Protiviti - Report Writing and Communicating To The Audit Committee - 20181204 PDF
Protiviti - Report Writing and Communicating To The Audit Committee - 20181204 PDF
Protiviti - Report Writing and Communicating To The Audit Committee - 20181204 PDF
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
1 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
PART 1 – INTERNAL AUDIT
REPORTS
INTRODUCTION TO INTERNAL AUDIT REPORTING
Internal Audit (IA) reporting may be the biggest challenge in the audit process.
An audit report presents results of an examination or review within the organization and is
considered to be the core deliverable of audit services.
Each organization has unique reporting practices and expectations that affect the format,
frequency and depth of their communications.
Key Considerations:
• The audit report is often the main, routine vehicle through which
senior management understands the value that internal audit
delivers.
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
3 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
AUDIT REPORTING ISSUES
Some typical reporting issues are:
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
4 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
AUDIT REPORTING CHALLENGES
Stakeholders dissatisfaction
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
5 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
APPLICABLE IIA STANDARDS
Reporting to Senior Management and the Board
The chief audit executive must report periodically to senior management and the board on the internal
2060 audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also
include significant risk exposures and control issues, including fraud risks, governance issues, and other
matters needed or requested by senior management and the board.
Quality of Communications
2420
Communications must be accurate, objective, clear, concise, constructive, complete, and timely.
Disseminating Results
2440
The chief audit executive must communicate results to the appropriate parties.
Overall Opinions
2450
When an overall opinion is issued, it must take into account the expectations of senior management, the
board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful
information.
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
6 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
TYPICAL ELEMENTS IN AN INTERNAL AUDIT REPORT
1 Title Page
2 Table of Contents
Executive Summary
• Report rating
3
• Audit issues
• Status of management remediation planning
5 Business Context
Audit Issues
• Issue owner
• Issue severity
• Issue & root cause
6
• Risk
• Supporting observations
• Recommendation
• Management agreement and Due Date
7 Appendices
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
7 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
DEVELOPING CONTENT OF AN AUDIT REPORT
Begin consideration for the audit report early on in the audit process.
Consider things like data elements, risk coverage, and the importance
and craft the messages during the planning phase
Review the final list of findings with management prior to the closing
meeting
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
8 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
FINAL REPORT VALIDATION
The process for Final Report Validation is as follows:
• The draft should go through 1-2 levels of internal review before it is sent to
the auditees.
• Allow sufficient time for the draft report to be reviewed by the auditees
prior to the closing meeting. This process is
Obtain validation from managers critical. This is
• Comments about observations and recommendations
usually when
• Specify for each recommendation’s deadline, person responsible for delays occur.
setting up and delivering action plan.
Final report
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
9 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
EXECUTIVE SUMMARY
EXECUTIVE SUMMARY
A strong executive summary will assist the reader by answering the following
questions.
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
11 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
EXECUTIVE SUMMARY – SAMPLE 1
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
12 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
EXECUTIVE SUMMARY – SAMPLE 1 (CONT.)
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
13 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
EXECUTIVE SUMMARY SAMPLE – 2
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
14 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
EXECUTIVE SUMMARY – EXAMPLE 3
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
15 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
FINDINGS AND OBSERVATIONS
See
KEY COMPONENTS OF A DETAILED FINDING Practice
Advisory
2320-2
• Issue Owner: Identify the process owner • Supporting Observations: Key relevant
overseeing the area at risk that is responsible details to understand the issue and
for addressing the issue. demonstrate the issue is based on observed
facts (i.e. breach in corporate standards, audit
• Issue Severity: Measure of issue’s impact to evidence, compensating control to support the
the business. issue severity).
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
17 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
QUALITY FINDINGS AND MANAGEMENT ACTIONS
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
18 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
FINDINGS RANKING
Individual audit finding rankings require the use of significant professional judgement. It is
important to have a clearly defined approach to audit ratings understood by the auditor and
auditees.
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
19 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
FINDINGS SAMPLE – 1
One host (xyzcompany.com) is running an insecure and non-encrypted version of the Post Office Protocol (POP3) service.
Data and connections to the service are transmitted in clear text.
Risk
Data transmitted without encryption could be intercepted by a malicious (unauthorized) user and used to try accessing other
applications or systems.
Recommendation
Short Term: Determine if a valid business purpose exists for the POP3 service. If the service is not required, disable it. If it is
required, change it to POP3S for encrypted SSL communication.
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
20 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
FINDINGS SAMPLE – 2
Relates to Best
Action Target
Issue Risk (s) Practice Implementer
Plan Date
Recommendation
Legal exposure may
Per policy, contracts exist due to
should be reviewed by inadequate/improper
Legal and approved by terms and conditions in
Executive Management PO or contract.
prior to execution. Unable Procurement
to obtain requested Contract changes may will work with
contracts as they were not not be documented, IT to
formally executed as reviewed, approved and determine the
1 contracts. Reviewed the entered in the system feasibility of R10
supplier selection detail (per policy and DOA). implementing
from the RFQs related to a system-
strapping and lubricants in Contracts may no based PO
place of a contract, but longer be competitive checklist that
evidence of executive (price, performance, CY
would ensure John Doe
management approval etc.) or in alignment Q120XX
appropriate
was not maintained for the with Corporate approvals are
selection decision. strategies, goals, and obtained and
objectives. all PO
In the place of a formal requirements
Legal exposure may are included
contract with a supplier,
exist due to on POs prior
POs should contain
inadequate/improper to sending to
payment terms and
terms and conditions in suppliers.
applicable terms and
2 PO or contract. R14
conditions. Out of 20 POs
sampled, 10 did not
Contract may not be
contain payment terms. 5
current or valid
of the 10 POs also did not
(expiration date)
contain terms of delivery.
