliminary budget provides an estimate of the total number of
hours required as well as the staffing levels and experience needed to complete the
assessment. We also consider the number of hours required of ISAAS specialists (e.g.,
Network, SAP, Continuity, eCommerce). Considerations in developing the budget include:
number and level of personnel involved,
number of locations, domestic and international, to visit (time and travel cost if
local staff support is not appropriate or available),
depth and breadth of risk assessment, and
number of hours required of ISAAS specialists.
Determine Timeframe
As we set the timeframe for the risk assessment, we need to consider several factors:
Availability of Client Personnel - Timing considerations need to be made to
compensate for vacations, holidays, significant company events, financial closings,
etc.
Number of Locations - Depending on the client organization, we may need to
perform interviews and evaluations at a number of sites, domestically and
internationally. This needs to be agreed to in the co-development of expectations
with the client.
Availability of E&Y Personnel - Availability of staff and firm experts is
considered in the timing of the risk assessment.




Activity 2.2 - Understanding the Entity's Business Goals, Strategies, Objectives
and Critical Success Factors
Introduction
Developing our understanding of the client business goals and objectives enables us to
focus the scope of our work on the areas where IT is most important to the business. This
understanding also enables the project team to assess the impact of any observations
made in subsequent stages of the engagement.
Due to the nature of this activity, the facilitator needs to have experience with the client
or in the client's industry. The engagement team should consider involving the
coordinating partner (for current clients) or an executive from IAS with relevant
industry experience to assist in facilitating the session.
The goal of this activity is not to evaluate or question the client's business direction. We
are gaining an understanding of the business to ensure that our risk assessment is focused
and performed in the appropriate context. The results of this activity are documented and
incorporated into the workpapers with the risk assessment and should be communicated
to the entire engagement team.

Summary of Principal Worksteps


2.2.1 Identify relevant information held by E&Y from Stage 1 - Co-Develop
Expectations of the project and from other internal departments.
2.2.2 Confirm and build our understanding with senior client management.

Principal Worksteps
2.2.1 Identify relevant information held by E&Y
Use the knowledge acquired from Stage 1 - Co-Develop Expectations to prepare a draft
summary of the business goals, objectives, strategies and critical success factors.
Consider using the ASC Industry Process/Business Risk template as a starting point.
Depending upon specific circumstances, the engagement team may decide to use only the
output from Stage 1, rather than to perform additional work in this area. The decision as
to the level of detail required should be based on the professional judgment of the ISAAS
executive and the specific engagement requirements. If the entity is already a client of
the firm, give consideration to whether sufficient relevant information exists within other
E&Y engagement documentation. Examples of this may include:
Audit - Information collated from Audit Process Activity 7 (Understand Business
Goals, Objectives, Strategies and Critical Success Factors). This information is
likely to be documented using the ASC Industry Process/Business Risk template as
in the example in Appendix B.
Internal Audit Services - Information from activities related to modeling the
business (Understand Business Goals, Objectives, Strategies and Critical Success
Factors).

Corporate Finance - Background information on the client.
Consulting Services - Background information on the client.
Tax - Background information on the client.
If client acceptance procedures have been performed by another E&Y practice on a
separate engagement, this indicates that E&Y is likely to hold information on the entity
and the engagement team should consult that information.
2.2.2 Confirm and Build Understanding
Senior management is responsible for determining the goals and objectives, strategies
and critical success factors of the business. Therefore, it is critical to ensure appropriate
meetings are held with relevant client management. Even where other E&Y practices
have relevant information it will be necessary to meet with the client to ensure that the
information is factual, current and relevant to our engagement.
Useful questions to confirm our understanding of the business might be:
Goals & Objectives
What is the mission statement of the business?
What is the overall goal of the business and its components?
What are the specific objectives set by the company?
What performance measures are used as a basis for executive remuneration?
Strategies
Does a formal business strategy exist? (If so, review the document to ascertain
what the strategies are.)
What are the business strategies used to achieve the business objectives?
What investments/significant changes is the company making to achieve its goals?
Critical Success Factors
What initiatives must be achieved if the strategy is to be successfully
implemented?
If only a critical few of these key results could be achieved, which ones would
they be? And why?
See example documentation of business objectives, critical success factors, etc. in
Appendix C-3.




Activity 2.3 - Understand the Mega & Major Business Processes and Related IT
Requirements
Introduction
Understanding the entity's mega and major business processes and how these relate to
the critical success factors of the business enables us to identify the key business
processes. Determining how and what IT supports the key business processes will
provide an understanding of the importance of IT to the business. This understanding allows
us to perform a more business-focused IT risk assessment and direct our workplans to
provide the most value and comprehensive risk focus to the client.

Summary of Principal Worksteps


2.3.1 Identify the mega and major business processes by using guidance from industry
standards documents and discussing the business processes with management.
2.3.2 Identify which of the major business processes are Key by matching the major
business processes to the critical success factors of the business.
2.3.3 Document how IT supports the mega and major business processes.

Principal Worksteps
2.3.1 Identify the mega and major business processes
We obtain business process documentation directly from the client or from available
E&Y resources, such as IAS or external audit, or select a normative business model for
the industry that relates to the entity. These models are typically available from industry
PowerPacks and in the ASC Industry databases on Lotus Notes. Gain a high-level
understanding of the client's documents or customize the normative industry models using
the information collected during co-development of expectations.
The purpose of this workstep is to enhance our understanding of the business for
purposes of our IT risk assessment. Our intent is not to perform a business risk
assessment or model the business. Therefore, our documentation and inquiries should be
at a high level.
Confirm who the owner of each business process is and obtain the following information:
Process Name - The name should reflect the common language that the client uses.
Purpose/Objective - Why the process exists.
Owner of the Process - Who is responsible for ensuring the process achieves its
objective.
Beginning and Ending - The boundaries of the process.
Inputs and Outputs - What is required to perform the process and what is
produced from the process that can be passed on to other processes.
Summarize the information. See examples of major and mega process documentation in
Appendix C-3.


For clients that do not manage their businesses with a process orientation, identifying the
business process owners may be more difficult. In these cases, identify the functional
managers who are responsible for key aspects of each business process. For example, in
such a client, we may correlate the major processes to organizational components (e.g.,
department, division, subsidiary), and their functional managers. The following
illustrates one way to relate major business processes to functional departments:
                        Department
Process                 X         Y         Z

2.3.2 Identify the key business processes

It is essential that we understand which of the major business processes are most
important (key) to the business. This is necessary in order to focus our efforts on these
processes. The key business processes can be identified by developing an understanding
of which major processes have the greatest impact on the achievement of the client's
critical success factors.
One proven method of identifying the client's key business processes is the use of a
matrix of the processes and critical success factors to assess the effects of a number of
major processes on the client's critical success factors. See an example of the matrix in
Appendix C.
In less complex clients, it may be possible to understand the relationships without using a
matrix. Alternative methods may be used (e.g., making this correlation at the mega
process level). Professional judgment should be applied when determining the final
approach to be undertaken.
2.3.3 Understand how IT supports the mega and major business processes and its
potential impact on the business.
In workstep 2.3.2, we identified the key business processes and gained an understanding of
why they are critical to the success of the business. Our next step is to understand the
role that IT plays in enabling and/or ensuring that the key business processes are
successful. In order to understand the impact and importance of IT, we must understand:
Where are the key business processes supported by IT?
What is the potential impact to the business if IT is not functioning as required?
Have there been any previous issues with IT not meeting the business
requirements?

Methodology - Stage 2

Understand How IT Supports the Key Business Processes

We meet with the business process owners and confirm our understanding of the
business process, key inputs and outputs, objective of the process, etc. We then gain an
understanding of IT's role in the business process. Key questions that we might ask
include:
Is the process highly automated?
Is success of the process reliant on IT and, if so, how or why is it reliant on IT
(e.g., the process performs complex calculations, it produces information key to
the decision making process, etc.)?
Does IT perform significant control functions or calculations as part of the
process?
Which business information requirement (i.e., availability, confidentiality, integrity,
efficiency or effectiveness) of IT is most important to the process, and why?
Understand ITs Potential Impact on the Business
After we understand how and what IT resources support the key business processes, the
next step in performing the risk assessment is to understand the potential impact to the
business if IT is not functioning as necessary.
Impact can be defined in a number of different ways, some of which are monetary.
Other detrimental impacts could include: damage to public image, embarrassment,
damage to key customer/supplier relationships, non-compliance with regulatory
requirements, loss of service, etc.
In addition to understanding the nature of the impact, we have to understand the potential
severity of the impact. Generally, for consistency we rate potential severity as high,
medium or low. However, high / medium / low can mean different things to various
clients or to business units within the same client. Therefore, we must discuss and define
impact ratings with the client before we perform the risk assessment.
Questions to ask regarding the potential impact include:
What are the likely business consequences if the enabling IT does not meet the
needs of this business process (e.g., monetary loss, damage to relationships,
regulatory non-compliance)?
If the computer systems were unavailable, how long could the process continue to
operate?
Would a discontinuity in this process halt the functioning of other key processes?
Additional interview questions and business impact templates are included in Appendix C-4.
Understanding Previous Issues
We make additional inquiries of the business process owners to determine if there have
been any previous issues related to availability, confidentiality, integrity, efficiency and
effectiveness. Sometimes previous issues or situations highlight existing, potential or
uncontrolled risks.
After completing our interviews, the information should be summarized into an overall
assessment for each business process.

Activity 2.4 Identify the IT Resources and Related Processes

Introduction
In Activity 2.3, we develop a high level understanding of the entity's mega and major
business processes and supporting IT environment from the business perspective. To
help us complete this understanding, we also identify the specific technology platforms
and infrastructure that support the business processes. We obtain entity-level information
about the client's IT environment (e.g. platforms, processing locations) by focusing on
those computer applications and technology that support the client's mega and major
business processes.
We may identify significant business risks based upon our discussions with the IT
resource owners, and if we do, we consider these risks. For example, an entity's IT
strategies may be significantly out of alignment with its business strategies, resulting in a
risk that the company's IT infrastructure cannot support the future processing
requirements resulting from the business's planned growth. Or IT management may be
planning significant changes in the infrastructure of which the business process owners
are not specifically aware.
After documenting the IT resources, the project team needs to consider how the IT
processes are implemented to manage the IT resources effectively. The project team
should consider the policies and procedures that the IT organization has in place, both
formal and informal, to:
Develop the IT strategy and plans,
Develop, deliver and maintain the IT infrastructure,
Operate the IT environment,
Monitor and control the IT processes.
In addition, it is very important to gather information about whether any significant
changes are planned for the IT processes or the IT environment. Discussion with key IT
management is critical for learning this information. Additionally, review of the IT
strategic plan is helpful in determining the changes that are planned.

Summary of Principal Worksteps

2.4.1. Identify and Document the IT Resources: develop a combined
hardware/software map of the IT infrastructure to the organization's mega and
major business processes.
2.4.2. Understand and Document the IT Processes at a high level: develop an
understanding of the principal processes that the IT organization uses to meet the
business requirements.

Principal Worksteps
2.4.1 Identify and Document IT Resources
In addition to documenting IT from the business process perspective, we identify and
document IT resources from the IT organization's perspective. This assists us in gaining
a more complete understanding of the entity's IT resources and organization. As a result
of this workstep, we may also identify additional risks which need to be addressed in our
audit plan (i.e., that were not previously identified in our interviews of the business
process owners).
The IT resources to consider include:
People: understanding the IT organization and structure and how it supports the
business and IT processes.
Data: understanding high-level data structure, maintenance and administration.
Applications: identifying applications and mapping them to the appropriate
business process. Mapping applications to the business processes identifies
software concentrations within the business processes and helps us understand
how software supports the business. We also map the applications to the
supporting technology to identify the interrelationships between critical software
and associated hardware platforms. We obtain information such as the name and
description of each application system supported, the location of each piece of
hardware that supports the respective system, whether the system is purchased or
developed internally, and the date of any planned changes. For Ernst & Young
LLP external audit clients, this information should already be documented within
the Technology Summary forms.
Technology: we document the supporting technology and map it to both the
applications and business processes to identify the specific hardware
concentrations within business processes and applications. We obtain the name of
each piece of hardware and the number of systems on each piece of hardware that
support each major business process.
Facilities: understanding the number and location of processing facilities. This
may impact our risk assessment and plan of audit.
See Appendix C-5 for sample templates. In addition, this information could be
documented in EY/Checkpoint.
While we are gathering information on IT resources, we may identify potential areas of
risk that weren't identified during the business impact assessment. Issues to consider
include:
People
Is the IT organization structure consistent with the business requirements?
Does there appear to be adequate segregation of duties?
Do individuals appear qualified?
Data
Have there been previous data integrity issues?
Is data concentrated in one or a few databases, or spread throughout several
databases?
Applications
Do a few applications support several business processes?
Are there significant off-line or desktop systems in the business units?
Are applications new or old based on industry comparison?
Have there been recent implementations or are any planned?
Technology
Is the client using the latest technologies or older versions?
Have there been availability or connectivity issues?
Have there been recent implementations or are any planned?
Do a few systems support several applications or business processes?
Facilities
Are systems/resources concentrated in a few locations or many?

2.4.2 IT Processes
IT processes normally are a key enabler of an entity's business processes and often
significantly affect how management controls its business processes. Our objectives in
this activity are to:
Obtain a high-level understanding of the client's IT processes that support the
client's business processes and consider any business risks we identify.
Obtain an understanding of, and preliminarily evaluate the design of, the controls
related to IT processes that affect our risk assessments for significant business
process IT requirements.
To assist us in understanding the IT processes and how they support the client's business
processes, we use the E&Y Information Technology Process Model: A Major Process
View. The major IT processes in this model are: Planning the IT Environment,
Developing and Delivering IT Solutions, Operating the IT Environment, and Organizing
and Monitoring IT Processes.
Factors influencing the importance the client places on developing controls in the
information technology processes include the nature, materiality, and volume of
information processed; the risk to the organization of poor business decisions based on
inaccurate or unreliable information generated by the information systems; the presence
or absence of manual controls around the IT processes; and the degree of disruption that
would occur if the client were forced to operate without certain information systems for
any length of time.
Factors which may influence our risk assessment, or indicate potential risk related to
certain IT processes, include:
Level of change expected in the environment (Planning, Developing and
Delivering),
Unusual number of failed projects or amendments after implementation (Developing
and Delivering),
Poor response time or connectivity issues (Operating),
Above average IT spending (Planning, Monitoring),
Significant business changes, e.g., mergers, acquisitions, expansion, downsizing
(Planning, Developing and Delivering, Operating).

Activity 2.5 Document Risk Assessment and Validate with Management

2.5.1 Document Results/Overall Risk Assessment Conclusions
Summarize the results of the risk assessment. This should include an overview of the
major processes and their relative risk for each auditable unit. For each auditable unit
identified, considerations need to be included for industry/product segment attributes,
management business objectives and overall company conduct and goals. The resulting
output is an overall risk assessment for each auditable unit that serves as a basis for
allocating audit resources and preparing the annual audit plan.
2.5.2 Prioritize Risk Areas
By applying client environment, business objective and industry attributes, along with
the overall experience of the ISAAS professionals participating in the risk assessment, we
should be able to prioritize the results of our risk assessment. Additional factors to
consider include: financial exposure (i.e., materiality), quality of internal control systems
at both the entity level and application/process level (given either our preliminary
assessment or understanding based on prior experience), changes in management
structure, prior audit results, time or significant events since the last audit, and location risk.
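The matrix of processes and critical success factors from workstep 2.3.2, the client-agreed high/medium/low impact ratings from workstep 2.3.3 and the prioritization described in this workstep can be carried through as a small scoring script. The following is an added worked example written for this page; it is not a firm tool and not the Appendix C template. The CSF weights, the numbers assigned to high/medium/low, the cutoff for "key" processes, the cycle thresholds in audit_frequency and the sample processes are all constructed assumptions that would be replaced by what is agreed with the client.

```python
"""Stage 2 worked example: score the process/CSF matrix, apply the client-agreed
impact ratings and rank the processes for the audit plan.
All names, weights, ratings and thresholds below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed numeric meaning of the agreed ratings. High/medium/low mean different
# things to different clients, so agree the definitions first and pass that scale in.
DEFAULT_SCALE: Dict[str, int] = {"high": 3, "medium": 2, "low": 1}


@dataclass
class BusinessProcess:
    name: str
    csf_effect: Dict[str, int]     # critical success factor -> effect of the process on it (0..3)
    it_reliance: str               # how dependent the process is on IT (high/medium/low)
    impact_if_it_fails: str        # agreed impact rating if the enabling IT does not function
    previous_it_issues: int = 0    # previously reported availability/integrity/etc. issues


def _rating(value: str, scale: Dict[str, int]) -> int:
    """Translate an agreed rating to a number; reject anything not in the agreed scale."""
    try:
        return scale[value.lower()]
    except KeyError:
        raise ValueError(f"rating {value!r} is not in the agreed scale {sorted(scale)}") from None


def key_process_score(proc: BusinessProcess, csf_weights: Dict[str, int]) -> int:
    """Row total of the process x CSF matrix: sum of (CSF weight * effect on that CSF)."""
    return sum(csf_weights.get(csf, 0) * effect for csf, effect in proc.csf_effect.items())


def identify_key_processes(procs: List[BusinessProcess], csf_weights: Dict[str, int],
                           cutoff: float = 0.5) -> List[str]:
    """Key processes: those whose matrix score is at least `cutoff` of the highest score
    (the cutoff is an assumption; the methodology leaves this to professional judgment)."""
    scores = {p.name: key_process_score(p, csf_weights) for p in procs}
    top = max(scores.values(), default=0)
    return sorted(name for name, s in scores.items() if top and s >= cutoff * top)


def it_risk_score(proc: BusinessProcess, csf_weights: Dict[str, int],
                  scale: Dict[str, int] = DEFAULT_SCALE) -> int:
    """Business importance (matrix score) scaled by IT reliance and agreed impact,
    plus one point per previous IT issue as an indicator of uncontrolled risk."""
    importance = key_process_score(proc, csf_weights)
    it_factor = _rating(proc.it_reliance, scale) * _rating(proc.impact_if_it_fails, scale)
    return importance * it_factor + proc.previous_it_issues


def audit_frequency(score: int, top_score: int) -> str:
    """Assumed cycle rule relative to the highest-scoring process: top band annual,
    middle band every two years, remainder every three years."""
    ratio = score / top_score if top_score else 0.0
    if ratio >= 0.6:
        return "annual"
    if ratio >= 0.3:
        return "every two years"
    return "every three years"


def prioritize(procs: List[BusinessProcess], csf_weights: Dict[str, int],
               scale: Dict[str, int] = DEFAULT_SCALE) -> List[Tuple[str, int, str]]:
    """Rank processes by IT risk score (highest first, ties by name) with a proposed
    audit frequency for each."""
    scored = sorted(((p.name, it_risk_score(p, csf_weights, scale)) for p in procs),
                    key=lambda item: (-item[1], item[0]))
    top = scored[0][1] if scored else 0
    return [(name, score, audit_frequency(score, top)) for name, score in scored]


# Constructed sample: critical success factors (weighted 1..3) and three major
# processes as they might be recorded after the Stage 2 interviews.
CSF_WEIGHTS = {"On-time delivery": 3, "Regulatory compliance": 3, "Cost control": 2}
SAMPLE_PROCESSES = [
    BusinessProcess("Order fulfilment", {"On-time delivery": 3, "Cost control": 2},
                    it_reliance="high", impact_if_it_fails="high", previous_it_issues=1),
    BusinessProcess("Payroll", {"Regulatory compliance": 3, "Cost control": 1},
                    it_reliance="high", impact_if_it_fails="medium"),
    BusinessProcess("Facilities maintenance", {"Cost control": 2},
                    it_reliance="low", impact_if_it_fails="low"),
]

if __name__ == "__main__":
    print("Key processes:", identify_key_processes(SAMPLE_PROCESSES, CSF_WEIGHTS))
    for name, score, freq in prioritize(SAMPLE_PROCESSES, CSF_WEIGHTS):
        print(f"{name:<24} score {score:>4}  proposed frequency: {freq}")
```

The scale is passed in rather than fixed for the reason given in workstep 2.3.3: high/medium/low are defined per client, and sometimes per business unit, so the agreed definitions travel with the assessment and a rating outside the agreed scale is rejected rather than silently scored. The ranking is an input to professional judgment and to the validation with management in 2.5.3, not a substitute for either.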
2.5.3 Validate with Management
While we perform a number of procedures and assist in the development of the risk
assessments as described in this activity, the scope of our internal audit services, the
internal audit risk assessment and the frequency of internal audit activities remain the
responsibility of the client. Therefore, we present the results of our work to client
management responsible for the internal audit function and discuss its effect on the
annual audit plan. Validating the information gathered and findings produced to date is
important to ensure that the client supports the analysis that will be used in finalizing
the scope of the risk analysis.

Methodology - Stage 3

Stage 3 - Prepare Annual IT Audit Plan

Introduction
We assist client management responsible for the internal audit function in developing the
annual IT audit plan. The annual IT audit plan is primarily based on the risk assessment
developed during Stage 2. It defines the specific IT audits to be performed, how
frequently the audits are to be performed (e.g., every one, two, or three years), the scope
of the IT audits, the resources required for the projects, and the estimated total hours
required to complete the projects.
This plan should be reviewed and approved by the appropriate client management. In
subsequent years, the audit plan is updated as required to reflect significant changes in
the client's risk profile resulting from changes in the client's business operations,
changes in IT infrastructure or processes, and changes in client needs or regulatory
requirements.

Summary of Stage 3 Activities


In order to prepare the IT Audit Plan, we perform the following activities:
3.1. Understand Management's Audit Coverage Expectations to help select areas for
evaluation.
3.2. Prioritize Audits and develop the audit strategy, preliminary budget and
timeline.
3.3. Understand Engagement Economics to determine the total available resources
and hours for the overall engagement based on the specifications set forth in our
engagement letter.
3.4. Agree the Audit Plan with executive management of the client.

Summary of Stage 3 Deliverables


After completing this stage, the following documents should be developed:
Summary of Areas to be Audited
Preliminary Budget and Timeline
Plan of Resources / Skill Sets Needed
Examples of these documents are located in Appendix D.

Stage 3 Activities
Activity 3.1 Understand Management's Expectations Regarding Risk Coverage
Management's expectations regarding our IT audit coverage are a critical component in
deriving our preliminary audit plan. Based on the information obtained in Stage
1 - Co-Develop Expectations and Stage 2 - Conduct Risk Assessment, we have obtained
information from management regarding their risk tolerance and the processes that impact
the critical business objectives of the organization. The next step is to co-develop a
preliminary audit plan that meets management's expectations and aligns our IT
audit resources to those processes that pose higher risk to the objectives of the
organization.
This information is best obtained by making specific inquiries of management. We
incorporate the feedback from these inquiries in our audit plan for the following reasons:
The preliminary IT audit plan must be co-developed with management, as they are
ultimately responsible for the internal audit function and have engaged us to
provide internal audit services to their organization.
The nature and scope of our work is determined solely by agreement between the
client and the engagement team, and generally the work is performed for the benefit
of the client.
Management serves as the liaison between the internal audit function and
management of the organization, external auditors, regulators and other third
parties, whose needs/requirements impact the audit plan.
Management's expectations regarding audit coverage will have an impact on the
prioritization of audits when allocating IT audit resources.
The results of the IT risk assessment should complement management's
assessment of risk, which will drive the audit areas selected for the current year's
audit plan.
Management may expect the audit plan to incorporate areas of lower risk or
procedures for external auditors or regulators.
Since the preliminary IT audit plan needs to be co-developed with management, the
following questions should be asked to help us obtain a sufficient understanding of the
client's expectations regarding audit coverage:
How much risk exposure are you willing to accept?
Which audits will be performed on an annual basis or for the current year?
Are there any audits which can be cycled, and what frequency best fits
management's comfort level for audit coverage of the moderate and lower risk
areas?
What amount of audit hours needs to be allocated to fulfill the needs of external
auditors, regulators or other third parties?
Although the client may expect us to determine the answers to some of the above
questions, especially for integrated audits, we should ask if they have any specific
expectations in these areas.

Activity 3.2 Prioritize Audits
3.2.1 Select Projects to Perform
After we understand management's expectations regarding risk coverage, we assist client
management in selecting and prioritizing the IT audits to be performed. The following
points influence our decisions during this process:
prior year internal audit plan and risk coverage;
external audit plan and integration requirements;
management's expectations regarding the audit coverage;
results of the risk assessment process;
previous audit results;
third party expectations;
geographical locations of projects;
client requests to include resources for discretionary projects;
resource availability; and
estimated engagement profitability.
With the above information, we begin the process of building the audit plan.
3.2.2 Identify Management's discretionary projects
Management may also have requested that the internal IT audit plan set aside some time
for the performance of management-determined projects. Examples of these types of
projects include system conversion procedures, participation in Year 2000 status
meetings, etc. Usually management indicates that a percentage of budgeted hours or a
fixed number of hours is to be designated for such projects. These resource needs are
typically set aside first when putting together the audit plan, with the remaining
resources then allocated appropriately. As these projects are hot buttons of
management, we assign a high priority to allocating resources for these needs.
3.2.3 Developing the audit strategy and preliminary budget
At this point, our prioritization of projects is complete. The next step is to develop an
audit strategy and develop preliminary budgets and timetables. We build the budget by
developing high-level workplans for each project and estimating the time to complete the
procedures. As the individual audits can incorporate a number of different services and
require different skill sets, we consider the number of hours required for different skill
sets and levels. For example, a Year 2000 review would require more experienced
resources than an operating system security assessment using one of our automated tools.
Although we are not creating detailed budgets in this phase, we still consider the nature,
the risk and the relative skill sets needed for the individual audits in developing the
preliminary budget.
We then allocate types and levels of resources required for each audit based on these
preliminary budgets. We will include the timeframe for each project within our budgets
to ensure resources are appropriately scheduled and client conflicts are detected early. A
sample Annual Audit Plan template is located in Appendix D-1 to assist in documenting
the audits to be performed during the year.

Activity 3.3 Understand Engagement Economics

While the scope of the annual IT audit plan must be responsive to management's risk
coverage expectations and needs, the plan also should be equally responsive to
engagement economics. After completing the preliminary audit plan and determining the
staffing mix for the engagement, the executive on the account will be able to compute the
estimated profitability of the engagement and determine whether or not the returns fall
within the desired profitability thresholds. One of the firm tools, the Engagement Planning
Tool (EPT), can be used to help in the planning process to determine profitability and the
appropriate staffing mix. Other templates or matrices can also be used to assist in initially
pricing work as well as estimating the profitability of the engagement (see examples in
Appendix D-2).
There are no defined profitability measurement thresholds, as each engagement has
unique characteristics that must be taken into consideration. However, early detection of
potential unfavorable engagement economics allows the engagement executives the
opportunity to re-challenge the timing, staffing, and scope of services delivered in the
preliminary audit plan over the contractual period to enhance the engagement economics.
If the results are not acceptable, the engagement team revisits the preliminary audit plan
to determine alternate strategies to develop an audit plan that takes the following into
consideration:
Management's expectations regarding audit coverage;
The results of the risk assessment;
Contractual fees;
The engagements desired profitability threshold.
If our desired profitability thresholds are not met, alternative strategies to improve the
estimated engagement economics could include:
Re-challenge the frequency of our lower and moderate risk audits;
Revisit the staffing mix;
Request management to allow us to bill administrative expenses and out of pocket
expenses, if not included in the contractual fees.
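The steps in Activities 3.2 and 3.3 (set aside management's discretionary hours, schedule the audits that are due in priority order, cycle the moderate and lower risk audits, then check the staffing cost against the contractual fee and re-challenge if the margin is unacceptable) can be expressed as a short planning script. This is an added example for this page, not the firm's Engagement Planning Tool or an Appendix D template; the audits, hours, hourly rates, discretionary percentage and fee are constructed, and the greedy allocation and the pricing of reserved hours at the senior rate are assumptions.

```python
"""Stage 3 worked example: build the current year's IT audit plan from the ranked
audits, then check engagement economics against the contractual fee.
Audits, hours, rates, percentages and fees are constructed assumptions."""
from dataclasses import dataclass, replace
from typing import Dict, List

RISK_RANK = {"high": 0, "medium": 1, "low": 2}   # scheduling priority, highest risk first

# Assumed hourly cost rates per staff level; substitute the engagement's own figures.
RATES: Dict[str, int] = {"manager": 200, "senior": 150, "staff": 100}


@dataclass
class PlannedAudit:
    name: str
    risk: str                        # high / medium / low from the Stage 2 risk assessment
    frequency_years: int             # 1 = annual; 2 or 3 = cycled
    first_year: int                  # year the audit was, or is to be, first performed
    hours_by_level: Dict[str, int]   # preliminary budget per staff level (different skill sets)

    @property
    def hours(self) -> int:
        return sum(self.hours_by_level.values())

    def due(self, year: int) -> bool:
        """Annual audits are due every year; cycled audits only on their cycle year."""
        return year >= self.first_year and (year - self.first_year) % self.frequency_years == 0


def reserve_discretionary(total_hours: int, pct: float) -> int:
    """Hours set aside first for management-determined projects (a percentage of budget)."""
    return round(total_hours * pct)


def build_plan(audits: List[PlannedAudit], year: int, total_hours: int,
               discretionary_pct: float) -> Dict[str, object]:
    """Reserve the discretionary hours, then schedule the audits due this year in
    priority order (risk, then name), deferring any audit that no longer fits."""
    reserved = reserve_discretionary(total_hours, discretionary_pct)
    available = total_hours - reserved
    due = sorted((a for a in audits if a.due(year)),
                 key=lambda a: (RISK_RANK[a.risk], a.name))
    selected: List[str] = []
    deferred: List[str] = []
    used = 0
    for audit in due:
        if used + audit.hours <= available:
            selected.append(audit.name)
            used += audit.hours
        else:
            deferred.append(audit.name)
    return {"year": year, "reserved_hours": reserved, "selected": selected,
            "deferred": deferred, "planned_hours": used,
            "unallocated_hours": available - used}


def engagement_cost(audits: List[PlannedAudit], selected: List[str], reserved_hours: int,
                    rates: Dict[str, int] = RATES, reserve_level: str = "senior") -> int:
    """Staff cost of the selected audits at the given rates. Reserved discretionary
    hours are assumed to be delivered at `reserve_level` (an assumption for this example)."""
    by_name = {a.name: a for a in audits}
    cost = sum(hours * rates[level]
               for name in selected
               for level, hours in by_name[name].hours_by_level.items())
    return cost + reserved_hours * rates[reserve_level]


def margin(fee: int, cost: int) -> float:
    """Estimated margin as a fraction of the contractual fee."""
    return (fee - cost) / fee


def stretch_cycle(audits: List[PlannedAudit], risk: str = "low") -> List[PlannedAudit]:
    """One re-challenge option from Activity 3.3: audit the given risk band one year
    less often. Returns a new list; the original audits are left unchanged."""
    return [replace(a, frequency_years=a.frequency_years + 1) if a.risk == risk else a
            for a in audits]


# Constructed sample plan inputs for a 1999 engagement.
SAMPLE_AUDITS = [
    PlannedAudit("ERP application controls", "high", 1, 1999, {"senior": 120, "staff": 200}),
    PlannedAudit("Operating system security", "high", 1, 1999, {"senior": 40, "staff": 120}),
    PlannedAudit("Year 2000 readiness", "high", 1, 1999, {"manager": 40, "senior": 80}),
    PlannedAudit("Network perimeter", "medium", 2, 1999, {"senior": 60, "staff": 100}),
    PlannedAudit("Backup and recovery", "medium", 2, 1998, {"senior": 40, "staff": 60}),
    PlannedAudit("Help desk", "low", 3, 1999, {"staff": 100}),
]

if __name__ == "__main__":
    plan = build_plan(SAMPLE_AUDITS, year=1999, total_hours=800, discretionary_pct=0.10)
    cost = engagement_cost(SAMPLE_AUDITS, plan["selected"], plan["reserved_hours"])
    print(plan)
    print(f"cost {cost}, margin on a 120000 fee: {margin(120000, cost):.1%}")
```

With the sample inputs the three high-risk audits fill most of the 720 hours left after the 10% reserve, the medium-risk network audit no longer fits and is deferred, and the smaller low-risk audit is still scheduled. A deferred audit is exactly the kind of item to take back to management under Activity 3.4, and the deferred or cycled audits are where the re-challenge options in this activity (stretching the cycle, changing the staffing mix) are applied before the plan is agreed.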
Activity 3.4 Agree Audit Plan
As discussed in Activity 3.1, the nature and scope of our work is determined solely by an
agreement between us and the client. Therefore, it is critical that we have incorporated
management's concerns into the preliminary audit plan presented. We walk through the
factors and thought process that were taken into consideration in building the plan.
Modifications to the audit plan are made based on the feedback received from the
client. Formal approval of the audit plan is typically gained before executing any of the
projects outlined in the plan.
The audit plan should be updated at a minimum on an annual basis to reflect changes in
the client's risk profile resulting from changes in the client's business or operations. In
addition, as events and circumstances occur that affect the client's business objectives,
management may request that we reallocate our audit hours to address certain areas,
which may modify the current year's audit plan. Any changes made to the audit plan should be
communicated immediately to, and approved by, appropriate management.

Methodology - Stage 4

Stage 4 - Execute Audit Plan

Introduction
After performing the risk assessment and developing an audit plan, we must execute the
plan. When performing IT Internal Audit Services, our client has engaged us to report on
the adequacy of the control environment within the business processes, IT processes or
other specific areas. The execution of the audit plan provides the value of our Internal
Audit Services. Because the execution of individual audits will vary by client
and scope, we cannot provide detailed workplans for each situation. Therefore, this
section and the principal activities should be used as a framework for executing each step
of the audit plan.

Summary of Stage 4 Activities


In order to execute the IT Internal Audit Services engagement properly, we identify
several activities to guide the team through the planning of the project to reporting the
results to the
4.1. Scope the IT audit project to provide clear guidance to the audit team and ensure
there is a common understanding of the project.
4.2. Understand the IT audit areas (major business process, IT process, application,
etc.) included within the scope of the engagement.
4.3. Identify and assess risks around the processes that could cause an organizations
objectives not to be achieved.
4.4. Identify and evaluate controls to give an initial assessment on their effectiveness at
preventing or detecting risk.
4.5. Design testing strategy and perform tests of controls to evaluate the effectiveness
of the controls.
4.6. Conclude and Report our findings and recommendations.

Summary of Stage 4 Deliverables


After completing this stage, the following documents should be developed:
Scope Document
Detailed Project Plans
Detailed Documentation
Issues Summary
Detailed Findings and Recommendations Reports
Client Satisfaction Feedback
Examples of these documents are located in Appendix E and the ISAAS Workbench.

Stage 4 Activities
Activity 4.1 Scope the IT Audit Project
4.1.1 Revisit Original Risk Assessment
During the Risk Assessment activities, sufficient understanding of the organization's
business processes, IT processes and supporting technology was obtained to identify the
significant inherent risks that would cause the organization's business objectives not to
be achieved. We should use this information to help us scope the IT audit engagement.
For example, we will be able to identify critical success factors, IT resources (data,
application systems, technology, facilities, people), critical sub-processes and high-level
controls from our Risk Assessment that will be important to properly scope the
engagement.
This information should be revisited and assimilated prior to meeting with client
management to develop and agree the scope of the audit. It should be the basis of
discussions during this scoping meeting.
4.1.2 Revisit Audit Strategy
When developing the scope of the IT audit project, also revisit the audit strategy
developed within Stage 3 Prepare Annual Audit Plan as this will provide initial direction
for the scope. A high-level audit strategy will have been developed, documented and
agreed with client executive management during this audit planning process. Our
strategy may have outlined:
The nature of the audit, e.g. high-level process wide review or detailed risk and
control analysis in a particular part of the process.
Which sub-processes were to be the focus of the IT audit.
A particular part of the process that executive client management wants included
or excluded from the scope.
Any additional work necessary to meet integrated audit requirements.
4.1.3 Develop Preliminary Audit Scope and Meeting Agenda
Using our high-level process understanding and the audit strategy, a preliminary IT audit
scope should be developed to detail:
Areas, such as the major process and associated sub-processes, hardware and
software, to be included in the IT audit.
Nature of the audit work to be performed.
Timescales and protocols for the IT audit.
Who will perform the IT audit.
An example scope document can be found in Appendix E-1. (Depending on the nature
of our fee and billing arrangements, we may choose not to include budget and hour
information).
As we are required to meet with management to develop and agree upon the IT audit
scope, it would be pertinent to develop an agenda for the meeting.
The agenda will differ from client to client and from audit to audit, however, it should
generally cover the following areas:
Attendee introductions;
Purpose of the audit;
Changes in the environment since initial risk assessment;
Proposed scope of engagement;
Additional changes required in the proposed scope;
Requirements of the client;
Key client and Ernst & Young contacts;
Timing of review and deliverables;
Questions and concerns of management.
4.1.4 Meet with Client Management
The agenda should be briefly discussed and agreed at the beginning of the meeting. From
this meeting, we should have an initial agreement on the project-level expectations
regarding the audit scope, specific deliverables and communication protocols. During the
meeting, we also identify any issues or conflicts in the organization that could hinder the
efficiency or effectiveness of the audit project. The meeting should also be used to gain
an understanding of management's risk and control awareness. Although this may not be
directly audited or reported, it will provide useful insight when undertaking the audit.
4.1.5 Finalize IT Audit Scope
Update/Prepare Project Plan
Prior to performing the risk assessment, we should have obtained a signed Letter of
Understanding from the client. If we have not obtained this document, we must prepare a
Letter of Understanding before commencing our work. See the discussion of the Letter of
Understanding in Stage 1 - Co-develop Expectations with Client. For each specific audit
project, we should update or develop a project plan which should include the following:
Major process and associated sub-processes or specific area to be included in the
IT audit.
Anything that will be excluded from the audit.
Nature of the audit work to be performed.
Fieldwork start and completion dates.
Draft and final reporting protocols and deadlines.
Who will perform the audit.
This document should be shared with Client Management to ensure that all expectations
are consistent.
Confirm Required Resources
Depending on the size of the IT audit engagement, members of the project team may
perform various roles in executing fieldwork. A planning meeting should be held with
the audit team members to plan the audit and agree roles and responsibilities. We also
will outline the budget for the review and provide team members with performance
expectations and goals. We may want to hold a team orientation meeting to discuss the
details of our project plan and role assignments. This meeting would provide the team
direction on the objectives, scope, and timing of the project.
Activity 4.2 Understand the IT audit areas
4.2.1 Revisit Risk Assessment
During the Risk Assessment activities, sufficient understanding of the organization's
business processes, IT processes and supporting technology was obtained to identify the
significant inherent risks that would cause the organization's business objectives not to
be achieved. This understanding should have been updated to reflect discussions
undertaken during Activity 4.1 - Scope the IT Audit Project.
It is necessary to determine the level of further analysis that is required to develop a full
understanding of the risks and related controls to ensure that the time allotted for the
audit project is not spent inefficiently, e.g. documenting a process to an unnecessary
depth of detail.
We may develop a high-level plan around what further information is required for us to
obtain our understanding. Essentially, we are required to understand how the process or
control area actually does what it has been designed to do and how it achieves its
objectives.
4.2.2 Acquire Information from Client Management and Staff
Having developed a plan outlining what additional information is required, we need to
interview appropriate client personnel for us to obtain the additional information which
was outlined above. It is likely that more than one meeting will be required to fully
develop our understanding to the appropriate level. In recognizing this, it is important that
a top-down approach is taken to these meetings, e.g. meet with management first, before
moving to the staff. We must also always be cognizant of tests of controls that can be
performed at the same time that we are obtaining our high-level understanding. We will
typically be required to go back to these individuals; however, it will be more efficient to
test some controls at the same time we are obtaining our high-level understanding.
4.2.3 Document Understanding
To facilitate identification of risks and controls and to confirm our understanding of the
major process and associated sub-processes, we should document our understanding of
the processes. Caution must be used when doing this as it can be unnecessarily
inefficient to document too much detail or to try to perfect our understanding.
When reviewing IT processes, we can document our understanding using the
Documentation of IT Controls form used as part of the Ernst & Young Audit
Methodology. Efficiencies will be gained in integrated audits by using these external
audit forms and templates. In addition, we need to take into account other audit process
considerations which may be beneficial in an integrated audit. Normally accepted
methods of capturing our knowledge include process diagrams, narrative notes, as well as
control analysis forms (CAF). Firm tools such as Permit and the ISS toolkit are also
acceptable. There are significant benefits to both E&Y and our clients if we capture this
information in a consistent manner/structure.
Process Flow Diagrams


There are a number of diagramming techniques available to document processes. One of
the most commonly used is process data flow diagramming. An example process flow
diagram can be found in Appendix E-3.
Even where diagrams are used, some supporting narrative notes will be required to
supplement the diagrams. Typically, information on objectives, critical success factors
and key performance indicators should be documented in narrative style.
Narrative Notes
When documenting our understanding of the audit area, it is important to structure the
narrative notes. Information that may need to be included (as applicable) in the narrative
notes includes:
Purpose
Objective
Critical success factors and key performance indicators used to monitor these
factors
Process Beginning
Inputs - what data is used by the process and what is the data source
Key Transformations that take place with the data received
Outputs - what data is passed from the process and where does the data go
Process Ending
Supporting Information Technology systems
Reliance on human resources
See an example document in Appendix E-4.
Activity 4.3 Identify and Assess Risk
4.3.1 Identify Risks
The amount of work to be performed depends on the extent of the risks
identified during the IT Risk Assessment process and updated during the scoping of the
audit.
Review Known Risks
The first step in identifying the risks is to review the risks already identified for the
process or sub-processes.
Analyze these risks with respect to the business objectives, process objectives and
critical success factors to determine whether any further high-level risks may exist.
Identify Additional Risks
Using your understanding (process flow diagrams or narrative notes), specifically the
inputs, outputs, key transformations, how IT enables the process and how people enable
the process, identify what risks could cause the objectives not to be achieved, by asking:
What will prevent achievement of the objectives, or what must go right?
What can go wrong which could prevent the process or area under review from
achieving the business requirements?
Could any external events affect the process?
4.3.2 Assess Risks


After identifying the most significant risks, we must assess the risks to help us focus on
identifying controls for the higher risk areas. To do this, we consider both the impact and
likelihood of the risk arising to help us prioritize the controls which will be identified and
reviewed.
For example, if the control objective is to ensure continuous service that satisfies the
business requirement, we may have identified unavailability of computer systems due to
damage by fire as a risk. For most organizations, the impact of a fire in the computer
facilities will be high, as the business could be seriously damaged. The likelihood
of a fire, however, will be low.
Due to the high impact of the risk, we may assess the overall risk as high. Therefore, we
will want to prioritize our work to ensure we identify and evaluate the controls which
help reduce the likelihood of the risk, as well as the recoverability controls in place in the
event the risk occurs. Once we have assessed the risks identified, it is important to
discuss and agree these with management.
4.3.3 Agree Risk Assessment With Management
Depending on the size of the engagement and the depth of the identification of risks, we
may want to consider agreeing the existence of the risks identified and our assessment of
each risk with management.
Agree Risks Identified
Discuss with management, or arrange for management to review, each of the risks
identified and obtain agreement that the risk exists. Where management disagree with the
risk, draw their attention to our process understanding and explain the logic for deriving
the risk.
Agree Risk Assessment
Discuss and outline inherent risk, e.g. the worst possible impact and likelihood of the
risk, irrespective of any control that management may have.
Walk through each risk, discussing the rationale for the likelihood and impact selection,
and get management's agreement.
Listen very carefully and assess any differences of opinion that management may have
regarding the risk. Where our assessment is incorrect, based on management's
argument, adjust the assessment accordingly.
Activity 4.4 Control Identification and Evaluation
4.4.1 Identify Controls
Management incorporates into its processes various control and monitoring activities
designed to manage risks, to ensure that objectives are achieved and to alert it to areas
where it is in danger of not achieving its objectives. Our objective is to
identify the controls in place over the identified risks (as appropriate).
We may have already identified the controls in place in previous activities. For example,
during Activity 2 - Understand the IT Audit Areas we may have already documented
controls in place. If further information is needed, additional walkthroughs may be
necessary to ensure that controls have been identified. To perform a walkthrough, we
would follow a transaction or control through the process to ensure that our
understanding as to the intended functioning of the control procedure is correct and
document the process and results. At this point, we may want to meet with the
appropriate process owners to confirm the completeness and our understanding of the
key controls.
The information we gain about controls during our inquiries of client personnel should
be detailed enough to enable us to identify the controls, understand how the various
controls are performed, who performs them, and what data, reports, files, or other
material are used in performing them. Furthermore, we determine what physical
evidence, if any, is produced as a result of performing the controls and what the best
method is for testing the controls. Once we have identified the controls, any required
testing of the effectiveness of the procedures can begin.
4.4.2 Evaluate Effectiveness of Controls
Evaluate Individual Controls
From our understanding and/or walkthroughs, we may have enough information to
initially evaluate the individual controls. Therefore, before performing additional tests of
controls, we evaluate whether the process and related controls identified are likely to be
effective in achieving the relevant objectives. Consider each risk in turn and evaluate
each control that has been identified as mitigating the risk. Consider the effectiveness of
the control in respect of the likelihood or impact of the risk:
Does the control prevent or detect the risk?
What is the nature (manual or IT) of the control?
Is the control effective, and if it were the only control operating, would it
mitigate the risk in its own right?
Is the control effective, but only when it operates in conjunction with other
controls?
Is the control ineffective at mitigating the risk?
Evaluate Combination of Controls Over Each Risk
Having identified and evaluated individual control effectiveness, consider how effective
the combination of controls is over each risk. This is achieved by considering the mix of
controls, their respective effectiveness, type and nature. Attempt to identify any scenarios
where the risk could occur, even if the controls operate effectively.
Optimal Control Mix
Even if the controls are effective, they may not be the most efficient or effective controls
possible. View the controls over the risks to consider if a more efficient and effective
way of providing the same (or better) coverage over the risk exists.
4.4.3 Raise Issues and Agree with Management
In making our preliminary evaluation, we may identify certain weaknesses in the design
of controls that we should bring to management's attention. Even though we may
identify additional issues regarding the operation of controls in Activity 5 - Design
Testing Strategy and Perform Tests, we may bring issues to management's attention as
they are identified. To facilitate this communication, we may use an Issue Summary
template (see example at Appendix E-5) to document the issue, develop our
recommendation to improve the design of the control, and communicate the issue to
management for follow-up and corrective action.
We also need to consider communicating issues to the integrated audit team, specifically
the external audit team when issues may impact our evaluation of risk and controls
related to the financial audit. However, client management should be consulted prior to
any communication of issues to the financial or external audit team.
Activity 4.5 Design Testing Strategy and Perform Tests
4.5.1 Develop Audit Program
Depending on the scope of the audit engagement and our evaluation of the effectiveness
of controls, we may need to design and perform tests of operating effectiveness. If we
will be designing tests of controls, it is important to develop an audit program to ensure
that we are evaluating the controls which we preliminarily evaluated as effective over the
significant risks and that we perform the most efficient and effective tests. The audit
program will also outline the specific tasks and give guidance to all members of the
engagement team. Specific workplans can be found within the ISAAS Workbench - ISAAS
International Knowledge Network which can be customized depending on the client and
scope of the engagement.
Determine Which Controls to Test
In Activity 4 - Control Identification and Evaluation, we already evaluated the
effectiveness of controls at mitigating risk. Judgment is required when determining
which controls to test. If a control is preliminarily deemed effective at mitigating risks,
then the only factor that would cause a control not to be tested is whether the risk is
considered insignificant. Typically controls over low significance risks will not be tested.
Ineffective controls are also typically not tested. Even though we are not testing
ineffective controls, we will want to ensure we have all relevant information regarding
the process to provide meaningful client service recommendations. Therefore, additional
conversations may need to occur with the client to ensure all mitigating controls have
been identified and that our understanding of the control procedures is appropriate.
If we are performing an integrated audit, external audit requirements will also impact
which controls we need to test. During Stage 1 - Co-Develop Expectations, and
throughout the engagement, we should communicate with the external audit team
regarding their control identification, evaluation and testing needs.
Nature of the Tests
Determine the most efficient and effective technique to apply in our testing. Inquiry is
usually not a sufficient test of a control and must be accompanied by an additional type
of testing.
The following matrix briefly describes the types of tests we perform:

| Type of Testing | Explanation | Advantages | Disadvantages |
|---|---|---|---|
| Re-performance | Re-performing the actual control procedure to compare our results with the client results obtained and actions taken by management. | Precision. | Time-consuming and, unless errors are discovered which were not detected by management, does not necessarily produce high quality evidence. |
| Verification | Tracing items to source documentation for evidence of control operation. | Can be focused onto potential problem areas. | May be difficult to obtain independent and reliable evidence. |
| Observation | Observing the operation of a control. This is particularly important where there is no permanent record of activities. | Direct evidence of the operation of control procedures is obtained. | Based on a single point in time and may not be representative, as the control may be applied more rigorously for the auditor's benefit. |
| Inquiry | Discussing through corroborative inquiry how the control is performed, who performs the control, and what procedures are in place to ensure the control operates effectively. | Tests the understanding of the individuals who perform the control. | Little supporting evidence produced. |
| Analytic Procedures | Data interrogation techniques can be used very effectively for large volumes of transactions or data. | Often more efficient than re-performance and verification. Can cover entire population. | May be difficult to obtain correct data and time consuming to create necessary analysis. |

The audit program should be reviewed by the engagement manager prior to
commencement of the testing.
4.5.2 Execute Tests
Our tests should be executed in accordance with the defined Audit Program. The
objective of each test is to determine that the control operates as understood. It is crucial
when testing the control to continually challenge - could the risk arise, with this control
operating as the test indicates? When performing each test, ensure that sufficient and
reliable evidence is obtained that the controls have operated efficiently and effectively.
Control Exceptions or Failures:

Situations may arise in the testing that indicate the control being tested did not operate as
intended. There are three steps to deal with control exceptions:
Step 1 - Understand the Nature of the Control Exception
Discuss the control failure with the person who performed the control or with
management of the process to understand the nature of the failure:
Is the failure factually accurate?
Is it isolated or recurring?
Does it apply to the entire population or a particular subset?
Does it apply to a particular period of time?
Is the failure one of performance or documentation?
Step 2 - Extend Testing
Typically the control sample should not be extended, other than to verify the
explanation provided when following up the failures with the client. There may also
be value in extending the control sample to determine the impact of the failure.
Step 3 - Consider any Compensating Controls to Address the Risks
Revisit each risk that the control operates over and identify if other controls will
compensate for the control failure. If there are compensating controls that provide
coverage of the risk, consider performing some control testing of these controls.
4.5.3 Evaluate Results
Having completed the control testing, conclude as to whether the control operates
effectively in respect of each risk that the control mitigates.
4.5.4 Communicate Issues
We previously co-developed expectations with the client and outlined the communication
protocols. One of the topics which should have been determined is the process of
communicating any issues found. We need to ensure we properly document and present
issues to management based upon their expectations.
Issue Summary
Where controls are tested and exceptions or testing failures were found, an Issue
Summary should be developed and discussed with appropriate client personnel. The
discussions are critical to ensure confirmation of factual accuracy of the issues. This also
ensures that the client communicated all mitigating controls for each risk. See an
example Issues Summary in Appendix E-5.
Present Issues to Management
Issues identified should be presented to management, for example through a meeting.
Where there is a disagreement regarding factual accuracy, the conversation should center
around the risk and whether there are any other controls in place over the risks, that may
have been missed. As part of our final deliverable, we will develop the issues into
recommendations for management to consider.
We also need to consider communicating issues to the integrated audit team, specifically
the external audit team when issues may impact our evaluation of risk and controls
related to the financial audit. However, client management should be consulted prior to
any communication of issues to the financial or external audit team.
Activity 4.6 Conclude and Report
4.6.1 Perform final working paper review
The final working paper review is critical to the preparation of a quality audit report. The
review is used to determine if the working papers were prepared in accordance with
ISAAS Policies and Procedures and AICPA Consulting Standards, and if they support
the scope of the audit, the work performed, and the conclusions of the audit.
Although working papers are reviewed throughout the project, a final working paper
review should be performed. The workpaper review must be performed by, at a
minimum, the Manager on the engagement. (See further discussion of working paper
review standards in the ISAAS Policies and Procedures Workbench in Lotus Notes.) The
purpose of the final working paper review is to determine that:
the work performed was in accordance with the scope as defined in the Letter of
Understanding and detailed in the audit program;
the scope of our internal audit work is sufficient to support the audit report;
the internal audit work has been performed in accordance with professional and
firm standards;
the significant judgments and conclusions for the audit were appropriate;
the work performed, the results, and conclusions are adequately documented;
the work performed, the results, and conclusions support the findings and
recommendations included in the audit report.
Evidence of this review is documented on the Review and Approval Summary for
Consulting Engagements. This form and discussion on working paper review
requirements can be obtained in the ISAAS Policies and Procedures Workbench.
4.6.2 Draft report of findings and recommendations
Based on the results of procedures performed and as documented in the Issues Summary,
we draft an appropriate report of our findings and recommendations. Our findings and
recommendations report typically includes the following:
Finding(s)
Background information as to the finding (optional)
Impact or risk of the finding(s)
Recommendation(s), including proposed corrective action or improvement agenda
Issues for implementing the recommendation (optional)
Benefits to be derived from implementing the recommendation
Management response (optional)
The format of the report should follow the expectations co-developed with the client
prior to the engagement. Sample reports can be found in the ISAAS Knowledge
Network.
4.6.3 Conduct closing meeting with the client


We meet with the client to discuss the results of the audit project as well as the draft
report. This closing meeting provides us with an opportunity to demonstrate to the
auditable unit's management the value we provided while performing our audit.
4.6.4 Issue final report
We incorporate any mutually agreed changes to the report resulting from the closing
meeting. We issue our final report to client management based upon the communication
protocols established in Stage 1 - Co-Develop Client Expectations. For integrated audits,
we make our final reports available to the external audit team for information and
coordination purposes.
4.6.5 Obtain Client Satisfaction Feedback
We assess the client's perception of the quality of our services by obtaining formal and
informal feedback on our work. Obtaining immediate feedback regarding whether we
met expectations is important in helping us assess areas where we have met or exceeded
client expectations, as well as areas where we may need to improve. If we use a formal
client satisfaction survey, it ordinarily should be short and easy to complete and be
quantitative in nature so that we can consistently measure our overall performance. See
an example feedback template at Appendix E-6.
4.6.6 Update the Risk Assessment
Based on the results of the audit project, we update the risk assessment of the applicable
auditable unit and/or process initially made in Stage 2 - Risk Assessment. In updating the
risk assessment, we consider the results of the audit and their effect on subsequent risk
assessments. We also consider what effects, if any, the results have on the external audit
considerations. For integrated audits, appropriate documentation and reports should be
distributed to the external audit engagement team.
4.6.7 Perform Project Administration
At the end of each project, the project manager is responsible for completing certain
project administration tasks. These include, but may not be limited to:
Performing a budget to actual analysis for the individual project with an
explanation of any overruns.
Ensuring that the workpapers are complete, and review comments have been
removed and that workpapers are appropriately logged and filed.
Ensuring that any overall status reports or issue tracking mechanisms in place are
appropriately updated.
Ensuring staff receive performance reviews.
Stage 5: Communicate Results


Introduction
During Stage 1 - Co-Develop Client Expectations, we agree on protocols for
communicating our audit results to client management responsible for the IT internal
audit function, executive management and the Audit Committee. On larger engagements,
we may meet the Audit Committee periodically. At a minimum, executive management
must formally approve the Risk Assessment (Stage 2) and Annual Audit Plan (Stage 3)
prior to executing a substantial portion of the audit plan.
Throughout the year, we communicate the status of executing the audit plan and a
summary of the results of our audit projects, including significant findings. We use our
value scorecard to communicate the value provided to the client in performing our audits.

Summary of Stage 5 Work Activities


5.1 Understand communication protocols agreed with executive management and the
audit committee during the co-develop client expectations meeting.
5.2 Prepare for executive management/audit committee meetings.
5.3 Communicate results to executive management/audit committee, including the value
we have delivered.
5.4 Complete the relevant quality control procedures to be performed at least annually
(if any).
5.5 Complete billing procedures.

Stage 5 Activities
Activity 5.1 Understand Communication Protocols
The type and frequency of communication with executive management and the Audit
Committee is developed during Stage 1 - Co-Develop Client Expectations. The following
is a list of considerations, along with suggested timing, for meeting with executive
management and the Audit Committee:
We typically meet with executive management and the Audit Committee
periodically throughout the year, along with client management responsible for the
internal audit function, to report on the status of our work and to communicate
significant findings.
Client Service Charter (Stage 1) - We discuss client expectations at least annually
at the FY Q1 meeting.
Risk Assessment (Stage 2) - We review the annual risk assessment of the
organization, which is the basis for establishing the annual audit plan (typically
FY Q3 meeting for the following year's audit plan).
Annual Audit Plan (Stage 3) - We assist client management responsible for the
internal audit function in obtaining formal approval of the audit plan annually
(typically FY Q4 meeting for the following year's annual audit plan). On a
quarterly basis, any significant changes to the annual audit plan are reviewed and
approved by executive management and the Audit Committee.
Status of Audit Plan - We review the status/completion of the annual audit plan at
each meeting.
Summary of Audit Results - We provide executive management and the Audit
Committee a summary of our significant audit findings. We agree with the client
the type of summary findings and recommendations they would like us to prepare,
as well as any other desired special communications.
Value Scorecard - We present our value scorecard to communicate the value we
have provided to the client through our services. Possible categories of value
include: idea generation, project assistance, revenue enhancements, cost savings,
and time savings. A sample Value Scorecard template is included in Appendix B
and is provided electronically in the IAS PowerPack.
Activity 5.2 Prepare for Executive Management/Audit Committee Meetings
In order to increase the effectiveness of meetings with executive management and the
Audit Committee, we need to be well prepared to meet our client's expectations.
Although the agenda for these meetings is agreed with the client, a sample Audit
Committee calendar documenting various discussion topics for quarterly meetings is
included in Appendix F. Due to the importance of these meetings, we should plan and
budget for adequate preparation time. In some situations, we need to perform a
significant number of activities prior to the meeting, such as sending meeting
notifications, making meeting arrangements, gathering presentation handouts from other
meeting participants, preparing our own materials and distributing these materials in
advance of the meeting.
Preparing for the Audit Committee requires direct participation of executives and
coordination with client management responsible for the internal audit function. In
addition, we ordinarily provide the appropriate client executive management with a copy
of our presentation materials prior to distributing them to the Audit Committee.
Activity 5.3 Communicate Results
We meet to present and discuss the material described in principal Activity 1 with
executive management and the Audit Committee on a periodic basis. The executives
attending the meetings with executive management and the Audit Committee should be
familiar with our audit results and be prepared to answer questions regarding the scope of
our work, our findings and recommendations. Ordinarily, we also discuss the value we
have provided, as documented in our Value Scorecard.
We should be responsive in following up on client requests coming out of the Audit
Committee meeting and request them to provide suggestions for future meeting
presentation topics.
Activity 5.4 Complete the Relevant Quality Control Procedures


We complete the applicable quality control procedures described by the Internal Audit
Services Policies and Procedures Manual and the ISAAS Policies and Procedures
Workbench, if any.
Activity 5.5 Complete Billing Procedures
During Stage 1 - Co-Develop Expectations, we discussed fee and billing arrangements
with executive management. For example, for some fixed-fee arrangements, the client
may request even billing throughout the year, while others may request billing on a
percentage of completion basis. Regardless of the billing method, we should prepare and
submit the bills on a timely basis to ensure that we are properly managing cash flow and
our receivables balance.
Appendix A-1 IT Internal Audit Services Project Routemap

Major Stages & Activities with Deliverables

Stage: Co-develop Expectations with Client
Activities:
Understand the client's needs
Understand the client's business at a high level
Determine the scope of the engagement and risk assessment methodology
Determine deliverables and obtain agreement from the client
Develop fee estimation and define client billing procedures
Deliverables*:
Strategy Memorandum
Fee estimation for risk assessment
Letter of Understanding
Client Assistance Listing
Relationship and communication protocols
Value Scorecard

Stage: Conduct Risk Assessment
Activities:
Plan the risk assessment
Understand the client's business goals, strategies, and critical success factors
Develop understanding of the mega and major business processes
Develop understanding of IT resources and related IT processes
Validate our understanding of IT and risk
Deliverables*:
Summary of business goals, objectives and mega and major processes
Summary of how IT supports the business
High-level IT Process documentation
Risk Assessment

Stage: Prepare Annual IT Audit Plan
Activities:
Understand management's audit coverage expectations
Prioritize audits
Understand engagement economics
Agree audit plan with client
Deliverables*:
Plan of resources / skill sets needed
Summary of areas to be audited
Preliminary budget
Preliminary timeline

Stage: Execute Audit Plan
Activities:
Scope the IT audit project
Understand the IT audit areas
Identify and assess risks
Identify and evaluate controls
Design testing strategy and perform tests
Conclude and report
Deliverables*:
Scope document
Detailed project plans
Detailed documentation
Detailed findings and recommendations reports
Client satisfaction feedback

Stage: Communicate Results
Activities:
Understand communication protocols
Prepare for meeting with Executive Management or Audit Committee
Meet with Executive Management or Audit Committee
Complete relevant quality control procedures
Deliverables*:
Summary reports to Executive Management or Audit Committee

* NOTE: Internal deliverables are in italics; all others are external.

Privileged and Confidential.
No part of this may be reproduced or transmitted
without permission of Ernst & Young LLP.

Appendix A-2 IT Risk Assessment Framework


Overview
The purpose of this appendix is to explain the elements of Ernst & Young's IT Risk
Assessment Framework. This appendix should be used as a reference tool in executing
the IT Internal Audit Services Methodology, particularly Stage 2 - Conduct the Risk
Assessment.
As noted in Stage 2 - Conduct Risk Assessment, risk management and risk assessments
are based not only on the control objectives of a company, but also on the business
objectives. Therefore, our IT Risk Assessment approach includes the following key
elements:
Understanding the business, the business process requirements and the business
impact of IT (Stage 2, Activities 2&3)
Understanding how and what IT resources have been implemented to support the
business processes (Stage 2, Activity 3)
Understanding how the IT processes are implemented to manage the IT resources
(Stage 2, Activity 4)
This approach can be summarized in the following diagram:

Our methodology combines the three elements of an IT risk assessment within the
delivery concepts of CobIT. The risk assessment approach includes a business
requirements assessment, to assess the overall business risk environment, along with an
IT resource and IT process assessment. The IT resources and processes are then mapped
to the business processes, so that the auditor can combine IT and business processes to a
single view. Based on the results of the assessments and experienced auditor judgment, a
risk assessment is completed. The risk assessment is then leveraged into Stage 3 - Prepare the Annual IT Audit Plan.
What are Business Goals & Objectives?


Management establishes goals for a business or business unit(s) to satisfy its key
stakeholders' influences. Examples of goals include:
Earning high returns for its investors.
Increasing value for its shareholders.
Delivering quality and value to its customers.
Developing productive relationships with its suppliers.
Providing a secure and rewarding environment for employees and management.
Earning the respect of the community in which it operates.
Goals are multi-faceted and may not be easily quantifiable. To be effective, many clients
translate their goals into a set of objectives that are specific, measurable, and attainable
over a realistic period of time. The business objectives depend on the markets in which
it operates and other environmental factors, in addition to stakeholders influences.
(Diagram: Goals are translated into Business Objectives that are Specific, Measurable,
Attainable, Realistic and Timely.)
What are Business Strategies?
After defining goals and objectives, management generally develops and implements a
strategic plan to achieve them. A successful strategic plan helps to realize significant
opportunities for the business. Strategies are generally built around an understanding of
the markets in which the client operates and its competitive position in those markets, as
well as an understanding of the effect of the client's key stakeholders on the business
and other environmental factors.
Strategies may not be the result of a formal process and may not be summarized in
written plans or other documents. Even in the smallest companies, however,
management generally knows the results the client is trying to achieve (i.e., its
objectives) and how it plans to achieve them (i.e., its strategy).
There are a number of alternative strategies a client can adopt to achieve a given
objective. For example, if the objective is to enter a new market within a specified time
period, alternative strategies to achieve this objective include the acquisition of existing
companies, the formation of joint ventures, or the establishment of new production
facilities.


What are Critical Success Factors?


For each of the client's important business strategies, we consider whether the client has
identified the key results that must be achieved if the strategy is to be successfully
implemented. We call these key results critical success factors.
Gaining an understanding of the critical success factors will enable us to later identify
the client's critical business processes (i.e., those business processes that have the
greatest effect on the client's business results or on attaining the critical success factors).
This will enable us to focus our work on the critical business processes and the IT that
supports them. This helps us determine whether IT is aligned with the business and forms one
of the inputs to confirming which IT sub-processes are most important to the business.
Market and Environmental Factors
The market and business environments in which the entity operates significantly affect
business risk. By understanding how the client operates within its markets and how
significant market forces and other environmental factors affect its business, we are
better able to identify and respond to the business risks and the associated IT risks.
Market forces include competitors, customers, and suppliers. Other environmental
factors consist of, among other things, capital markets, laws and regulatory
requirements, accounting practices and reporting obligations, and social, economic, and
political considerations.
The purpose of understanding the market and environmental factors is to:
Identify and understand those market forces and other environmental factors that
may have a significant effect on the client's business and IT risks.
Consider how these market forces and other environmental factors affect the
relative importance of the IT sub-processes.
Our focus of attention and the extent of our efforts in gaining an understanding of the
client's market forces and other environmental factors differ depending on the client's
industry and size, and other factors (e.g., its position in the market). For example, for a
client in the computer hardware manufacturing business, we may be more concerned
with its competitors' and suppliers' technological advances, whereas for a financial
institution, we may be more concerned with trends in the capital markets.
What are Business Processes?
An entity designs and implements business processes to execute its strategies.
Mega processes are defined as the highest level processes identified by an organization
and usually consist of four to six processes that form the core operations of the business.
Major business processes are defined as sub-divisions of a mega process that represent a
collection of sub-processes. Together, the major processes carry out the complete
processing of the mega process.

(Diagram: process hierarchy. A Mega process is broken down into Major processes, each
Major process into Sub-processes, and each Sub-process into Activities.)

What are Key Business Processes?


Key business processes are those major business processes that relate directly to the
achievement of the client's critical success factors (i.e., those business processes that
have the greatest effect on the client's business results).
Our identification of the client's key business processes is based on our understanding
of the client's business and our professional judgment, confirmed by discussions with
the client's key management. A process is key if its objectives and/or outputs are directly
related to the achievement of a critical success factor. On the other hand, a process
would not be classified as a key business process if the objectives of the process do
not directly relate to the achievement of the critical success factors.
Business Information Requirements and Potential Business Impact of IT
As noted above, our IT risk assessment framework is business process focused.
Therefore, in order to perform an effective IT risk assessment and design an IT audit
plan which provides the most value to the business, we must understand the business
requirements of IT. In general, business requirements can be classified into five
categories:
Availability
Confidentiality
Integrity
Effectiveness
Efficiency
Each of the five business information requirement categories is used to classify and
assess the business requirements. Management must assess the potential risks to
these requirements in order to develop an adequate plan to mitigate or monitor the risk elements.
The five information requirement categories within our model are defined as follows:

Availability: Information is available when required by the business process,
now and in the future. It also relates to the safeguarding of
necessary resources and associated capabilities. Resource
availability includes all IT resources as defined below: people, data,
applications, system software, hardware and facilities.

Confidentiality: Sensitive information is protected from unauthorized disclosure.
This includes security design, application access control design,
internal and external access and influences, regulatory
requirements and knowledge sharing.

Integrity: Information is accurate and complete as well as valid in
accordance with business values and expectations. The integrity of
information includes an assessment of the origination of
information and the final management and use of the
information as it relates to the financial, operational and
regulatory compliance of an organization.

Effectiveness: Information is relevant and pertinent to the business process as
well as delivered in a timely, correct, consistent and usable
manner. The effectiveness of an IT process must include
elements of the organizational role of the IT department within the
entity, the management structure in the conduct of business,
policies and procedural guidance, and change management.

Efficiency: Information is provided through the optimal use of resources, both
IT and the organization as a whole. This includes how the
organization leverages the business processes and how closely
the IT strategic plan is aligned with the entity's overall business
plan.

IT Risks
For each of the business information requirement categories, there are several factors
which may affect the ability to meet the business needs, i.e., these are the risks, or
potential "what can go wrong" factors, for each business information requirement
category. This next section summarizes the IT risk components for each business
requirement category. It is not meant to be all-encompassing, but rather a framework to
work from in completing a risk assessment. Industry variables, changing technology and
the use, implementation and integration of technology into an entity's business
processes can affect the classification of the IT risk components by category or extend
the content of the components. IT risks are characterized as follows:
Business Information Requirement: Availability
Potential IT Risk Components:
Hardware Stability
Operating System Stability
Application Stability
External Factors, i.e. Telecommunications, Environment
Network Stability
Overall system uptime/downtime
Throughput
Capacity
Accessibility
Infrastructure Design
Business Continuity Plan

Business Information Requirement: Confidentiality
Potential IT Risk Components:
Security Design
Regulatory Requirements
Security/Penetration
Firewalls
Web Security
Encryption
VPN
Application Security Controls / User Profiles
Knowledge Sharing
E-mail Provisions
Security Policies & Procedures

Business Information Requirement: Integrity
Potential IT Risk Components:
Unauthorized access
Employee empowerment
Application functionality and controls
Operational controls
Segregation of Duties
Inappropriate decision making tools

Business Information Requirement: Effectiveness
Potential IT Risk Components:
Successful in supporting business requirements (from management's view)
Adequate capital structure
Proper skillsets

Business Information Requirement: Efficiency
Potential IT Risk Components:
Timeliness
Cost/Benefit Effective
Optimal use of resources

We consider the IT risk components in performing the IT Risk Assessment, prioritizing
the Audit Plan and executing the Audit Plan.
Definition of IT Resources
IT resources are all the data, applications, technology, facilities and people which have
been implemented to meet the business requirements. The resources are managed by the
IT processes (see later discussion of IT processes), and should be designed to actively
reduce, monitor and mitigate the IT risks as they relate to the business.
The IT resources are integrated into the IT processes and business processes. The five
categories of IT resources are:

Data: Objects in their widest sense (i.e., external and internal),
structured and non-structured, graphics, sound, etc.

Application Systems: Application systems are the sum of manual and
programmed procedures integrated into the business
which enable business processes.

Technology: Technology includes hardware, operating systems,
database management systems, networking, multimedia,
etc.

Facilities: All resources to house and support information systems.

People: People include staff skills, awareness and productivity to
plan, organize, acquire, deliver, train, support and
monitor information systems and services.

The dependency on the IT resources within the risk/control paradigm of meeting
business requirements can also be illustrated as:
(Diagram: Business Objectives, Business Opportunities, External Requirements,
Regulations and Risks generate Events. The Information produced from those events must
meet the Effectiveness, Efficiency, Confidentiality, Integrity and Availability
requirements. The IT resources (Data, Application Systems, Technology, Facilities and
People) turn the input message into the output service.)

IT Processes
The five business information requirement categories are the general structure used to
classify the IT-related business risks identified in our understanding of an entity. We
then gain an understanding of the processes that IT management has put in place to
manage the IT resources and mitigate risk to the business requirements, e.g., what
processes has management implemented to ensure data and application availability?
To assist us in understanding the client's IT processes and how they are implemented to
support IT resources in meeting the business requirements, E&Y has developed the
Information Technology Process Model: A Major Process View. This view supports
the definition of how an IT department is organized and how its working structure is
defined to meet the business demands of the entity.

(Diagram: Information Technology Process Model, Major Process View. The major IT
processes are Planning the IT Environment, Developing and Delivering IT Solutions and
Operating the IT Environment, with Organizing and Monitoring IT Processes managing
the three. They act on the IT resources (People, Data, Applications, Technology,
Facilities) to meet the Business Information Requirements of Effectiveness, Efficiency,
Confidentiality, Integrity and Availability.)

This is more simply illustrated as follows:

The major IT processes are:

Planning the IT Environment: The objective of this major IT process is to ensure that the
entity's IT plans are properly aligned with its goals,
objectives, and strategies. A proper alignment directs the
deployment of resources and the delivery of services to
enable an organization to capitalize on the business
advantages of IT.

Developing and Delivering IT Solutions: The objective of this major IT process is to acquire, develop,
deliver, and maintain new or enhanced business solutions
involving the IT architecture (i.e., hardware, software,
communications, and information) to enable the organization
to meet its changing business requirements. This process
typically includes such client activities as defining and
analyzing the requirements for projects, determining the
approach to meeting those requirements, and implementing
the selected approach.

Operating the IT Environment: The objective of this major IT process is to provide and
maintain the operation of the IT environment while ensuring
the availability, confidentiality, and integrity of information
systems to meet the business requirements. In some cases,
we may find that certain aspects of the IT environment are
operated by individuals who are not part of the formal IT
organization. For example, we may find that individuals in
user departments have responsibility for a local area network
that processes or controls access to applications. This process
may have business risk implications, such as those involving
the client's backup and recovery procedures, systems
documentation, and business continuity plans.

Organizing and Monitoring IT Processes: The objective of this major IT process is to manage the three
preceding major processes. This major IT process monitors
the overall IT resources and priorities to ensure alignment
with IT strategies and to optimize the entity's return on its IT
investment. This major IT process could have important
business risk implications, such as those involving the
processes the client uses to ensure IT personnel have
adequate skills to respond to rapidly changing environments.

Each of the IT process categories contains many sub-processes that support or describe
the major process. For purposes of this methodology, we are using the 34 IT process
areas defined by COBIT as a framework, because it is the most widely accepted
framework for IT processes. These 34 IT processes are grouped under the four (4)
major IT areas as defined in other E&Y methodologies. We do not intend this
methodology to be a vehicle by which we sell COBIT, or to recommend its use to
the client over any other framework. Accordingly, other frameworks and guidance
may also be appropriate for the particular IT Internal Audit Services engagement.
Those frameworks, whether of another firm or of the organization for whom we are
performing IT process work, may be substituted for the references to and use of the
COBIT framework. If that approach is adopted by the engagement team, one of the
first steps in scoping the engagement should be to determine the IT process framework
used by the client (if any) and the extent to which the client would prefer that we
use that framework rather than COBIT. IT processes are characterized as follows:
Category: Planning the IT Environment
Sub-components (Characteristics):
IT Strategic Planning
Information Architecture
Technological Direction
IT Organization & Relationships
Management of IT Investment
Communication of the Strategy
Management of Human Resources
Compliance with External Requirements
Assessment of Risks
Management of Projects
Quality Management

Category: Developing and Delivering IT Solutions
Sub-components (Characteristics):
Identifying Appropriate Technology Solutions
Acquiring & Maintaining Software
Acquiring & Maintaining Technology Architecture
Developing and Maintaining IT Procedures
Install and Accredit Systems
Manage Changes

Category: Operating the IT Environment
Sub-components (Characteristics):
Define Service Levels
Manage Third-party Services
Manage Performance and Capacity
Ensure Continuous Service
Ensure Systems Security
Identify and Attribute Costs
Educate & Train Users
Assist & Advise IT Customers
Manage the Configuration
Manage Problems & Incidents
Manage Data
Manage Facilities
Manage Operations

Category: Organizing and Monitoring IT Processes
Sub-components (Characteristics):
Monitor the Three Major Processes
Assess Internal Control Adequacy
Obtain Independent Assurance
Provide for an Independent Audit or Quality Assurance Process

We should then identify the process owner(s) of the major IT processes. The process
owner(s) usually can be readily identified through inquiries of senior management, the
senior IT executives, or the business process owners, or through observation of the
functioning of the major IT processes. We obtain a high-level understanding of the
client's major IT processes through discussions with the IT process owners. As part of
gaining our high-level understanding of these processes, we ordinarily gain some
understanding of the controls related to the IT processes. We discuss with the process
owners how they manage the processes and how they identify risks relative to the
achievement of the business goals, objectives, and strategies (i.e., business risks). We
also discuss how they ensure IT supports the major business processes' financial
reporting, operations, and compliance objectives. For entities in which these processes
are not centralized, we determine which process owners to include in our discussions.
We may identify significant business risks based upon our discussions with the IT
process owners, and if we do, we consider these risks. For example, an entity's IT
strategies may be significantly out of alignment with its business strategies, resulting in a
risk that the company's IT infrastructure cannot support the future processing
requirements resulting from the business's planned growth.
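The assessment elements described in this appendix (key business processes tied to critical success factors, the IT resources mapped to them, inherent risk rated against the five business information requirement categories, and the control understanding obtained from the process owners) can be combined into a repeatable ranking that feeds Stage 3. The following script is an added worked example and is not part of the toolkit: the weights, the scoring formula, the greedy plan allocation and the insurance-style sample data (process names, systems, ratings, hours) are all constructed assumptions.

```python
"""Risk-based ranking of an IT audit universe, following the appendix's framework.

Constructed example: the processes, systems, weights, ratings and hours below are
assumptions made for illustration, not data or formulas from the toolkit.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The five business information requirement categories from the framework.
REQUIREMENTS = ("availability", "confidentiality", "integrity",
                "effectiveness", "efficiency")

# Assumed relative weights; an engagement team would agree these with management
# in Stage 2 (integrity weighted up for a financial-reporting-heavy client).
DEFAULT_WEIGHTS = {"availability": 1.0, "confidentiality": 1.0, "integrity": 1.5,
                   "effectiveness": 0.75, "efficiency": 0.75}


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    key: bool                   # True if it relates directly to a critical success factor
    systems: Tuple[str, ...]    # IT resources the process depends on


@dataclass(frozen=True)
class AuditableArea:
    name: str                   # an IT resource or IT process in the audit universe
    risk: Dict[str, int]        # requirement -> inherent risk rating, 1 (low) to 5 (high)
    control_strength: int       # 1 (weak) to 5 (strong), from process-owner discussions
    years_since_audit: int      # coverage gap; 0 means audited in the current cycle


def inherent_risk(area: AuditableArea, weights: Dict[str, float] = DEFAULT_WEIGHTS) -> float:
    """Weighted sum of the area's ratings across the five requirement categories."""
    missing = set(REQUIREMENTS) - set(area.risk)
    if missing:
        raise ValueError(f"{area.name}: no rating for {sorted(missing)}")
    for req in REQUIREMENTS:
        if not 1 <= area.risk[req] <= 5:
            raise ValueError(f"{area.name}: rating for {req} must be 1..5")
    return sum(weights[req] * area.risk[req] for req in REQUIREMENTS)


def business_impact(area: AuditableArea, processes: List[BusinessProcess]) -> float:
    """Map the area back to the business processes it supports: a key process
    counts double; an area that supports nothing still gets a floor of 1."""
    impact = sum(2.0 if p.key else 1.0 for p in processes if area.name in p.systems)
    return max(impact, 1.0)


def residual_score(area: AuditableArea, processes: List[BusinessProcess],
                   weights: Dict[str, float] = DEFAULT_WEIGHTS) -> float:
    """Inherent risk x business impact x coverage gap, scaled down by control strength.
    The aging factor is capped so a long-unaudited but low-risk area cannot dominate."""
    if not 1 <= area.control_strength <= 5:
        raise ValueError(f"{area.name}: control strength must be 1..5")
    coverage = 1.0 + 0.25 * min(area.years_since_audit, 4)
    score = inherent_risk(area, weights) * business_impact(area, processes) * coverage
    return round(score / area.control_strength, 2)


def rank_universe(areas, processes, weights=DEFAULT_WEIGHTS) -> List[Tuple[str, float]]:
    """Return (area, score) pairs, highest residual risk first; ties broken by name."""
    scored = [(a.name, residual_score(a, processes, weights)) for a in areas]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def annual_plan(ranked, hours_per_area: Dict[str, int], budget_hours: int):
    """Greedy Stage 3 plan: take areas in rank order while they fit the hours budget;
    anything that does not fit is deferred (and reported) rather than silently dropped."""
    plan, deferred, remaining = [], [], budget_hours
    for name, _score in ranked:
        if hours_per_area[name] <= remaining:
            plan.append(name)
            remaining -= hours_per_area[name]
        else:
            deferred.append(name)
    return plan, deferred


# Constructed sample data for a small life insurer, in the spirit of the memorandum.
PROCESSES = [
    BusinessProcess("Claims", True, ("claims_app", "policy_admin", "corporate_network")),
    BusinessProcess("Policy Service", True, ("policy_admin", "corporate_network")),
    BusinessProcess("Underwriting", True, ("policy_admin", "data_warehouse")),
    BusinessProcess("Marketing", False, ("data_warehouse", "email")),
]


def ratings(a, c, i, ef, ey):
    return dict(zip(REQUIREMENTS, (a, c, i, ef, ey)))


AREAS = [
    AuditableArea("policy_admin", ratings(4, 4, 5, 3, 3), control_strength=3, years_since_audit=1),
    AuditableArea("claims_app", ratings(4, 3, 5, 3, 3), control_strength=4, years_since_audit=0),
    AuditableArea("corporate_network", ratings(5, 4, 3, 2, 2), control_strength=2, years_since_audit=3),
    AuditableArea("data_warehouse", ratings(2, 5, 4, 3, 3), control_strength=3, years_since_audit=2),
    AuditableArea("email", ratings(3, 4, 2, 2, 2), control_strength=3, years_since_audit=4),
]
HOURS = {"policy_admin": 300, "corporate_network": 200, "data_warehouse": 150,
         "claims_app": 120, "email": 80}

if __name__ == "__main__":
    ranked = rank_universe(AREAS, PROCESSES)
    for name, score in ranked:
        print(f"{name:<20}{score:>8}")
    plan, deferred = annual_plan(ranked, HOURS, budget_hours=600)
    print("plan:", plan, "deferred:", deferred)
```

With the constructed data the weakly controlled, long-unaudited corporate network outranks the policy administration system even though the latter carries higher inherent risk, and the 600-hour plan takes the network and policy administration, defers the data warehouse and claims application, and fits e-mail into the remaining hours. The deferred list is the item to carry into the next planning cycle rather than a silent gap in coverage.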


Appendix B-1
Integrated Audit Considerations
Many of our IT IAS and internal audit outsourcing engagements are part of an integrated
audit. In an integrated audit, our IT IAS and internal audit procedures are an extension
of our external audit arrangement. Therefore, portions of the IT internal audit work may
be performed for, and relied on by, those performing the external audit. In these
situations we, as well as our clients, derive benefits from coordinating our internal
and external audit efforts. When we are performing integrated audits, we discuss internal
audit and external audit integration requirements with the coordinating partner and other
engagement team members, as appropriate, in Stage 1 - Co-Develop Expectations. We
also refer to applicable portions of the Ernst & Young LLP Audit Process (Audit
Process) for additional guidance. Those portions of the Audit Process most likely
applicable in these situations include:
Audit planning: In many situations, we will want to coordinate our co-development
of client expectations and audit planning efforts, as well as agree on team goals and
objectives, with the external auditors. As part of their planning procedures, the
external audit team ordinarily receives materials from the Assurance Support Center
that would assist us in learning about the client's business and industry. We also
might want to review these documents. These materials typically include a Business
Intelligence Memorandum, industry-segment value chain and mega/major process
models. (See Activities 1, 2 and 3 of the Audit Process.)
Internal control at the entity level and the risk of fraud: In addition to the
understanding we need for internal audit purposes, we are often involved in
obtaining or updating our understanding of the client's internal control at the entity
level and the risk of material misstatement due to fraud to assist the external
auditors. The components of internal control, which we evaluate at the entity level,
include the control environment (manual and IT controls), risk assessment,
information and communication, control activities, and monitoring. The risk of
fraud from an external audit perspective includes material misstatements to the
financial statements due to fraudulent financial reporting and misappropriation of
assets. (See Activity 4 of the Audit Process.)
Understand, evaluate and test routine data processes and processes of the financial
statement close: We often coordinate with the external auditors our work related to
accounting processes (both manual and automated), which are referred to in the
Audit Process as routine data processes, non-routine data processes, estimation
processes and the process of closing the books. While these procedures might be
encompassed within the scope of our IT business process focused work and
application reviews, additional procedures may be required to meet the needs of the
external auditors. (See Activities 9 and 10 of the Audit Process.)
Understand, evaluate and test the information technology processes: In most
situations we will want to coordinate performing the work steps in the Audit Process
related to how information technology (IT) supports the business and other
processes in achieving their financial reporting, operating and compliance
objectives. In moderately to highly complex IT environments, an ISAAS professional
ordinarily assumes the role of the IT specialist in the audit process. Accordingly, the
same individual(s) might be used for both internal and external audit purposes. (See
Activity 8 of the Audit Process.)
Combined risk assessment: The combined risk assessment for purposes of the
external audit is focused on assessing the combined inherent and control risk for
significant financial statement accounts. It is used by the external auditors to
determine the nature, timing and extent of substantive audit procedures necessary to
hold their audit risk to an acceptable level. The risk assessment described in this
document is directed toward the company's IT processes and how IT supports the
business processes, with the objective of determining the risk areas to focus on for
IT internal audit purposes. While the objectives of these two risk assessments differ,
the work performed by IT internal auditors is an input into the external auditors'
combined risk assessment. Therefore, we ordinarily coordinate how information
gathered and assessments made by IT internal auditors about inherent and control
risk are communicated to the external auditors for purposes of their combined risk
assessment. (See Activities 3 and 11 of the Audit Process.)
Analytical procedures: The scope of our internal audit work might include
analytical procedures, especially data analysis procedures. The work steps included
in the Audit Process to plan, execute and evaluate analytical procedures ordinarily
are also applicable to analytical procedures performed during internal audit work.
(See Activity 13 of the Audit Process.)
Tests of details: The scope of our internal audit work might include tests of key
items, representative samples, other tests of underlying data or a combination of the
preceding types of tests of details. For example, we might confirm certain balances
or transactions to test for existence. (See Activity 14 of the Audit Process.)
Additional business process analysis: As further described in this document, we
might also want to determine the root cause of errors that we identify in order to
assist the client in fixing a problem or improving a process. This is often performed
as a separate engagement. (See Activity 15 of the Audit Process.)


Appendix B-2
Client Service Charter
(Presentation template; "client name" appears on each slide.)

Slide: Establish Relationship Protocols
Our Team
Risk Focus
Value Scorecard
Communication Protocols
Special Projects

Slide: Establish Relationship Protocols (detail)
Risk Focus
Our Team
Subject Matter Expertise
Communication Protocols
Executive Management/Audit Committee
Reporting
Value Scorecard Components
Other IA Measures
Frequency of Communications
Processes
Geographic Areas
Functional Units
Special Projects

Slide: Understanding Your Business Goals and Objectives
Current State
Future State
Key Performance Indicators
Critical Success Factors
Business Risks

Slide: Understanding Your Business Strategies and Risks
Critical Success Factors
Key Performance Indicators
Business Risks

First Bank System Checkpoints to Audit Success
An integrated methodology to bring value to FBS while efficiently and effectively executing our audit strategy
(Matrix with four phases, Planning, Execution, Evaluation/Analysis and Reporting, each
described by Objective, Deliverables, Success Definition/Measurement, Critical Success
Factors and Best Practices, under the banner "Bringing value to FBS and the Audit Process".)

Planning
Objective
1. Identify client needs based on discussions with FBS management
related to business risks, objectives, strategies and critical success
factors.
2. Understand Mega and Major business processes and business
process controls.
3. Identify audit team based upon required competencies and team
roles. Orient the team to client needs, client business and team goals.
4. Complete appropriate planning documentation.
Deliverables
1. Prepare planning documentation including:
a. Identification of Mega and Major processes and identification
of important business controls
b. Overview of business risks, objectives, strategies and critical
success factors
c. Summary of meeting with FBS high level management
d. Summary of internal planning meetings
e. Key date schedule
f. Client assistance letter
g. Audit program
h. Audit strategies document
i. Organizational chart (obtain from client)
j. Prepare time budget using FBS Time Tracker
Success Definition/Measurement
1. Client and E&Y objectives are met and deliverables prepared
according to key date schedule.
2. Audit strategy incorporates FBS senior management's concerns.
Partner approval prior to starting fieldwork.
3. Team meeting prior to fieldwork to discuss team expectations and
areas of audit focus.
Critical Success Factors
1. Timely partner involvement and approval of audit plan.
2. Execute planning and entire audit according to key date schedule.
3. Client assistance delivered to client one month prior to fieldwork.
4. Communication of expectations and significant audit information to
all team members.
5. Honor other people's schedules.
6. Timely ISAAS involvement.
Best Practices
1. Develop template for letter addressed to FBS senior management to
confirm timing and initiate meeting.
2. Meetings with senior management and middle management should
identify key business issues.
3. Team internal meetings should be used to transfer knowledge
obtained through planning process prior to fieldwork.
4. Utilize the EY databases and external resources to enhance our
understanding of the current environment, risks and potential
opportunities within the business being audited.
5. Utilize administrative staff to transcribe meeting notes.
6. Consider how we can better utilize technologies in our audits (e.g.,
ACL).

Execution
Objective
1. Execute the plan (within budget) coming out of planning phase
within calendar parameters.
2. Summarize findings and communicate timely.
3. Provide positive educational experience to staff.
Deliverables
1. Audit Program completion.
2. Audit results/Findings summary.
3. Written staff feedback.
Success Definition/Measurement
1. Met CSF.
2. Met or exceeded budget. Budget versus actual per Time Tracker.
3. People - Client feedback questionnaire.
4. Client satisfaction survey.
5. Increase staff interest in FBS. Relationship management meetings
quarterly with senior management and monthly Parrin meeting.
Critical Success Factors
1. Timely escalation of Needs Improvement or Unsatisfactory issues.
2. Escalate client work requests that are out of scope.
3. Coordinate with ISAAS and other disciplines.
4. Tracking of time and expense.
5. Monitor performance in field and communicate performance real
time.
Best Practices
1. More senior management involvement in field.
2. Client update meetings.
3. Standardized time system for all FBS projects.
4. Partner through manager (i.e., experienced) involvement in audit
summarization debrief.

Evaluation/Analysis
Objective
1. Analyze individual or groups of audit results (data) and synthesize
into audit findings (information).
2. Escalate Needs Improvement or worse issues as soon as they
become a possibility.
Deliverables
1. Prioritized outline of audit findings validated by client for factual
accuracy and completeness.
2. Senior management meetings for Needs Improvement type issues.
Success Definition/Measurement
1. Audit findings are in proper business context.
2. Audit findings are in proper priority (i.e., significant or other).
3. Evaluation/analysis phase of audit completed at or under budget.
4. Partner/Principal input obtained in this phase.
Critical Success Factors
1. Spend more time thinking and strategizing and less time writing
[90 - 10 Rule].
2. Client leadership (e.g., auditee and supervisor) involved throughout
the audit and during the evaluation phase.
3. Timely escalation of issues at FBS client and E&Y.
Best Practices
1. Spend more time thinking and less time writing [90 - 10 Rule].
2. Think at 1 to 2 levels higher than the client/auditee.
3. Facilitated, focused debrief sessions.
4. Achieve the proper balance between client satisfaction, people and
profitability.
5. Complete the heavy lifting before reporting - the report should be
90% complete before reporting phase begins.

Reporting
Objective
1. Efficient and effective audit report delivery process.
2. Reports perceived to have value by client.
Deliverables
1. Concise report which is responsive to the key issues noted during
the audit.
2. Internally focused assessment (KPIs - see below).
Success Definition/Measurement
1. Fifteen-day report issuance rule.
2. Adherence to the ten-page rule.
3. Efficiency ratio: number of drafts (dependent upon engagement hours,
rating, etc.).
4. Client report card.
Critical Success Factors
1. Timely executive involvement.
2. Effective client closing meeting.
3. Successful handoff from evaluation segment to reporting phase.
Best Practices
1. Adherence to process model.
2. Define all team roles.
3. Don't give away value - limit report to audit issues, not consulting.

Appendix B-4 Strategy Memorandum

To: ABC Company IT IAS Audit Files
From: John Smith
Subject: ABC Company IT IAS Strategy Memorandum
Date: 5/15/99

The purpose of this memorandum is to document our understanding of the scope and approach of
the ISAAS work to be performed at ABC Company for the IT Internal Audit Services.
Background
ABC Company and its predecessors have been in business since 1877. A mutual company with
headquarters in Metropolitan, South Dakota, ABC is licensed to sell in 48 states and the District of
Columbia. The company offers life insurance and annuities, group life and disability insurance,
pension products and reinsurance services.
Scope of Assignment
ABC Company has contracted with us to perform IT Internal Audit Services and performance of a
risk based audit approach. We will perform an initial risk assessment which will include the
corporate operations as well as operations of all third party administrators. The objective of the risk
assessment process is to actively identify the Company's critical information systems resources and
business processes and apply certain risk factors to each. These risks are then individually analyzed
and ranked to allow for prioritization and proper allocation of information systems corporate audit
resources based upon the determination of relative risk. Risk assessment is accomplished by using
a uniform process and criteria for consistently defining and measuring risk across all areas.
Fully identifying all auditable areas requires regular and on-going communication with operating
company management. The scope of the discussions with management focuses on understanding the
business and its operations. A thorough understanding of the business will require meetings with
functional heads of Accounting, Actuarial, Marketing, Human Resources, Finance, Operations
(Claims, Policy Service, and Underwriting) and all Information Systems functions. The process
identified above is utilized for assessing all areas of the Company utilizing information systems.
During the risk assessment process, each major operating area's system development plans and
priorities are obtained. This information will be incorporated into and considered in the rating of
the Control Risk factors since significant application and system changes may have a significant
impact on the internal control environment.
We will utilize a standard format for documenting our understanding and subsequent risk
assessment and IT audit plan.
Key Deliverables
We will develop a written report detailing our risk assessment. In addition, we will deliver an oral
presentation to the Executive Committee of our risk assessment.
Timetable
The draft risk assessment will be delivered to client management by 6/10/99. The oral presentation
will be given by 6/20/99. The audit plan for the remainder of the year will be agreed upon by
6/30/99.


Staffing and Budget


The risk assessment will be performed by ISAAS Manager and ISAAS Senior and will be managed
by ISAAS Partner. The overall budget for the initial risk assessment will be 80 hours.
Responsibilities
The ISAAS personnel noted above will be responsible for the overall quality and delivery of the
ISAAS services. Billing of the ISAAS time and expenses will be performed by the Audit Billing
Executive of this client.
Prepared by: Senior
Reviewed by: Manager
Reviewed by: Partner


Appendix B-5

ABC Company
IT Risk Assessment
Sample Client Assistance Listing

1. Current Company organization chart including all divisions/locations within scope.
2. Listing of significant technology in place (hardware, software, and major applications).
3. Strategic Business Plan and IS Strategic Plan.
4. Policies and procedures for:
a) Application development/program changes
b) Requesting and granting user access to systems
c) Dial-up access to facility
d) Monitoring and follow-up of security violations
e) Internet use
f) Software licensing
5. Disaster recovery plan/Business continuity plan
6. Network and Communication Diagrams


Appendix B-6
Ernst & Young L.L.P.
ISAAS

Project Management Worksheet

CLIENT NAME: ABC Inc.
ENGAGEMENT DESCRIPTION: IT Internal Audit Services - Risk Assessment
LISTING TYPE:
AUDIT PARTNER: John Megabucks
ENGAGEMENT RELATIONSHIP MANAGER:
ENGAGEMENT MANAGER: Bob Dole
FIXED COST QUOTED:
ADMINISTRATIVE SURCHARGE: 10.0%

Budgeted hours by activity:

Activity                          | % of hours | Budgeted hours
Planning                          | 21%        | 50
Documentation Review              | 8%         | 20
Interviews                        | 35%        | 84
Post Interview Meetings           | 8%         | 20
Interview Summary Write Up        | 3%         | 8
Review Internal Audit Review Plan | 4%         | 10
Follow Up                         | 4%         | 10
Report Writing & Review - Draft   | 6%         | 14
Report Writing & Review - Final   | 3%         | 6
Presentation Development - Draft  | 5%         | 12
Presentation Development - Final  | 3%         | 6
Total                             | 100%       | 240

FEES AT 100% OF STANDARD:

RESOURCE ASSIGNED | RATE PER HOUR | TOTAL BUDGETED HOURS | TOTAL BUDGETED FEES | PERCENTAGE OF HOURS | ADMIN RECOVERY | TOTAL LOADED FEES
Partner           | 475 | 18  | $8,550  | 8%   | $855   | $9,405
Sr. Manager       | 358 | 22  | $7,876  | 9%   | $788   | $8,664
Manager           | 281 | 56  | $15,736 | 23%  | $1,574 | $17,310
Senior            | 182 | 96  | $17,472 | 40%  | $1,747 | $19,219
Staff #1          | 133 | 48  | $6,384  | 20%  | $638   | $7,022
Total             |     | 240 | $56,018 | 100% | $5,602 | $61,620

CONTINGENCY:

VALUATION:

VALUATION PERCENTAGE | VALUED FEES | AVG RATE PER HOUR | ADMIN  | TOTAL FEES & ADM
90%                  | $50,416     | $210              | $5,042 | $55,458
85%                  | $47,615     | $198              | $4,762 | $52,377
80%                  | $44,814     | $187              | $4,481 | $49,296
70%                  | $39,213     | $163              | $3,921 | $43,134
60%                  | $33,611     | $140              | $3,361 | $36,972
50%                  | $28,009     | $117              | $2,801 | $30,810

Note:
Rates include a 5% busy season charge.

Appendix C-1
Engagement Team Organization and Requirements
Engagement Partner or Leader: The engagement partner or leader is responsible for
the overall effectiveness of the engagement. Responsibilities include:
Managing relationships with key client personnel
Leading or taking a primary role for project scoping and pricing
Ensuring development of an effective workplan
Involvement in the analysis of the results of each stage of the project
Leading or taking a primary role in developing the recommendations and the
deliverables
Lead involvement in presenting deliverables.
Engagement Manager: The engagement manager is responsible for the day-to-day on-site activities of the engagement. Responsibilities include:
Managing day-to-day relationships with key client personnel
Developing the project scope and workplan
Identifying and scheduling engagement project team members
Leading engagement activities such as interviews, information gathering, and
information analysis
Involvement in key interviews and ensuring interview and information gathering
activities are properly conducted and recorded
Developing project analysis, recommendations and deliverables
Presenting deliverables to client
Monitoring and managing costing and billing activities and matters.
Engagement Team (Staff): The engagement project team is selected based on skill
requirements for the engagement scope. The project team should be comprised of an
appropriate mix of senior and staff consultants. Responsibilities include:
Understanding the engagement scope and workplan
Developing interview schedules and information request lists
Participating in key interviews with the engagement manager
Leading certain interviews
Collecting and compiling data and information for analysis
Assisting in analysis of data and information
Assisting with the preparation of the deliverables
Assisting as necessary with presenting deliverables to the client.


Project Quality Advisor/Pre-Issuance Reviewer: An engagement project quality
advisor should be selected to provide guidance which will ensure highest quality service
delivery. The quality advisor ideally should have experience in delivering IT internal
audit services. The quality advisor may be the engagement leader or manager, or may
serve in an advisory only role, depending on the needs for the particular engagement
and project team. Responsibilities include:
Understanding the engagement scope
Understanding client issues
Providing guidance regarding workplan development
Assisting with the data and information analysis and consulting with the project
team to guide compilation of results
Providing guidance for the process of developing deliverables, or reviewing the
deliverables after development


Appendix C-2

Activities and Worksteps (worksheet columns: Budget, Due Date, Worker, Status)

1. Plan the Risk Assessment
- Identify and orient the project team
- Identify key personnel to be involved/interviewed
- Develop risk assessment workplan
- Determine timeframe and budget for risk assessment
2. Understand the Business Goals, Strategies, Objectives and Critical Success Factors
- Identify relevant information held by E&Y
- Confirm and build our understanding
3. Understand the Entity's Mega and Major Business Processes and Related IT Requirements
- Identify the mega and major business processes (list specific processes)
- Identify the key major business processes (list specific processes)
- Document how IT supports the mega and major business processes
4. Understand the IT Resources and Related IT Processes
- Identify and document the IT resources
- Identify and document the IT processes
5. Document Risk Assessment and Validate with Management
- Document risk assessment conclusions
- Prioritize risk areas
- Validate with management
Total Hours for Project

Appendix C-3 Sample Business Process and Critical Success Factor Documentation

Draft for Discussion Purposes

The Hospital for Sick Children

Business Process Risk Review

Diagram: major processes mapped against the organization's divisions (Business & Corporate Development; Information and Diagnostic Services; Academic and Clinical Development; Child Health Services; Human Resources; Research), rated High / Moderate / Low.

Mega processes and their major processes:

Direct and guide the organization
- Provide governance
- Perform organizational planning and design
- Manage quality, risk and performance
- Perform and manage operational planning

Develop and maintain the market
- Market the organization
- Manage contracts
- Manage relationships
- Manage education
- Manage research

Deliver health care services
- Provide patient care
- Provide diagnostic services
- Provide and manage pharmaceuticals
- Provide food and nutrition services

Manage health care delivery
- Develop and maintain system policies
- Manage strategic partnerships
- Manage clinical resources

Support the organization
- Manage regulatory and legal matters
- Manage financial operations
- Manage human resources
- Manage environmental services and plant operations
- Manage information systems, technology and knowledge
- Maintain health records

Mega Process | Description
Direct and guide the organization | Set the strategic direction, policies and guidelines for the organization as a whole.
Develop and maintain the market | Build new and repeat business with community relations, including activities such as marketing, research and education.
Deliver health care services | Deliver patient care.
Manage health care delivery | Manage the delivery of patient care.
Support the organization | Administer physical, financial and human resources for the organization as a whole.

Major Process | Purpose | Objective

Direct and guide the organization

Provide governance
  Purpose: Define the organization's purpose, direction and structure.
  Objective: Inspire public trust and meet social accountability and fiduciary obligations by ensuring that quality of care standards and standards of conduct meet acceptable levels.

Perform organizational planning
  Purpose: Formulate and obtain governing approval for strategic plans including viable services.
  Objective: Implement strategies and plans that address stakeholder needs.

Manage quality, risk and performance
  Purpose: Manage the entire organization and each of its functions and/or processes.
  Objective: Establish and monitor critical indicators considering management and governing body's internal control philosophy.

Perform and manage operational planning
  Purpose: Manage the volume of service delivery and support services for the organization for each of its functions and processes.
  Objective: Establish and monitor the volume of service delivery and support services performed by the organization.

Develop and maintain the market

Market the organization
  Purpose: Maintain or enhance presentation of organization to its current and potential customers and external constituents.
  Objective: Identify customer needs and develop effective message that differentiates provider and stimulates demand for services.

Manage contracts
  Purpose: Negotiate contracts with insuring entities.
  Objective: Execute financially beneficial patient service contracts, evaluate financial benefit and effect on competitors.

Manage relationships
  Purpose: Communicate with customers, business and research organizations.
  Objective: Retain customer business and/or maintain a positive business relationship.

Manage education
  Purpose: Maintain and enhance educational program for professional staff, inpatients and outpatients.
  Objective: Identify, obtain and provide educational resources required by professional care givers/employees and inpatients and outpatients.

Manage research
  Purpose: Maintain and enhance research programs to ensure development of new interventions and treatments.
  Objective: To excel in basic and clinical research that leads to improved understanding, prevention, treatment and cure of children's diseases.

Deliver health care services

Provide patient care
  Purpose: Provide inpatient and outpatient care.
  Objective: Manage patient outcome, provide treatment in most time and resource effective manner.

Provide diagnostic services
  Purpose: Provide diagnostic and laboratory services for inpatient and outpatient care.
  Objective: Manage diagnostic services, to ensure most time and resource effective use is made of equipment in delivering patient care.

Provide and manage pharmaceuticals
  Purpose: Provide pharmaceutical distribution in inpatient care.
  Objective: Manage pharmaceutical distribution in relation to patient care to ensure appropriate treatment.

Provide food and nutrition services
  Purpose: Provide nutritional services for inpatient and outpatient care.
  Objective: Manage nutritional services, to provide treatment in most time and resource effective manner.

Manage health care delivery

Develop and maintain system policies
  Purpose: Develop a plan for delivering medical services to patients.
  Objective: Achieve quality outcomes, promote cost effective use of resources, improve the health status of individuals and the community.

Manage strategic partnerships
  Purpose: Establish, maintain and enhance the system of providers.
  Objective: Use strategic alliances to provide viable services more effectively than competitors.

Manage clinical resources
  Purpose: Align medical resources with system strategic plan.
  Objective: Manage utilization, thereby containing health care costs while remaining dedicated to being on the leading edge of patient care.

Support the organization

Manage regulatory and legal matters
  Purpose: Address day-to-day legal matters, obtain regulatory approval as required, and resolve malpractice issues.
  Objective: Operate consistent with legal standards, protect provider from litigation.

Manage financial operations
  Purpose: Address day-to-day financial issues including investment, financial reporting, general disbursements.
  Objective: Maximize profitability, ensure accountability, protect assets, maximize collections.

Manage human resources
  Purpose: Acquire, train, evaluate and compensate employees.
  Objective: Maintain qualified personnel needed to meet objectives.

Manage environmental services and plant operations
  Purpose: Process to manage and maintain facilities, equipment and supplies.
  Objective: Procure needed resources to operate and maintain facilities and equipment.

Manage information systems, technology, and knowledge
  Purpose: Develop and maintain technology and systems.
  Objective: Provide and support information technology infrastructure with tools and systems to meet information and knowledge management needs.

Maintain health records
  Purpose: Process to manage and maintain health record information for inpatients and outpatients.
  Objective: To ensure that adequate health records are maintained to effectively document, diagnose, and provide patient care, as well as allow regulatory reporting.

Strategic goals mapped against the major processes (Ranking: H/M/L). Matrix columns are the major processes grouped under their mega processes: Direct and guide the organization; Develop and maintain the market; Deliver health care services; Manage health care delivery; Support the organization.

1. Lead in the delivery of exemplary patient care and development of new interventions and treatments
- Enhance care delivery methods and processes by working with new partners in care
- Develop and implement more effective and efficient methods, modes and processes of delivering patient care
- Identify and implement new and innovative therapies, treatments and technologies to improve clinical outcomes
- Improve health care system functioning by collaborating with others to effect system changes

2. Become the preeminent research enterprise for children's health worldwide
- Enhance the scientific quality of research at HSC
- Extend the scope of research at HSC
- Integrate research into the fabric of HSC and apply to the ongoing care of children
- Strengthen the financial base for research

3. Build an outstanding education and knowledge dissemination capability
- Attract the best students and trainees by providing outstanding academic training and experience
- Ensure staff are current and fully qualified to fulfill professional obligations
- Become a center of excellence in the provision of external continuing education
- Enhance impact of HSC's family education and health promotion activities
- Collaborate with others in the measurement and evaluation of education/training activities

4. Support, develop and retain staff and attract the best recruits
- Foster an environment that values and supports staff in their efforts to achieve HSC goals
- Develop, support, motivate and maximize performance of all staff
- Retain, attract and recruit the best people for HSC
- Increase HSC's ability to shape, implement and be resilient to change

5. Lead and work cooperatively with visible responsive networks and partnerships
- Enhance HSC's ability to identify, evaluate and participate effectively in a range of internal and external networks and partnerships
- Lead and sustain selected networks and partnerships to effect change
- Leverage the strength of networks and HSC's role within them to influence public policy on child health and research

6. Continue to improve, measure and evaluate the value and effectiveness of what we do
- Integrate measurement, evaluation and continuous improvement into the fabric of HSC
- Develop and implement the system and tools required to demonstrate the value of accountability for what we do

7. Enhance existing and develop new sustainable sources of funding
- Enhance and diversify HSC's government funding base
- Build a portfolio of positive cash flow business opportunities
- Partner with HSCF in building its endowment
- Maximize opportunities to reduce costs
- Become the health care industry partner of choice

27 Goals in total. The matrix's final row counts, for each major process, the goals dependent on that process's purpose and objective being satisfied.

Major Process | Risk | Likelihood | Impact

Direct and guide the organization (Provide governance; Perform organizational planning and design; Manage quality, risk and performance; Perform and manage operational planning)
- Litigation and/or regulatory issues arise from failed governance
- Lack of organization direction and missed opportunities
- Internal interpretation of mission is inconsistent
- Poor communication with community can lead to loss of business
- Punitive and financial risk associated with failing to detect, correct and prevent violations of health care fraud and abuse regulations and other laws due to lack of corporate compliance
- Inability to develop sound tactical plan can lead to poor financial performance
- Inability to develop and monitor sound strategic plan can lead to lack of organizational direction
- Divergent results not identified in time for corrective action
- Insolvency
- Lack of effective strategic planning will result in the organization failing to appropriately assess their external environment, the competitive position and their core competencies to develop a strategy consistent with the direction set by the organization's governing body
- Inability to define and promote a high standard of internal control policies can lead to loss of financial, operational, and administrative data integrity
- Employees are not focused on strategic plan
- Inconsistent implementation of plan
- Risk that key indicators of quality, risk and performance are not established or are not measured, resulting in lack of internal metrics by which to implement corrective action or measure success

Develop and maintain the market (Market the organization; Manage contracts; Manage relationships)
- Markets change faster than marketing strategy
- Failure to manage can lead to loss of patients and market share
- Unintended assumption of risks
- Lack of leverage in negotiations
- Inadequate sources of information to analyze contracts/lines of business
- Inability to control certain utilization/costs
- Loss of key physician relationships to competitors

Develop and maintain the market (Manage education; Manage research)
- Inadequate sponsorship for corporate initiatives
- Failure to understand the stakeholder needs
- Loss of affiliation with educational institutions
- Approval of research proposals that do not have significant scientific merit and have an unacceptable balance of benefit relative to risk
- Information provided to participants of trials does not adequately disclose the benefits, risks and impositions associated with participation
- Failure of investigators to adhere to the rules and regulations of regulatory bodies during the implementation of trials
- Increasing dependence of academic health science centers on support from the private sector may induce their leaders to be unduly deferential to private sponsors, which could influence the extent to which they support and defend important values such as academic freedom
- Research contracts being entered into by professional staff without the hospital being party to the contract or reviewing and approving the contract
- Not obtaining the maximum research funding
- Not producing the best research programs and providing successful research projects

Deliver health care services (Provide patient care; Provide diagnostic services; Provide and manage pharmaceuticals; Provide food and nutrition services)
- Malpractice actions if provider incorrectly diagnoses patient
- Loss of licensure
- Malpractice actions as provider pursues efficient course of treatment
- Inability to control certain utilization costs
- Perceived lack of quality/image/reputation can cause customer dissatisfaction and loss of business
- Failure to meet specific customer requirements
- Lack of leverage in negotiations due to limited size
- Inability to control utilization costs
- Industry consolidation
- Resistance of customers, unions, others to allocation of volume
- Inability to substitute resources (e.g. FTEs)

Manage health care delivery (Develop and maintain system policies; Manage strategic partnerships; Manage clinical resources)
- Inability to control utilization and costs
- Customer dissatisfaction
- Inability to generate acceptable return
- Government regulations
- Inability to control utilization and costs
- Inability to substitute resources
- Inability to generate acceptable return
- Medical malpractice risk
- Loss of provider relationships to competitors

Support the organization (Manage regulatory and legal matters; Manage financial operations; Manage human resources; Manage environmental and plant operations; Manage information systems, technology and knowledge; Maintain health records)
- Lack of timely response may perpetuate legal issues or loss of business
- Non-legal personnel are unaware that their actions could result in legal issues
- Noncompliance with regulations can lead to fines, penalties and/or loss of license
- Risk of insufficient resources available to meet maturing liabilities
- Inability to provide accurate financial information to make timely business decisions
- Inaccurate financial reporting can lead to regulatory or legal issues
- Loss of revenues
- Errors in billing
- Risk that the billing and collections process is not effective, resulting in poor financial results and negative community image
- Risk that financial statements are materially misstated due to an inadequate control structure due to lack of financial and accounting internal controls
- Lack of adequately trained personnel can cause deterioration in service and loss of business
- Loss of key employees
- Poor facility management can lead to over/under capacity relative to utilization needs
- Inadequate information and knowledge sharing system can result in perceived lack of quality service and loss of business
- Organization's resources can be inappropriately tied to projects that are not aligned with organization goals
- Lack of data confidentiality
- Risk of loss, alteration, or theft of critical business information due to lack of authorization security
- Risk of a significant disruptive occurrence to an organization's operations, such as an interruption of critical functions, systems, resources, or loss of vital records due to lack of business continuity planning
- Information system is not configured to match the actual business processes, leading to unexpected financial and operational results due to lack of business process integrity
- External threat due to connectivity to the external environment. Dial-up solutions, Internet connectivity, network connections to business partners, etc. all provide a potential avenue for exploitation to penetrate into the internal network. Hacking tools are more available today than ever and are quite simple for the novice user to operate. Due to lack of information system security
- Operating systems are mis-configured resulting in vulnerable conditions and placed into production prior to vulnerability testing. The ability to exploit these vulnerabilities poses a high risk to the infrastructure
- Lack of asset management resulting in multiple points of risk concern such as unknown software or unknown modems attached to the network. A poor account of assets results in an ineffective risk assessment of what is to be protected and how much to spend to protect it.

Risk rating matrix (Impact / Severity against Likelihood / Probability)

Impact / Severity | 1 Low | 2 Unlikely | 3 Moderate | 4 Likely | 5 High
5 Catastrophic    |       |            | VH         | VH       | VH
4 Major           | T     | T          | H          | VH       | VH
3 Moderate        | L     | L          | T          | H        | VH
2 Minor           | VL    | VL         | L          | T        | H
1 Insignificant   | VL    | VL         | VL         | L        | T

Very High = Urgent action to be taken that will reduce the level of risk to tolerable or less.
High = Detailed action plan required that will reduce the level of risk to tolerable or less.
Tolerable = Managed by keeping under review and through continued good practice.
Low = Managed through continued good practice.
Very Low = No action required.

Impact

Rating        | Description
Catastrophic  | Loss of ability to sustain on-going operation. A situation that would cause the organization to cease operating. >50% loss of service capability or >30% reduction in funding.
Major         | 30-50% loss of service capability or 20-30% reduction in funding
Moderate      | 10-30% loss of service capability or 10-20% reduction in funding
Minor         | 5-10% loss of service capability or 5-10% reduction in funding
Insignificant | <5% loss of service capability or <5% reduction in funding

Probability

Rating     | Description
5 High     | >80% probability of occurrence
4 Likely   | 60-80% probability
3 Moderate | 40-60% probability
2 Unlikely | 20-40% probability
1 Low      | <20% probability
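As an added illustration (not part of the toolkit or the HSC sample), the following Python encodes the matrix and scales above: impact is banded from the worst-case loss of service capability or reduction in funding (the higher of the two, since the page joins them with "or"), likelihood from the probability of occurrence, and a register of sample risks is rated and prioritised. The risk descriptions are paraphrased from the Appendix C-3 register, the percentages are constructed, and the two Catastrophic cells for Low and Unlikely, which are not legible on the page, are left unrated rather than guessed.

```python
"""Rate and prioritise risks with the 5x5 likelihood/impact matrix from the
Appendix C-3 sample.  Added example: matrix cells, scale thresholds and action
text follow the page; the sample register percentages are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IMPACT_LABELS = {5: "Catastrophic", 4: "Major", 3: "Moderate", 2: "Minor", 1: "Insignificant"}
LIKELIHOOD_LABELS = {5: "High", 4: "Likely", 3: "Moderate", 2: "Unlikely", 1: "Low"}

# Rows: impact rating; columns: likelihood 1 (Low) .. 5 (High).
# None marks the two Catastrophic cells that are not legible on the source page.
MATRIX = {
    5: [None, None, "VH", "VH", "VH"],
    4: ["T", "T", "H", "VH", "VH"],
    3: ["L", "L", "T", "H", "VH"],
    2: ["VL", "VL", "L", "T", "H"],
    1: ["VL", "VL", "VL", "L", "T"],
}
ACTIONS = {
    "VH": "Urgent action to be taken that will reduce the level of risk to tolerable or less.",
    "H": "Detailed action plan required that will reduce the level of risk to tolerable or less.",
    "T": "Managed by keeping under review and through continued good practice.",
    "L": "Managed through continued good practice.",
    "VL": "No action required.",
}
SEVERITY = {"VH": 4, "H": 3, "T": 2, "L": 1, "VL": 0}

# (lower threshold, rating), highest band first.  The top band is strictly above
# its threshold (">50%"); lower bands include their lower bound, so a value on a
# shared boundary such as 30% takes the higher band (Major, not Moderate).
SERVICE_LOSS_BANDS = [(50, 5), (30, 4), (10, 3), (5, 2)]  # % loss of service capability
FUNDING_BANDS = [(30, 5), (20, 4), (10, 3), (5, 2)]       # % reduction in funding
PROBABILITY_BANDS = [(80, 5), (60, 4), (40, 3), (20, 2)]  # % probability of occurrence


def band(value: float, bands: List[Tuple[float, int]]) -> int:
    """Map a percentage onto a 1-5 rating using the band table conventions above."""
    top_threshold, top_rating = bands[0]
    if value > top_threshold:
        return top_rating
    for lower, rating in bands[1:]:
        if value >= lower:
            return rating
    return 1  # below every band: Insignificant / Low


@dataclass
class Risk:
    major_process: str
    description: str
    service_loss_pct: float
    funding_reduction_pct: float
    probability_pct: float
    threatens_continuity: bool = False  # "loss of ability to sustain on-going operation"


@dataclass
class RatedRisk:
    risk: Risk
    impact: int
    likelihood: int
    rating: Optional[str]  # VH / H / T / L / VL, or None for an unrated matrix cell

    @property
    def action(self) -> str:
        if self.rating is None:
            return "Not rated: matrix cell not legible on the source page; assess manually."
        return ACTIONS[self.rating]


def rate(risk: Risk) -> RatedRisk:
    """Impact is the higher of the two criteria; a threat to continued operation
    is Catastrophic regardless of the percentages."""
    impact = 5 if risk.threatens_continuity else max(
        band(risk.service_loss_pct, SERVICE_LOSS_BANDS),
        band(risk.funding_reduction_pct, FUNDING_BANDS))
    likelihood = band(risk.probability_pct, PROBABILITY_BANDS)
    return RatedRisk(risk, impact, likelihood, MATRIX[impact][likelihood - 1])


def prioritize(risks: List[Risk]) -> List[RatedRisk]:
    """Order for the audit plan: rating, then impact, then likelihood.  Unrated
    cells sort last so they stay visible for follow-up rather than being dropped."""
    rated = [rate(r) for r in risks]
    return sorted(rated, reverse=True,
                  key=lambda r: (SEVERITY.get(r.rating, -1), r.impact, r.likelihood))


# Constructed sample register: descriptions paraphrased from the Appendix C-3 risk
# list; the percentages are illustrative estimates, not figures from the page.
SAMPLE_REGISTER = [
    Risk("Manage information systems, technology and knowledge",
         "Operating systems mis-configured and placed into production before vulnerability testing",
         service_loss_pct=35, funding_reduction_pct=5, probability_pct=70),
    Risk("Manage information systems, technology and knowledge",
         "Disruptive occurrence with no business continuity planning",
         service_loss_pct=60, funding_reduction_pct=10, probability_pct=15),
    Risk("Manage financial operations", "Errors in billing",
         service_loss_pct=2, funding_reduction_pct=6, probability_pct=50),
    Risk("Manage human resources", "Loss of key employees",
         service_loss_pct=8, funding_reduction_pct=1, probability_pct=30),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.rating or '--':>2}  {IMPACT_LABELS[r.impact]:<13} "
              f"{LIKELIHOOD_LABELS[r.likelihood]:<8}  {r.risk.description}")
        print(f"    -> {r.action}")
```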


Appendix C-4 Example Business Process Impact Analysis


How Important is Information Confidentiality?
BUSINESS RISK
of unintended or unauthorized disclosure of
information (worst case).

Competitive Disadvantage

BUSINESS IMPACT RATING

ADDITIONAL COMMENTS

1: Business Threatened
2: Serious Damage
3: Significant Damage
4: Minor Impact
5: Negligible
1

How damaging would it be if information is


disclosed to a competitor?
Direct Loss of Business
Could business be lost if information is disclosed?
Public Confidence
If information is disclosed what damage could
there be to customer confidence; public image; or
shareholder or supplier loyalty?
Additional Costs
Could extra costs be incurred if information is
disclosed?
Legal Liability
Could disclosure of information result in a breach
of legal, regulatory or contractual obligations?
Staff Morale
If information is disclosed could there be a
damaging effect on staff morale or motivation?
Fraud
If information is disclosed, could goods or funds
be improperly diverted?
1: Essential
2: Very Important
3: Important
4: Useful
5: Nice to Have

ASSESSMENT

TOTAL SCORE

In summary, taking into account the ratings noted


above and any other consequences what is the
importance of the information confidentiality to the
business process?


How Important is Information Integrity?

Business risk: errors in information, or deliberate manipulation of information to perpetrate or conceal fraud (worst case). Rate each item on the business impact scale and record additional comments.

Business impact rating: 1 = Business Threatened; 2 = Serious Damage; 3 = Significant Damage; 4 = Minor Impact; 5 = Negligible.

Management Decisions: Could incorrect business decisions be made as a result of errors in, or unauthorized changes to, information?
Direct Loss of Business: Could orders or contracts be lost as a result of errors in, or unauthorized changes to, information?
Fraud: Could fraudulent diversion of goods or funds arise from, or be concealed by, unauthorized changes to information?
Public Confidence: What damage could there be to public confidence, public image or reputation, or shareholder or supplier loyalty as a result of errors in, or unauthorized changes to, information?
Additional Costs: Could additional costs arise through unauthorized changes to, or errors in, information, e.g. through the need to investigate integrity problems or to restore the integrity of lost or corrupted data?
Legal Liability: Could legal, regulatory or contractual obligations be breached if there are errors in, or unauthorized changes to, information?
Staff Morale: Could there be a damaging effect on staff motivation, e.g. if staff cannot rely on information?
Business Disruption: Could the business otherwise be disrupted as a result of errors in, or unauthorized changes to, information?

Assessment (total score): In summary, taking into account the ratings noted above and any other consequences, what is the importance of information integrity to the business process? 1 = Essential; 2 = Very Important; 3 = Important; 4 = Useful; 5 = Nice to Have.

How Important is Information Availability?

Business risk: data or systems being unavailable. Rate each item on the business impact scale for each duration of outage (1 hour, 1 day, 2-3 days, 1 week, 1 month) and record additional comments.

Business impact rating: 1 = Business Threatened; 2 = Serious Damage; 3 = Significant Damage; 4 = Minor Impact; 5 = Negligible.

Management Decisions: Could decision making be adversely affected by an application being unavailable?
Direct Loss of Business: Could loss of business result from information being unavailable?
Public Confidence: Could customer confidence, public image and reputation, or shareholder or supplier loyalty be damaged if an application is unavailable?
Additional Costs: What additional costs could arise through an application being unavailable?
Legal Liability: Could legal, regulatory or contractual obligations be breached through a loss of the availability of an application?
Recovery: How costly would it be to recover from the backlog in processing if an application was unavailable?
Staff Morale: Could there be a damaging effect on staff morale or motivation if the availability of an application was disrupted?
Fraud: Could fraudulent diversion of goods or funds arise from, or be concealed by, an application being unavailable?
Business Disruption: Could the business be otherwise disrupted by an application being unavailable?

Assessment (total score): In summary, taking into account the ratings noted above and any other consequences, what is the importance of information availability to the business process? 1 = Essential; 2 = Very Important; 3 = Important; 4 = Useful; 5 = Nice to Have.

How Important is Information Effectiveness?

Assessment of exposure due to the items below. Rate each on the business impact scale and record additional comments.

Business impact rating: 1 = Business Threatened; 2 = Serious Damage; 3 = Significant Damage; 4 = Minor Impact; 5 = Negligible.

Timeliness: If information is not available, what would be the impact on your business within 1 hour, 1 day, 2-3 days, 1 week, 1 month?
Correct: If incorrect information is produced, what is the impact on your business?
Consistent: If information is not reported in a consistent manner, what is the impact on your business?
Usable: If it is not possible to easily use the information obtained from the information systems, what is the impact on your business?
Relevant: If the information produced is not relevant to your needs, what is the impact on your business?
Opportunities: If IT does not maximize the available business opportunities, what is the impact on your business?

Assessment (total score): In summary, taking into account the ratings noted above and any other consequences, what is the importance of information technology effectiveness to the business process? 1 = Essential; 2 = Very Important; 3 = Important; 4 = Useful; 5 = Nice to Have.

How Important is Information Efficiency?

Assessment of exposure due to the items below. Rate each on the business impact scale and record additional comments.

Business impact rating: 1 = Business Threatened; 2 = Serious Damage; 3 = Significant Damage; 4 = Minor Impact; 5 = Negligible.

Costs: If IT costs are excessive, what is the impact on your business?
Most productive: If IT resources are not used productively, what is the impact on your business?
Most economical: If IT resources are not used efficiently, what is the impact on your business?
Overall: If IT does not provide information through the most productive and economical use of resources, what is the impact on your business?

Assessment (total score): In summary, taking into account the ratings noted above and any other consequences, what is the importance of information technology efficiency to the business process? 1 = Essential; 2 = Very Important; 3 = Important; 4 = Useful; 5 = Nice to Have.

Appendix C-5
ABC Company
Software to Hardware Map
November 1998

Columns: System Name | Description | Location | Source | Implementation Date. The platform columns (IBM Mainframe; Unix Digital; Unix Solaris; UNIX SUN; Novell 4.11; Windows NT 4; stand-alone PC) were marked with an X per system in the original; those marks did not survive extraction.

Accounts Payable (APPO) | Voucher and vendor information | Rockford | Custom | N/A
Check Printing (McCormick and Dodge) | Check printing | Rockford | Package | N/A
Accounts Receivable (COOP) | Tax information, credit issued, authorization, credit memos, customer account and payment history, customer information, aging, credit limits | Rockford | Custom | N/A
General Ledger (Millenium) | Debit/credit entries | Rockford | Package | N/A
Invoicing (COOP) | Pricing on shipment data | Rockford | Custom | N/A
Manufacturing Quality Assurance (COOP) | Reviewing and reporting on product quality | Rockford | Custom | N/A
Government contract compliance | A group of programs used for reporting and tracking product to comply with government contract requirements | Rockford | Custom | N/A
Gentrax (EDI) | EDI is used between customers and most vendors: electronic funds transfer (EFT), purchase orders (PO), PO changes, invoices and shipping notices. ANSI X12 for domestic and EDIFACT for international. | Rockford | Package | 2Q 99
Payroll / Human resources (SHRIS) | Benefits and payroll administration; purchased from Computer Associates | Rockford | Package | N/A
Labor Systems | Group of programs separated by plant and employee classification, used for tracking time and expenses; these programs feed the SHRIS application | Rockford | Custom | N/A
Purchasing (SICS) | Purchasing of raw materials and components, and general purchasing; keeps track of inventory | Rockford | Custom | N/A
Materials Requirements Planning (SICS) | Projection of raw material requirements for production | Rockford | Custom | N/A
Capacity Requirements Planning (SICS) | Tool for assessing production capacity | Rockford | Custom | N/A
Master Production Schedule (SICS) | Production scheduling tool | Rockford | Custom | N/A
Job Instruction Sheet (JIS) | On-line assembly instructions for use by production employees | Rockford | Package | N/A
Shop Floor Control | Routes products to the appropriate point on the production line | Rockford | Custom | N/A
Tool and Gauge Management System (TGMS) | Keeps track of tool and gauge usage, calibration, location and maintenance | Rockford | Package | N/A
Advanced Quality System (AQS) | Quality control tool used for ensuring product quality | Rockford | Package | N/A
Electronic Non-Conforming System | Tracks disposition of non-conforming materials or product, including required paperwork | Rockford | Package | N/A

Software to Hardware Map (continued). Every item below is located at Rockford, sourced as a Package, with implementation date N/A; platform marks did not survive extraction. The descriptions for Openview and Unix HPUX are given as they appear in the source, which seems to have misaligned them.

Cost Accounting Management System (CAMS) | General cost accounting for the manufacturing process
Automated Manufacturing Systems | Applications that are specific to an automated machine and may reside on a stand-alone machine
Lotus Notes | E-mail and database application used for product support and communication of service bulletins to customers
Unigraphics | CAD system for designing new products as well as for manufacturing
Catia | CAD system for designing new products as well as for manufacturing
SCINET | Customer support
OPCA Scheduler | Mainframe scheduler
Openview | Change control tool used for controlling changes to the mainframe environment
CICS | Mainframe transaction processing
IMS | Mainframe transaction processing
MVS OS390 | Mainframe operating system
NT 4 | NT server operating system
Novell 4.11 | Novell network and server operating system
Unix HPUX | HP OpenView for system management
Unix Sun Solaris | Engineering
Unix Sun OS | Engineering
Unix Digital | Run machines
ACF2 | Mainframe security
NDS | Novell security
Auto Secure (Platinum) | UNIX security
Network Dial in | US Robotics Net Server; the RADIUS connection uses network authentication. Reachout is used for remote control of workstations.
Mainframe Dial | Advantis (IBM Global Network; uses Passport software)
SQL Database | Database that contains management reports from various systems
TMC | Management reporting tool for use with the SQL database
Databases DB2 and IMS | Manufacturing uses both
McAfee | Antivirus
Firewall | Interlock
PBX Communications | Phone system (Rolm)

ABC Company
Software Business Process Map
November 1998

[Matrix of every system in the Software to Hardware Map (Accounts Payable (APPO) through PBX Communications) against the mega and major processes below, with a count of the major processes each system supports and a total per mega process. Only the process headings and the grand total survived extraction; the per-system counts did not.]

Mega process: major processes
Product/Process Concept Determination: New Product Design; Product/Process Translation; Process Development; Product Testing
Gain New Business: Select Marketing Strategy; Communicate Image and Product; Sell Product; Order Processing
Procurement: Procurement Planning; Purchasing; Receiving; Material Storage and Distribution
Production: Production Planning; Conversion
Product Delivery: Distribution; Invoicing; Collection
After Sales Support: Product Service; Product Performance
Support: Various Support Processes
Executive: Various Executive Processes

Total systems/process support count: 93.

Appendix C-6 Sample Risk Assessment

Columns: Mega Process | Major Process | Sources of Risk | Risk Importance (H = high, M = medium, L = low) | 1999/2000 Planned Project Descriptions. Risks are listed per major process in the order shown in the source; the planned projects are listed per mega process.

Gain Business / Select Services (acquire and maintain patient volume)
Financial / Qualitative Market Analysis | Inability to retain market-competitive pricing, lost reimbursement | H
Contract Management | Unintended risk assumption, lack of negotiation leverage, lost contract payments | M
Promote Business | Ineffective marketing, managed care leverage, tax-status restrictions | L
Acquire / Allocate Volume | Industry consolidation, inability to substitute resources and control utilization | H
Manage Clinician Resources | Loss of key physicians, low clinician utilization, lack of management expertise in non-acute environments | M
Planned projects: Chargemaster review, including code assignment and maintenance of the CM; Managed care contracting, including compliance with contract procedures/payments; Tax return compliance audit and consistency/standardization of returns; Due diligence acquisition process review; Home health service process assessment.

Provide Service Excellence (deliver patient care)
Patient Admitting & Registration | Improper registration procedures or system, downstream data re-work, higher level of claim denial | (rating not shown in source)
Manage Utilization | Decreased quality of care due to aggressive cost containment, malpractice risk, excessive costs | (rating not shown in source)
Provide Patient Care (inpatient/outpatient) | Loss of revenue, Medicare/Medicaid, JCAHO regulations, dissatisfied patients, non-compensated care | (rating not shown in source)
Discharge Patient | Additional costs for longer LOS, inadequate documentation at discharge, inter-organizational transfer | (rating not shown in source)
Planned projects: Process review of revenue cycle, including registration, charge capture and billing; Lab operational review; Medical necessity for PT/OT services; FACIS automated database screening for sanctioned personnel; Radiology and pharmacy documentation and billing process.

Collect Payment / Financial (manage billing and receivables, including medical records)
Establish Payment Method | Excess indigent patients / bad debt, third-party reimbursement/settlement | H
Capture / Code Patient Charges | Improper/fraudulent coding (Medicare/Medicaid), loss of revenues | H
Invoice Payor / Patient | Fraudulent billing, errors in billing, charge accumulation system adequacy | H
Accounts Receivable Management | Liquidity and cash management issues, collection agency performance, capitated contract losses | H
Planned projects: Cost report reimbursement optimization study; Medical records review, with tests for completeness, accuracy and confidentiality; 72 hour rule, including test for non-compliance and review of policies/procedures; Accounts receivable review, including establishment of reserves, aging and collection efforts.

Executive (set the strategic direction, policies and guidelines for the organization as a whole)
Manage Regulatory and Legal Matters | Insufficient risk management/self-insurance systems, healthcare fraud/abuse
Maintain External Relationships | Joint ventures/affiliations/consolidations
Manage Investor Relations | Change in use of tax-exempt bond proceeds, jeopardizing the exemption of the bonds
Establish Policies and Procedures | Inefficient control structure, inadequate policies and procedures, media focus on high-profile issues
Manage Network Synergy | Breakdown of network relations, inability to provide full continuum of care, uncontrolled capitation
Manage Corporate Compliance Programs | Non-compliance and insufficient understanding of current regulations, physicians without credentials, tax issues
Risk importance: H for the four rows rated; two ratings not shown in source.
Planned projects: Revenue cycle (registration, charge capture and billing) for physician practice; Unrelated business income for joint ventures tax assessment; Qualified use of tax-exempt bond proceeds review; Intermediate sanctions policy and procedures review; Physician practice tax review and physician exit strategies; Corporate compliance plan effectiveness.

Support the Organization
HR (Physician and Employee Resources) / Payroll | Physician recruitment/retention/physician organizations (private inurement), Stark (fraud and abuse)
Financial Reporting / Budgeting | Non-compliance with GAAP, material misstatements/inaccurate budgets
Purchasing | Corporate non-compliance, fraud and abuse in purchasing and vendor relationships
Accounts Payable / Disbursements | Corporate non-compliance, fraud and abuse in A/P and disbursements
Risk importance: M, H, M in source order for three of the four rows; one rating not shown.
Planned projects: Private inurement exposure, including reasonableness of physician compensation; Outsourced services contract and compliance review/tax implications; Contracted lab performance review; Accounts payable, including compliance with policy and test for duplicate payment.

Information Systems (information systems, security, and related software and hardware)
System Maintenance | Vendor support, internal systems development life cycle | H
Data Security | Outside intruders, internal errors/mistakes | H
Contingency Planning | Lack of plan or inadequate planning | H
Operations Management | Physical security, IT operating procedures | H
Application Systems | User errors, poor controls | H
Planned projects: Change management controls review; Data security review; Business continuity plan review; Operations management review; Application reviews (radiology and pharmacy).

Appendix C-7 Summary of Key Financial Audit Considerations

FBS Bank
Summary of Key Financial Audit Considerations
December 31, 1998

Columns: Principal Audit Strategy | Primary Audit(s) | Final Reconsider Project Risks | Manager | Sign-off. The last three columns are sign-off fields left blank in the sample; the pairing of each strategy with its primary audit did not survive extraction, so the primary audits are listed after the strategies.

Account Classification: Commercial Loans (Commercial, Financial Institutions, Real Estate Mortgage, Real Estate Construction, Leases, Corporate Card, Purchasing Card, Asset-Based Lending) and Interest Receivable

Principal audit strategies:
- Review Credit Exam reports to determine compliance with loan underwriting standards and authorization procedures.
- Test a sample of new originations for presence of proper loan documentation (legal documents and approvals).
- Test a sample of new originations for presence of proper lease documentation (legal documents and approvals).
- As of an interim date, test the reconciliation process of the entire area.
- As of an interim date, test the reconciliation of the total commercial loan portfolio on the general ledger to the ancillary systems.
- Confirm loans and leases* as of an interim date, including any participations purchased.
- Review loan suspense accounts at the interim date for unusual items or stale reconciling items.
- Test the calculation of interest income, the posting of interest income, the amortization of premiums/discounts and the proper set-up and accretion of loan fees for all commercial loan categories.
- Test the deferral of loan fees under FAS 91.
- Review documentation of loans made to related parties and evaluate whether loans were made on the same terms as those made to unrelated parties (refer to proposed audit committee materials).
- Review reasonableness of RPT disclosures at year-end.
- Perform an analytical review of yields and average balances.
- Test the aging of account balances, reset dates and the interest income and accrual posting on the Total system (corporate cards).
- Test the aging of delinquent account balances, reset dates and interest income and accrual posting on the lease accounting system.
- Test the aging of account balances, reset dates, and interest income and accrual posting on the AFS system (commercial, financial institutions, real estate, asset-based lending).
- Review the residual value estimation process for leased assets to determine whether any additional write-downs need to be made in accordance with FASB 13.

Primary audits referenced: Credit; Retail (Commercial Loan Service Center, cycled); Leasing; Commercial Financial Statements; Corporate/Interim; Corporate/Quarterly Reviews; Payment System.

*Refer to separate analysis of confirmation procedures for additional details.

Account Classification: Consumer Loans (Residential Mortgages, Home Equity Loans, Consumer Cards, Automobile Loans, Revolving Lines of Credit, Student Loans) and Interest Receivable

Principal audit strategies:
- Review changes to underwriting standards to determine the implication for the allowance for credit losses.
- Review the underwriting override approval process and the volume of overrides.
- Review credit examination reports to determine adherence to underwriting standards for consumer products.
- Test compliance with underwriting standards.
- Test the aging of outstanding loan balances, reset dates and interest income and accrual posting on the Mtech and IMPAC systems (consumer cards and revolving lines of credit).
- Test the aging of outstanding loan balances, reset dates and interest income and accrual posting on the Shaw system (automobile, residential mortgage, home equity loans, student loans).
- Test the aging of outstanding loan balances, reset dates and interest income and accrual posting on the LOC system (overdraft protection line of credit).
- Confirm a sample of loans* as of an interim date and review a sample of general ledger reconciliations.
- As of an interim date, test the reconciliation of the consumer loan portfolio on the general ledger to the ancillary systems.
- As of an interim date, test the reconciliations of residential mortgage, student loan, revolving credit and automobile loan and related accrued interest accounts.
- As of an interim date, test the reconciliations of revolving credit and consumer credit card and related accrued interest accounts.
- As of an interim date, test the reconciliations of indirect automobile loan and related accrued interest accounts.
- Review loan activity from confirmation date to year-end and investigate unusual activity.
- Perform an analytical review of the yields and investigate any unusual trends.
- Review the lower of cost or market valuation for residential mortgage loans held for sale and evaluate the need for any adjustments, if material.

Primary audits referenced: ACAPs Audit; Credit; Consumer Loan Compliance; Payment System and Mtech audits; Installment Loan Accounting & Operations and Shaw Audit; Retail Service Center; Retail Asset Confirmations; Payment Systems; Indirect Lending; Corporate/Quarterly Reviews; Retail Mortgage.

*Refer to separate analysis of confirmation procedures for additional details.

Account Classification: Other Significant Areas

Principal audit strategies:
- Review the year-end trust fee accruals to determine the accuracy of the fee accrual and proper cut-off.
- Review off-balance sheet accounts for reasonableness and inquire about any unusual balances.
- Inquire of Bill Cox regarding the year-end reconciliation process and any issues or out-of-balance situations.
- Completion of the Year 2000 internal audit.
- Completion of all documented Activity 8 audit procedures, as documented in the Activity 8 Scope & Approach Memo.
- Inquire about significant items discussed during the general ledger close process as of year-end.
- Client Relationship Executive inquiry of senior management (see separate matrix).

Primary audits referenced: Trust; Corporate/Financial Statements; BTC.

*Refer to separate analysis of confirmation procedures for additional details.

Appendix D-1 Sample Annual Audit Plan

Year 1

Columns: E&Y notation | Description of project | Estimated cost per project | Number of projects | Total cost. The entity assignment columns (Entity One to Entity Four, Corporate) and the type-of-project column did not survive extraction; the legends are kept at the end.

Regional / Corporate
Tax/IAS | Due diligence acquisition process review | $10,000 | 1 | $10,000
ABS     | Medical necessity for PT/OT services | $14,000 | 2 | $28,000
IAS     | Corporate compliance plan effectiveness | $15,000 | 2 | $30,000
Tax     | Qualified use of tax-exempt bond proceeds review | $8,000 | 1 | $8,000
Tax     | Intermediate sanctions policy and procedures review | $30,000 | 1 | $30,000
Tax     | Unrelated business income for joint ventures tax assessment | $5,000 | 1 | $5,000
Tax     | Tax return compliance audit and consistency/standardization of returns | $20,000 | 0 | $-
ABS     | FACIS - automated database screening for sanctioned personnel | $15,000 | 1 | $15,000
        | Special projects (as requested by management) | $70,000 | 1 | $70,000

Acute Care Facilities
IAS     | Process review of revenue cycle | | |
        |   - Registration | $24,000 | 1 | $24,000
        |   - Charge capture | $24,000 | 1 | $24,000
        |   - Billing | $24,000 | 1 | $24,000
IAS     | Lab operational review | $24,000 | 0 | $-
IAS     | Radiology and pharmacy documentation and billing process | $36,000 | 0 | $-
ABS/IAS | Chargemaster review, including code assignment and maintenance of the CM | $29,000 | 2 | $58,000
IAS     | 72 hour rule, including test for non-compliance and review of policies/procedures | $6,000 | 2 | $12,000
ABS     | Cost report reimbursement optimization study | $55,000 | 1 | $55,000
IAS     | Accounts receivable review, including establishment of reserves, aging, collection | $48,000 | 1 | $48,000
IAS     | IBNR process review | $30,000 | 1 | $30,000
IAS     | Accounts payable, including compliance with policy and test for duplicate payment | $28,500 | 0 | $-
Tax     | Private inurement exposure, including reasonableness of physician compensation | $5,000 | 1 | $5,000
IAS     | Medical records review: tests for completeness, accuracy and confidentiality | $30,000 | 0 | $-
IAS     | Payroll cycle review for accuracy, approvals and compliance with procedures | $28,000 | 0 | $-
IAS     | Managed care contracting, including compliance with contract procedures/payments | $34,500 | 0 | $-
IAS/Tax | Outsourced services contract and compliance review/tax implications | $23,000 | 0 | $-
IAS     | Contracted lab performance review | $18,000 | 1 | $18,000

Physician Practices
IAS     | Revenue cycle, including registration, charge capture and billing | $38,500 | 2 | $77,000
Tax     | Physician practice tax review and physician exit strategies | $5,000 | 2 | $10,000
IAS     | Home health service process assessment | $24,000 | 0 | $-

Information Technology
ISAAS   | Information technology risk assessment | $40,000 | 1 | $40,000
ISAAS   | General controls review (acute care) | $51,200 | 1 | $51,200
ISAAS   | General controls review (physician practice) | $12,800 | 2 | $25,600
ISAAS   | Accounts payable application review | $16,000 | 1 | $16,000
ISAAS   | Application-specific reviews as determined by the risk assessment; representative projects include: | $16,000 | 0 | $-
ISAAS   |   - Accounts receivable | $16,000 | 0 | $-
ISAAS   |   - Laboratory | $16,000 | 0 | $-
ISAAS   |   - Radiology and pharmacy | $16,000 | 0 | $-

Totals: 31 projects, $713,800.

E&Y notations: IAS = Internal Audit Services; ISAAS = Information Systems Assurance and Advisory Services; TAX = Tax Services; ABS = Health Care Advisory Business Services.
Type of project: R = Risk; O = Operational; C = Compliance.

Years 2 and 3

Same columns and the same project list as Year 1 (Regional / Corporate; Acute Care Facilities; Physician Practices; Information Technology), at the same estimated cost per project. In this table the entity columns carry a 2 or a 3 marking the year in which each project is scheduled for that entity. The per-project counts and totals did not survive extraction.

Total estimated cost for Years 2 and 3: $1,071,700.

E&Y notations and type-of-project legend as for Year 1.

Sample Annual Audit Plan

Project Descriptions
The following descriptions outline the scope and approach of the projects in the three year plan. A separate
report, including findings, recommendations and management responses will be issued at the conclusion of
each project.
Regional/Corporate
Due diligence acquisition process review

Document the components of the acquisition or joint venture process. Review the effectiveness of key process
components, specifically, evaluation, financial and qualitative analysis, and negotiation. Evaluate the controls
over these processes. Test the accuracy of historical financial and qualitative projections versus actual results.
Medical necessity for PT/OT services

Assess the adequacy of documentation related to the medical necessity of physical and occupational therapy
services provided to Medicare residents of skilled nursing facilities (SNFs). Test for adherence to guidelines
which require that therapy services be reasonable and necessary, and provide a specific and effective treatment
for the patient's condition.
Corporate compliance plan effectiveness

Perform a diagnostic review of existing corporate compliance program effectiveness. This typically involves
sampling and auditing the knowledge and performance of personnel critical to the organization's Corporate
Compliance program; specifically, to determine the effectiveness of training programs and overall compliance
with Office of Inspector General (OIG) standards. This review will be prepared in accordance with the OIG
model program for Hospitals.
Qualified use of tax-exempt bond proceeds review

Review policies and procedures in place to monitor the qualified use of tax-exempt bond financed facilities,
given recent regulations issued by the U.S. Department of Treasury.
Intermediate sanctions policy and procedures review

Review intermediate sanctions policy and procedures including a list of disqualified persons and the guidelines
used to create the list. Review documentation confirming how a rebuttable presumption of reasonableness was
established for applicable transactions and documentation identifying how the intermediate sanctions policies
tie in to other corporate policies.
Unrelated business income for joint ventures tax assessment

Review the structure of joint venture relationships to ensure tax exposure items associated with unrelated
business income and private inurement are adequately addressed and supported by appropriate documentation.
Tax return compliance process audit and consistency/standardization of returns

Review the tax return compliance processes, including assessing the technical accuracy of the returns,
reviewing the charity care and community benefit reporting of each health care entity and ensuring consistent
disclosure and reporting among the entities in the WFSI system.
FACIS - automated database screening for sanctioned personnel

Screen health professionals and contracted companies through over 200 governmental databases including
records of sanctioned healthcare personnel and institutions. The databases include individuals and entities with
disciplinary actions and sanctions at all levels of government, including federal, state, and other quality
assurance entities.


Special Projects (as requested by management)

Special projects represent a percentage of the overall IA budget (typically 10%) which is available at
management's discretion for EY support on an as-needed basis to address timely issues; performing an audit in
support of a corporate compliance hot line call is a typical project of this type.
Acute Care Facilities
Process review of revenue cycle including registration, charge capture, and billing

A review of policies and procedures for the registration, charge capture, and billing process. Evaluation of the
internal control environment includes a review for complete and accurate patient information collection and
proper dissemination of information. A review of select accounts will help to identify if all charges are
captured, documented and billed correctly.
Lab operational review

Evaluate the efficiency and effectiveness of laboratory operations and the laboratory results reporting system.
Review for the existence of and compliance with internal controls surrounding the reliability and integrity of
information produced by the lab system. Assess the controls over timeliness, completeness and accuracy of the
capture and entry of patient charges.
Radiology and pharmacy documentation and billing process

Review the charge process to verify that patient charging is consistent with policies and procedures. Tests of
charges for accuracy, completeness and timeliness. Verify that all documentation is included and supports the
charges. Review internal management reports for sufficient/timely information and the follow-up process, if
applicable, for resolution of outstanding items.
Chargemaster review includes code assignment and maintenance of CM

A process approach to review, assess and enhance revenue generation through the proper design and
maintenance of the Chargemaster. Includes departmental coding review for improved billing/reimbursement
and infrastructure development for Chargemaster support.
72-hour rule includes test for non-compliance and review of policies/procedures

Evaluate compliance with Medicare's 3-day rule using quadruped's 72 Hour diagnostic tool. Using both
inpatient and outpatient billing data, this tool identifies claims for non-physician services performed within
three days of admission. The effectiveness of the policies and procedures will be evaluated based upon the
results of this analysis.
Cost report reimbursement optimization study

Comprehensive review of the cost reporting process, designed to increase reimbursement. Includes ensuring
appropriate reporting of pass-through items based upon the most recent interpretation of the regulations,
identifying opportunities to update the cost reporting process to more accurately reflect appropriate
allocations between inpatient/outpatient services and correcting the report to adhere to appropriate
Regulations as they apply.
Accounts receivable review includes establishment of reserves, aging and collection

A review of policies and procedures for the accounts receivable process. Document and evaluate establishment
of reserves. Verify that the collection process is effective and functioning as intended. Review the receivable
reports and investigate significant changes in aging categories.
IBNR process review

Document claims processing within the organization specific to Incurred But Not Reported (IBNR) claims.
Evaluate the controls and policies/procedures in place to minimize the charges which have not yet entered the
claims processing flow. This will include an analytic review of claims data in an effort to identify root causes,
areas of high risk and associated cost.
Accounts payable includes compliance with policy and test for duplicate payment

Evaluation of the system of internal controls including detailed tests of completed invoices, review for
supporting documentation, proper authorization and tests for duplicate payments. Includes a review of
controls over check stock. Other tests include using computer assisted audit techniques to identify unusual
payments for a more focused analysis.
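The duplicate payment and unusual payment tests described above, written out as an added example (not the toolkit's own CAAT scripts): a Python pass over a constructed payment register that normalizes invoice numbers, reports exact and near duplicates, and selects payments parked just under an assumed $10,000 approval limit, round amounts, and same-day invoice splits for detailed testing.

```python
"""Duplicate and unusual payment tests over an AP payment register.

Added example, not from the toolkit. The register layout (check number, vendor,
invoice number, amount, pay date, user who entered it) and all rows below are
constructed sample data; the approval limit and 30-day window are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    check_no: str
    vendor: str
    invoice_no: str
    amount: float
    pay_date: date
    entered_by: str


# Constructed register: C1001/C1002 are the same invoice re-keyed, C1003/C1004
# a suspicious re-bill, C1005/C1006 a split invoice just under the approval limit.
PAYMENTS = [
    Payment("C1001", "ACME SUPPLY", "INV-0123", 4250.00, date(1999, 3, 2), "jsmith"),
    Payment("C1002", "Acme Supply", "INV123", 4250.00, date(1999, 3, 16), "jsmith"),
    Payment("C1003", "ACME SUPPLY", "1234", 980.00, date(1999, 3, 2), "mlee"),
    Payment("C1004", "ACME SUPPLY", "1234A", 980.00, date(1999, 3, 20), "mlee"),
    Payment("C1005", "GLOBEX CORP", "G-77", 9800.00, date(1999, 4, 1), "jsmith"),
    Payment("C1006", "GLOBEX CORP", "G-78", 9700.00, date(1999, 4, 1), "jsmith"),
    Payment("C1007", "INITECH", "55", 2500.00, date(1999, 4, 5), "mlee"),
    Payment("C1008", "WAYNE CLINIC", "W-9", 12000.00, date(1999, 4, 6), "mlee"),
]


def normalize_invoice(inv: str) -> str:
    """Canonical invoice key so 'INV-0123', 'inv 123' and 'INV123' compare equal:
    uppercase, drop non-alphanumerics, drop zeros padding the numeric part."""
    key = re.sub(r"[^A-Z0-9]", "", inv.upper())
    return re.sub(r"^([A-Z]*)0+(?=\d)", r"\1", key)


def audit_register(payments, window_days=30, approval_limit=10000.0, band=0.05):
    """Return findings keyed by test; each value is a list of check numbers or tuples."""
    findings = {"EXACT_DUPLICATE": [], "NEAR_DUPLICATE": [], "UNDER_LIMIT": [],
                "ROUND_AMOUNT": [], "SPLIT_INVOICE": []}

    # Test 1: same vendor, same normalized invoice, same amount -> paid twice.
    exact = defaultdict(list)
    for p in payments:
        exact[(p.vendor.upper(), normalize_invoice(p.invoice_no), round(p.amount, 2))].append(p)
    for group in exact.values():
        if len(group) > 1:
            findings["EXACT_DUPLICATE"].append(tuple(sorted(p.check_no for p in group)))

    # Test 2: same vendor and amount within the window under a different invoice
    # key (re-billed, or re-keyed with a suffix); a follow-up item, not a hit by itself.
    by_vendor_amount = defaultdict(list)
    for p in payments:
        by_vendor_amount[(p.vendor.upper(), round(p.amount, 2))].append(p)
    for group in by_vendor_amount.values():
        group.sort(key=lambda p: p.pay_date)
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if normalize_invoice(a.invoice_no) == normalize_invoice(b.invoice_no):
                    continue  # already reported by test 1
                if (b.pay_date - a.pay_date).days <= window_days:
                    findings["NEAR_DUPLICATE"].append((a.check_no, b.check_no))

    # Tests 3 and 4: amounts parked just below the approval limit, and round
    # thousands of 5,000 or more, are classic selection criteria for detailed testing.
    for p in payments:
        if approval_limit * (1 - band) <= p.amount < approval_limit:
            findings["UNDER_LIMIT"].append(p.check_no)
        if p.amount >= 5000 and p.amount % 1000 == 0:
            findings["ROUND_AMOUNT"].append(p.check_no)

    # Test 5: several sub-limit payments to one vendor, same day, same preparer,
    # that together exceed the limit (invoice splitting to avoid a second approval).
    same_day = defaultdict(list)
    for p in payments:
        if p.amount < approval_limit:
            same_day[(p.vendor.upper(), p.pay_date, p.entered_by)].append(p)
    for (vendor, _day, who), group in same_day.items():
        if len(group) > 1 and sum(p.amount for p in group) >= approval_limit:
            findings["SPLIT_INVOICE"].append((vendor, who, tuple(sorted(p.check_no for p in group))))
    return findings


if __name__ == "__main__":
    for test, hits in audit_register(PAYMENTS).items():
        print(f"{test:16s} {hits}")
```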
Private inurement exposure includes reasonableness of physician compensation

Review contracts for compliance with regulations and hospital policy based upon a review of payments for
non-clinical services, advances, services performed and referral incentives.
Medical records review tests for completeness, accuracy and confidentiality

Review medical records for accuracy, timeliness, and accessibility. Review for sufficient information to
identify a patient, support diagnosis, justify treatment and document results accurately. Review the records to
ensure they are confidential, secure, current, authenticated, legible and complete.
Payroll cycle review for accuracy, approvals and compliance with procedures

Review payroll policies and procedures. Evaluate controls to help ensure payroll changes are accurate and
properly authorized. Detailed tests will include using diagnostic tools to review pay rates, hours worked,
employee address records and tax identification information. Other tests to include a review of controls over
payroll check stock.
Managed care contracting includes compliance with contract procedures/payments

Review and evaluate the managed care contracting process including adherence to policies and procedures.
Evaluate controls for identifying participant eligibility and coverage. Assess utilization review process
including how payments and write-offs are monitored for timeliness and accuracy. Computer assisted audit
tools and analytics will be employed to model expected payments relative to actual payments, highlighting
areas of increased exposure and opportunity.
Outsourced services contract and compliance review/tax implications

Review select contracted services to ensure the services are performed in accordance with agreed upon terms.
Review for accurate and timely billing, as well as continued compliance monitoring procedures. Assess the tax
implications of the agreement.
Contracted lab performance review

Evaluate the laboratory's compliance with the contract. Determine if policies and procedures are in place and
operating effectively. A high level review of the laboratory operations and the billing system will be
performed.
Physician Practices
Revenue cycle including registration, charge capture, and billing

A review of policies and procedures for the registration, charge capture, and billing process. Evaluation of the
internal control environment includes a review for complete and accurate patient information collection and
proper dissemination of information. A review of select accounts will help to identify if all charges are
captured, documented and billed correctly.
Physician practice tax review and physician exit strategies

Review operational results of physician practices to ensure tax exposures related to deficits are minimized and
exit strategies are documented and implemented.
Home Health Services Process Assessment

Review home health care policies and procedures, evaluate internal controls with emphasis on segregation of
duties, controls over cash and billing procedures. Also includes review for effectiveness of information systems.


Information Technology
Information Technology risk assessment

Review of the IT inventory including hardware, operating systems, applications, network and
telecommunications. Based upon the inventories, IT will have discussions with local and corporate
management regarding risks and concerns related to these specific IT areas.
General Controls review

Review of the controls that support the data center and related activities. Specifically, these reviews cover:
physical security of the data center, logical security controls, operations management, IT administration and
strategy, systems development and maintenance and business continuity planning.
General Controls review (physician practice)

Similar to the general controls review noted above, IT would select a sample of physician billing offices and
perform a general controls review and also determine the level and controls surrounding the interfaces to
corporate or hospital based systems.
Accounts Payable application review

This review will consist of evaluating system controls within the A/P application. Typical controls include:
invoice input, reporting controls, application level security, change management and backup/recovery
procedures.
Application specific reviews as determined by the risk assessment

Representative projects may include accounts receivable, laboratory, radiology and pharmacy.


Appendix D-2 Engagement Economics Template

Ernst & Young L.L.P.
ISAAS
Project Management Worksheet

CLIENT NAME:                       ABC Inc.
ENGAGEMENT DESCRIPTION:            IT Internal Audit Services - Application Review
LISTING TYPE:
AUDIT PARTNER:                     John Megabucks
ENGAGEMENT RELATIONSHIP MANAGER:
ENGAGEMENT MANAGER:                Bob Dole
FIXED COST QUOTED:
ADMINISTRATIVE SURCHARGE:          9.5%

Task                                 PERCENTAGE   BUDGETED   BUDGETED
                                     OF HOURS     HOURS      FEES
Planning                                 10%         14       $3,728
Application Security                     23%         32       $5,042
Interface Testing                        20%         28       $4,510
Edit Check Testing                       11%         16       $2,620
Reconciliation Review                     6%          8       $1,260
Physical Security of Forms                3%          4         $532
Output Distribution                       3%          4         $532
Report Writing & Review - Draft           9%         12       $1,792
Report Writing & Review - Final           4%          6       $1,290
Presentation Development - Draft          9%         12       $2,580
Presentation Development - Final          3%          4       $1,512
(unused task rows)                        0%          0           $0
TOTAL                                   100%        140      $25,398

RESOURCE ASSIGNED   RATE PER   BUDGETED   BUDGETED   PERCENTAGE   ADMIN      TOTAL
                    HOUR       HOURS      FEES       OF HOURS     RECOVERY   LOADED FEES
Partner             $475          4        $1,900        3%         $181       $2,081
Manager             $281         20        $5,620       14%         $534       $6,154
Senior              $182         50        $9,100       36%         $865       $9,965
Staff #1            $133         66        $8,778       47%         $834       $9,612
(unused resource rows)            0            $0        0%           $0           $0
TOTAL                           140       $25,398      100%       $2,413      $27,811

FEES AT 100 % OF STANDARD:   140.0 hours, $25,398 (total loaded fees $27,811)
CONTINGENCY:
EXPENSES:

VALUATION    VALUED     AVG RATE   ADMIN     TOTAL
PERCENTAGE   FEES       PER HOUR             FEES & ADM
   90%       $22,858      $163     $2,172    $25,030
   85%       $21,588      $154     $2,051    $23,639
   80%       $20,318      $145     $1,930    $22,249
   70%       $17,779      $127     $1,689    $19,468
   60%       $15,239      $109     $1,448    $16,686
   50%       $12,699       $91     $1,206    $13,905

Appendix E-1 Sample Scope

ABC Company
Accounts Payable Application Review
Proposed Audit Scope
4/29/99
I. Objective
The primary purpose of this review will be to perform a post implementation review of the
Accounts Payable application. The review will focus on testing specific agreed upon business
controls and processes.

II. Proposed Scope

1. Follow-up review of issues noted in the pre-implementation Accounts Payable review
conducted in 1998:
- Group security assignments and settings
- Password administration for default IDs
- Procedures for addressing pending status checks and invoices
- Use of the application audit trail utility
2. Identify and quantify all individuals with authority, or the potential, to create and approve
their own checks.
3. Identify and quantify all individuals with authority to perform payment cancellation
procedures and related control weaknesses surrounding payment cancellations. Specifically
inquire as to controls in place for generating replacement checks.
4. Review the implementation plan for the application upgrade (Year 2000 compliant version),
and SYBASE to Microsoft SQL Server conversion.
5. Review process for approving invoices.
6. Review all aspects of the check printing and distribution process.
7. Since timely reconciliation is an integral part of the control environment, review the
procedures for cash reconciliations.
8. Identify and review the controls in place over the approved vendor database.
9. Identify and research other application workflow issues as identified.
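Scope items 1 to 3 in code, as an added example that is not part of the toolkit: given an export of the application's group security assignments (constructed here, with hypothetical permission names, groups and a nested group), it resolves each user's effective rights and lists who can create and approve their own checks, directly or through rights to administer group membership, and who can cancel payments.

```python
"""Segregation-of-duties analysis over AP application group assignments.

Added example, not from the toolkit. The permission names, groups, nesting and
users below are constructed sample data for an AP application; a real review
feeds this from the application's group security export (scope item 1).
"""

# Hypothetical permission names for the AP application.
CREATE = "CREATE_PAYMENT"      # enter an invoice / check request
APPROVE = "APPROVE_PAYMENT"    # release the check
CANCEL = "CANCEL_PAYMENT"      # void a payment, trigger a replacement check
GROUP_ADMIN = "GROUP_ADMIN"    # change group membership: the "potential" in scope item 2

# Permissions granted directly by each group (constructed).
GROUP_PERMS = {
    "AP_CLERKS": {CREATE},
    "AP_SUPERVISORS": {APPROVE},
    "TREASURY": {CANCEL},
    "AP_POWER_USERS": set(),   # grants nothing itself; see nesting below
    "SYSADMIN": {GROUP_ADMIN},
}

# Nested groups: a group listed here is a member of the groups on the right and
# inherits their permissions. Constructed; the cycle guard below handles bad data.
GROUP_PARENTS = {
    "AP_POWER_USERS": {"AP_CLERKS", "AP_SUPERVISORS"},
}

USER_GROUPS = {
    "jsmith": {"AP_CLERKS"},
    "mlee": {"AP_SUPERVISORS"},
    "kwong": {"AP_CLERKS", "AP_SUPERVISORS"},   # direct create + approve conflict
    "rpatel": {"AP_POWER_USERS"},               # same conflict, hidden by nesting
    "tchen": {"TREASURY", "AP_CLERKS"},         # can cancel and re-create a payment
    "apadmin": {"SYSADMIN"},                    # can add itself to any group
}


def group_permissions(group, perms=GROUP_PERMS, parents=GROUP_PARENTS, _seen=None):
    """Effective permissions of a group, following nesting; cycles are ignored."""
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    result = set(perms.get(group, ()))
    for parent in parents.get(group, ()):
        result |= group_permissions(parent, perms, parents, seen)
    return result


def user_permissions(user, user_groups=USER_GROUPS, perms=GROUP_PERMS, parents=GROUP_PARENTS):
    """Union of the effective permissions of every group the user belongs to."""
    result = set()
    for g in user_groups.get(user, ()):
        result |= group_permissions(g, perms, parents)
    return result


def sod_report(user_groups=USER_GROUPS, perms=GROUP_PERMS, parents=GROUP_PARENTS):
    """Identify (and, by list length, quantify) the conflicts in scope items 2 and 3."""
    report = {"CREATE_AND_APPROVE": [], "CAN_GRANT_SELF_ACCESS": [],
              "CANCEL_PAYMENTS": [], "CANCEL_AND_CREATE": []}
    for user in sorted(user_groups):
        p = user_permissions(user, user_groups, perms, parents)
        if CREATE in p and APPROVE in p:
            report["CREATE_AND_APPROVE"].append(user)
        elif GROUP_ADMIN in p:
            # No conflict today, but the user could assign the missing right to itself.
            report["CAN_GRANT_SELF_ACCESS"].append(user)
        if CANCEL in p:
            report["CANCEL_PAYMENTS"].append(user)
            if CREATE in p:
                report["CANCEL_AND_CREATE"].append(user)
    return report


if __name__ == "__main__":
    for finding, users in sod_report().items():
        print(f"{finding:22s} {len(users):2d}  {', '.join(users)}")
```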

III. Timing
The review will begin on Monday, May 12 with a draft report delivered by early June. We will
provide a weekly update of time incurred and will communicate any issues as they arise.

IV. Budget
We currently estimate the total hours of the engagement at 160. We will not exceed this time
without first discussing any situations with you. The estimated rate and hour breakdown is as
follows:


Staff Level     Estimated Hours   Hourly Rate   Estimated Fees
Sr. Manager             2            249.00           498.00
Manager                20            195.00         3,900.00
Senior                 78            126.00         9,828.00
Staff                  60             93.00         5,580.00
Total                 160                          19,806.00

Appendix E-2 Engagement Agenda

THE ABC COMPANY
IT Internal Audit Accounts Payable Application Review
Agenda 4/29/99

A) Ernst & Young LLP Team
   John Megabucks, ISAAS Partner
   Bob Dole, ISAAS Manager
   Bo Diddly, eSS Senior Consultant
B) Changes in Accounts Payable Process or IT Environment
C) Proposed Scope of Engagement (See Attachment)
D) Requirements of ABC Company
E) Key Contacts
F) Timing
G) Questions or Concerns

Appendix E-3 Process Flow Diagram

ABC Company
Check Distribution Process

1. Mailroom hand delivers the checks to the department contact.
2. Contact signs a log that lists the number of checks they received.
3. Contact delivers the checks to the requesting individuals in their department.
   - Not at their desk: Contact leaves a voice mail for the requestor to come pick up their checks.
   - At their desk: Requestor signs a log, maintained by the Contact, that lists the number of checks they received.
4. Requestor places the stuffed envelope in the out tray to be mailed.
5. Requestor lists the date and time they mail the checks on the log that the Contact maintains.

NOTE: If checks are not mailed on the same day they are received, the requestor is required to store the checks in a locked
cabinet at their desk.

Appendix E-4 Sample Narrative Notes

ABC COMPANY
NARRATIVE NOTES
MAILROOM CHECK DISTRIBUTION PROCESS
Objective:
Develop an understanding of the mailroom check distribution process for ABC
Company.

Methodology: Corroborative inquiry and observation with appropriate ABC Company personnel to
obtain an understanding of the process.
Results:

On March 4, 1999, we met with Cashier and Systems Analysis to review the check
printing and distribution process. This process consisted of the checks that were
processed the preceding evening and the on-demand checks that were submitted the
same day.
Mailroom Observation:
We observed how checks are sent to the mailroom, how checks are stuffed into
envelopes, and how the number of checks mailed are reconciled to the number of
checks Cashier printed to be mailed directly.
Checks are picked up from the tray in Cashier's area on the mailroom's second mail
run, which takes place at 10:00 a.m. The individual picking up the checks for
mailing is not required to sign the check pickup sheet, which lists the number of
checks picked up and who picked them up.
Once the checks have been picked up, they are ready to be stuffed into the envelope,
sealed, and mailed. Checks are stuffed automatically on a machine in the mailroom.
After the checks have been stuffed, the individual in the mailroom looks at the
address window on each envelope to ensure there is an address. During our
observation, there was one check that did not have an address.
When all of the checks have been stuffed, the mailroom calls Cashier and tells her
how many checks are going to be mailed and also any checks that need an address.
Once Cashier receives this information, she informs the mailroom individual that the
number of checks being mailed is correct. Any time a check needs an address, the
mailroom walks the check up to Cashier immediately for corrections to be made.
Next, the number of checks being mailed and the number of exceptions are written
in a log in the mailroom. Finally, the envelopes are sealed and ready to be mailed.
Reasons Checks Go Back to the Departments:
We discussed with Client Support and New Business Account Representative the
reasons behind them requesting to have their checks sent back to them once they
have been printed.


Client Support
The primary reason Client Support requests to have some of her checks sent back to
her is because she needs to enclose a remittance along with the check in the
envelope. In addition, Client Support may have a check sent back to her because she
has to Federal Express it overnight. Finally, Client Support explained that she has
had minimal problems with checks consisting of the incorrect address after she
changes it in the application system. Therefore, she requests to have the checks back
for the ones that she has changed the address on to make sure they print correctly.
This issue may be an interface problem, because the system is picking up a
completely different address than the previous one or the one it was changed to.
New Business Account Representative
New Business explained that she requests to have checks sent back to her on a
regular basis, because she deals with the approval of applications. These approvals
may lead to withdrawals, postpones, declines, and not takens, which require a letter
to be sent along with the check so the individual receiving the refund check in the
mail does not get the check back before they receive the letter.
Check Storage Security:
Checks are delivered to the requesting departments by the mailroom. These checks
are placed in a tray that resides in the area of each department. During the day, the
requesting individual picks up their own check from the tray, or someone will pick
up the check and place it in a basket on the respective individual's desk. This process
leads to checks being left in trays and on desks overnight, etc.


Appendix E-5 Issues Summary

ABC Company
Issues Summary Example

Columns: Workpaper Reference / Area / CONCERN / ISSUE RESOLUTION

B1 - Corporate Database
CONCERN: There are currently no formal documented procedures for submitting requests, maintaining test
scripts and related documentation, and logging program changes for the Corporate Database.
ISSUE RESOLUTION: MLC - See w/p A1-3

B1 - Corporate Database
CONCERN: There is currently no formal change log made of all database changes; however, any major
change is briefly documented at the beginning of the program's code.
ISSUE RESOLUTION: MLC - See w/p A1-3

B1 - Corporate Database
CONCERN: It was noted that the current problem log does not have a field or area which documents
problem resolution.
ISSUE RESOLUTION: Verbally discussed with client - problem log does have a problem resolution field;
however, it was not printed on the report we received.

D1 - LAN Program Change
CONCERN: There are instances where the user departments do not go through the IS department (e.g. user
departments purchasing their own software). IS has educated and encouraged users to ensure that the formal
process should be followed.
ISSUE RESOLUTION: Verbally discussed with client - compensating controls are in place.

D1 - LAN Program Change
CONCERN: Before the new or changed code is moved into production, the previous code is not moved or
copied. In other words, there are no formal procedures in place for version control or back-out of new or
changed program code.
ISSUE RESOLUTION: MLC - See w/p A1-3

D1 - LAN Program Change
CONCERN: It was noted during the review that the LAN Administrators currently have the capability to
create LAN security groups without the Security Administrator's knowledge. In addition, for the unauthorized
groups that are created, supporting documentation is not consistently being prepared for each group (e.g.
Security Request Form).
ISSUE RESOLUTION: MLC - See w/p A1-3

Appendix E-6 Client Satisfaction Survey


Audit Project:
Date:
Completed By:

CLIENT FEEDBACK
Your input is essential to our improvement and success. Please mark the box which best describes the level at which we
performed during the audit project. Please provide specific examples whenever possible in the space provided. Thank
you!

Each item is rated from "Not at all" to "Very much so", with space for Suggestions/Comments.

During the audit process, did we:
1. Clearly communicate the timing, objectives and scope of the audit
2. Facilitate an informative opening meeting with you
3. Jointly agree on the scope of the audit, including your specific concerns
4. Execute the audit in an efficient manner with minimal disruption
5. Conduct ourselves in a professional manner
6. Keep you informed of our observations and the status of the project
7. Show that we were knowledgeable of your processes, risks and controls
8. Facilitate an effective closing meeting with you that provided no surprises
9. Report observations that address your concerns
10. Make sensible recommendations which provide realistic and workable solutions
11. Write a report that was easy to read and understand, and appropriately prioritized our observations
12. Clearly explain our assessment criteria and apply it fairly to the audit
13. Appropriately reflect your challenges, achievements and proactive actions in the report
14. Add value to your operation
We would appreciate any additional feedback you can provide. Thank you!


Appendix F Communicate Results


Audit Committee Subject Calendar
Meeting Dates: Jan, Mar, Aug, Nov

Subjects

Audit Committee
- Review and approve minutes from prior meeting
- Review Audit Committee Charter
- Private discussions with:
  - Internal Auditor
  - Independent Public Accountant
  - Management (as necessary)

Executive Management
- Review of year end financial results (including accounting, tax, and financial reporting matters)
- Review of regulatory filings (e.g., 10K) by:
  - Management
  - Independent Public Accountant
  - External Legal Counsel
- Approval of Independent Public Accountants
- Approval of Internal Audit Services provider

General Counsel
- Review contingent litigation
- Review regulatory matters, as appropriate

Other Management Members
- Review compliance with Code of Conduct
- Review risk management (insurance) coverage
- Review corporate contingency plan
- Review Treasury issues (e.g., risk management, foreign exchange, etc.), as appropriate
- Review information systems/technology issues, as appropriate

Internal Audit
- Review Client Service Charter
- Review Risk Assessment
- Review Annual Audit Plan
- Review status of Annual Audit Plan
- Review significant audit issues
- Review value ideas
- Review list of audit reports issued
- Review emerging business risks and risk management issues
- Review management's follow-up and monitoring of findings and recommendations

Independent Public Accountants
- Review of annual reports, including management letter
- Review of external audit plan

Appendix G-1

SERVICE:          IT Internal Audit Services
OTHER PRACTICES:  AABS - Internal Audit Services
LAUNCH DATE:      May, 1999

SERVICE OVERVIEW
Service Description: Through teaming with Internal Audit Services, or working directly with a client's Director of
Internal Audit, we can provide a variety of IT internal audit services, including:

- IT Internal Audit Services (Teaming) - supplementing the existing IT internal audit resources with depth in
specific specialty areas to perform risk assessments, complete specific projects, provide knowledge transfer or
deploy resources in remote locations.
- Outsourcing - providing the full IT Audit function from planning through execution and reporting.
BENEFITS
Value Proposition: Our IT Internal Audit Services are designed to assist clients in better aligning their IT internal
audit coverage with their key business risks. Through our investments in people, knowledge, technology and
methodologies, we can assist our clients in accelerating to world-class expectations. Specifically, we can provide:

- More business insight from the IT perspective - we leverage the knowledge and experience of thousands of
global IT risk professionals to provide clients with strategic and operationally focused recommendations in the
areas of IT risk management and technology enablement. We help accelerate a comprehensive improvement
agenda which cuts the time from assessment to solution dramatically.
- More comprehensive risk coverage - our business process oriented IT Risk Assessment focuses our
technology specialists on the areas most important to your business. We team with the client to develop a risk
approach for the key IT areas and assign professionals with appropriate industry experience and deep
technology skills to create an innovative assessment and testing solution.
- Operate more efficiently - using our people, state-of-the-art tools, technology, and knowledge resources, your
IT risks are assessed, tested and communicated to management in a timely and comprehensive manner.
Together with the client, we focus on the process of designing an efficient and effective world-class internal audit
function, while meeting management's growing expectations.

RED FLAGS
- Recent turnover among the CFO, Director of Internal Audit
- Implementation of new technologies such as Enterprise Resource Packages (ERP), electronic
commerce, and enterprise systems management (ESM) packages
- Significant business changes present some companies with problems in risk coverage (e.g.,
acquisitions, global expansion, new business segments, consolidations, etc.)

Other possible common characteristics:
- Company with an existing internal audit function
- Large corporation with minimal IT internal audit staff
- Financial institution or hospital with or without an IS Audit function
- Multinational Operations

SUCCESS STORIES
Conglomerate - we provided specialized security and application control evaluations for several new systems
implementations
Pharmaceutical Company - we provided systems implementation reviews, one of which identified significant
project management and control issues and resulted in suspending the project
Multinational Insurance Company - recently outsourced the entire IT audit function
Apparel Manufacturer - we provided IT teaming which resulted in obtaining the IAS outsourcing contract


COMMON OBJECTIONS AND ANSWERS


Independence - Independence is an issue for both internal and external auditors. In our teaming approach,
management and the Director of Internal Audit remain responsible for approving the risk assessment, audit plan, and
internal audit program. We help execute the risk assessment and audit plan. This separation ensures that independence
is preserved.
Training Ground for Leadership - To overcome this objection, do not push for full outsourcing of IAS. Rather,
we should stress two important client benefits of working with Ernst & Young: (1) Teaming opportunities (2)
Knowledge Transfer
You don't know our Company - In some pursuits, the client will be concerned that Ernst & Young does not have a
sufficiently detailed understanding of the business. We have several responses to this objection including:
(1) ASC (2) Process Models (3) Relationship Manager (4) Stable Core Team (5) Co-Develop Expectations
KEY FEATURES / QUALIFICATIONS
People - Our service delivery team includes nearly 2000 dedicated global IT risk professionals in over 135 countries.
Our professionals come from diverse backgrounds and include specialists in most platforms and software
environments. Our learning culture is designed to maintain our leading edge.
Methodology - Our IT risk assessment and delivery process is tailored in size and scope to meet your needs. We
focus on your key business issues and develop an audit plan to provide the most comprehensive risk coverage.
Knowledge - Ernst & Young is recognized by independent organizations for leadership in knowledge management.
Our investments in this area are impressive: The Center for Business Knowledge, Assurance Support Center,
KnowledgeWeb and internal training programs to name a few. This translates into leading-edge practices that provide
competitive advantage to our clients.
Technology & Tools - Our average technology investment per professional is over $25,000 per year. Our
proprietary risk assessment tools (e.g., Checkpoint, PERMIT) are based on industry business process models. We
have a comprehensive security workbench for industry benchmarking, assessment and implementation procedures.
Our software investments include SafeSuite, Cybercop, Axent, SAS, ACL and computer forensics tools. Finally, our
eSolution Centers provide us with lab environments to create innovative solutions (e.g., ERP sandboxes).
CLIENT LIST (Confidential)
Advo Inc.
Owens - Illinois
Bowater
PNC Bank
BP Oil - Europe
Russell Athletic
Fruit of the Loom
Stanley Works
Holiday Inns Worldwide
Time Warner
IKON Office Solutions
US Bancorp
IMC Global
Whirlpool
Maytag
Laidlaw (Canada)
McCormick
Rio Tinto (Australia)
McDonalds
Ciba Specialty Chemical (Switzerland)
McKessonHBOC
Skandia Insurance (Sweden)
PRODUCT CHAMPIONS / WHO TO CONTACT
ISAAS
IAS

Jerry DeVault, Sponsor (216) 861-2214

Sam Johnson, Service Delivery (216) 737-1680

Jamie Ross, Champion (216) 861-2297

Tom Sliwinski, Sales (216) 583-3865

Local IT IAS Champion

Local IAS Leaders


ERNST & YOUNG LLP

2000 Ernst & Young LLP. All Rights Reserved.
Ernst & Young is a registered trademark.

www.ey.com