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
21 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
FINDINGS SAMPLE – 3
Observation #1 – Manual Process Steps Outside of SAP GRC
Observation:
Access management processes contain multiple manual activities that are managed outside of the scope of the SAP GRC
application. Key observations include:
• SAP roles are manually mapped to XYZ Company positions and job roles – this mapping is stored in an offline database
that has not been well-maintained since initial SAP go-live. Over time, the alignment of SAP roles to XYZ Company
positions and job roles has become disconnected and resulted in manual procedures to determine appropriate access
for end users. Significant time and effort has been put towards trying to determine a standardized alignment of roles
and responsibilities across the enterprise to enable appropriate training and SAP access, but variability of what people
actually do has created significant challenges to achieving a model that is sustainable.
• End users are required to complete SAP training modules before they are granted access to SAP production systems.
This requirement significantly impacts users’ ability to get timely access to SAP, as multiple emails and follow ups are
typically required to inform all appropriate personnel of training completion so access requests can be manually fulfilled.
• There currently is no process in place to update employees’ access when they change positions within the company.
After discussions with IT and the business, it was noted the user’s manager is currently responsible to request the
appropriate role removals, but this does not happen on a regular basis.
Root Cause:
The process design requires multiple manual steps that results in the delay of SAP access moves, adds, and changes.
Severity:
Critical
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
22 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
THE RECOMMENDATION
RECOMMENDATIONS
A well-developed recommendation demonstrates Internal Audit’s knowledge of the business
context and adds value to the organization.
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
24 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
RECOMMENDATIONS SAMPLE – 1
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
25 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
RECOMMENDATIONS SAMPLE – 2
Benefits of Challenges For Time Cost People
Recommendation Related Observations
Implementation Implementation Impact Impact Impact
C. Adopt standard 1. No current project plan • Increased • Lack of Low Low Moderate
project management exists for the visibility for experience with $ ▲▲
techniques into the implementation. A high- management into project
ABC Co. project, level plan was developed the status of the management
including the initially, but was not implementation. processes in the
development of maintained throughout the current IT
project plans, project. • Increased focus organization.
status/issue 2. There is not a on a successful • Existing project
reporting, and comprehensive list of issues implementation. resources may
resource scheduling. and expected resolution resist increased
dates currently maintained. • Increased ability formalization and
• This should primarily Additionally, there is not a to respond to accountability.
be the responsibility priority assigned to current issues and
of the project issues. franchise
manager that is 3. There is no formal detailed requests.
identified in rollout plan to implement
Recommendation B. Application Z at the • Increased
franchises. Sequencing the accountability for
• Regularly published order of implementations at resources
status reports should the franchise locations has through the
be covered with not been formally developed documentation of
Executive and past implementations formalized tasks.
Management to help were decided on an ad hoc
ensure resources are basis.
provided in a timely 4. Little effort or focus has
manner. been placed on the
consideration of
dependencies for the project.
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
26 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
RECOMMENDATIONS SAMPLE – 3
High
R7 R17
R2
R29 R33
R40 R20
R15
R13
R16 R6 R11
R12
R1
R18
R4 Legend
R24
R25
R26 R34
Wave 1
Medium
Benefit
R8 R3 R9 Wave 2
R27 R14
R21
R37 R43 R5 Wave 3
R28
R39
R# Recommendation
R41
R10
R19 R22
R30 R42
R38
R32
R23 R36 R31
Low
R35
Ease of Implementation
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
27 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
OVERALL AUDIT RATING
OVERALL AUDIT RATINGS
Audit ratings are a useful tool for management to gauge the performance of individual auditable
units or areas against expectations.
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
29 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
OVERALL AUDIT RATING SAMPLE – 1
Rating Definition
Internal control systems are sufficiently comprehensive and appropriate to the size and complexity of the
Strong organization. Risks are effectively managed. Monetary risk associated with potential control failures is not
material. A few exceptions to established policies and procedures were identified.
While there may be some minor risk management weaknesses, these issues have been recognized and are
Satisfactory being addressed. Risks are effectively managed. Internal control systems may display modest weaknesses
or deficiencies, but they are correctable in the normal course of business.
Risk management practices are lacking in important ways and are a cause for more than supervisory
Needs Improvement attention. Risks may not be effectively managed. Weaknesses may include control exceptions or failures
that could have adverse affects on the organization if corrective actions are not taken.
Marginal risk management practices generally fail to identify, monitor and control significant risk exposures
Needs Significant in many material respects. The organization may have serious identified weaknesses that require
Improvement substantial improvement in internal controls or procedures. Risks are not effectively managed. Unless
properly addressed, these conditions may result in a significant impact to the organization.
Due to the absence of effective risk management practices, management is unable to identify, monitor or
control significant risk exposure. Internal control systems may be sufficiently weak to jeopardize the
Unsatisfactory
continued viability of the organization. Risks are not effectively managed. Deficiencies in risk management
procedures and internal controls require immediate and close supervisory attention.
30
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
OVERALL AUDIT RATING SAMPLE – 2
Rating Scale Description
• Overall risk program is reliable and requires negligible improvements.
1 • The risk management procedures are formalized and documented and clearly communicated and understood throughout the
business. Risk management system is robust and possesses the capacity and ability to consistently identify, document and
Effective assess existing and emerging risks.
• Risk controls effectively manage, mitigate and transfer existing and foreseeable risks and do not expose the business to
2 undue risk. Risk program does not expose the business to unwarranted financial loss or regulatory non-compliance. Audit
recommendations are generally housekeeping in nature.
• Overall risk program is adequate for the current level of risk within the business, but requires ongoing monitoring.
3 • The risk management procedures are formalized and documented, but not clearly communicated. Risk procedures need to be
clearly communicated and business needs to obtain assurance that procedures are understood. Although the risk
management system possesses the capacity and ability to identify, document and assess existing risk, specific improvements
Monitor
are needed to ensure accurate and timely incorporation of emerging risks.
4 • Risk controls adequately manage, mitigate and transfer existing risks but improvements are required as emerging risks and
changing conditions could lead to a weakened risk management capacity. Risk program does not expose the business to
immediate financial loss or regulatory noncompliance. The director must make improvements within 60 days.
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
32 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
PART 2 – COMMUNICATING TO
THE AUDIT COMMITTEE
KEY FACTORS IN DETERMINING CONTENT
Frequency of Meetings
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
34 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
SAMPLE CALENDAR
Q1 Q2 Q3 Q4 As Needed
A. Internal Audit
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
35 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
DASHBOARD SAMPLES
DASHBOARD SAMPLE – 1
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
37 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
DASHBOARD SAMPLE – 2
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
38 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
DASHBOARD SAMPLE – 3
Key Message Points
• Cash Account Reconciliations have improved, however remediation efforts related to system design deficiencies are still ongoing.
• There is no formal communication between AP and the Merchandising (Buyer) department to develop uniform, beneficial practices for
supplier management, and communication with suppliers should be managed to establish mutually agreeable practices.
Summary of Completed Activities (2nd Quarter 20XX) Summary of Completed Activities (3rd Quarter 20XX)
Risk Rating Beginning Balance Currently Open Past Past Due Findings
New Closed 5
Category (as of May 20XX) Open Due
5
4.5
High 2 1 0 3 0 4
3.5 3
3
Medium 10 5 2 13 5 2.5
2
1.5
Low 17 0 2 15 3 1
0.5 0
0
Total
29 6 4 31 8 High Medium Low
Findings
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
39 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
DASHBOARD SAMPLE – 4
Risk & Control Awareness Direct Support to Control Environment
• Led 3 sessions of SOX orientation for worldwide
controllers – team commented that this helped improve. • Ethics Committee participation - quarterly
• Published quarterly risk trends • Due diligence support for XYZ acquisition
• Provided SOX orientation to new XYZ acquisition & • Participated in the following new system/process redesign
briefed them on SOX process projects
• Various - responded to over 40 inquiries & reviews such – ABC (improved xx)
as review of new Ethics video, xx, xxx, contract review – XYZ (improved zz)
ABC, etc
Total $ XX Total $ XX
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
40 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
RISK ASSESSMENT RESULTS
RISK MAP – 1
High
9
Impact
8 7 5
• Financial loss
7 3
• Strategic objectives achievement
• Operational impact 6 1
• Reputation
Impact
6 8
5
Likelihood 4
3 2
• Probability of the risk event occurring
4
2
Low
Velocity 1
1 2 3 4 5 6 7 8 9
• Speed with which the impact of the risk event is Low Likelihood
realized Low High
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
42 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
RISK MAP – 2
The Risk Map depicts the relative significance and likelihood of business risks. Risk Map includes
participants’ consideration of perceived internal controls and Protiviti’s professional judgment and
experience.
High
HIGH
Low
14
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
43 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
RISK MAP – 3
The updated risk map represents the prioritization of IT Processes based on discussions with the
individuals noted previously. As a result of our discussions, the placement of various risks has
changed as indicated by the arrows and a new risk was added which has been circled
IT Disaster Recovery
Data Privacy
High
High
Low
Low
Likelihood of Risk
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
44 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
INTERNAL AUDIT CALENDAR AND
PLAN
AUDIT CALENDAR – 1
Audit Risk Type Jan Feb Mar Apr May Jun
Business Process
3rd Party Contracts Audit 3
Revenue Accounting 2
Reimbursement Claims 1
Information Technology
Web Portal 2
External Pen 2
SAP SOD 1
Consulting/Special Projects
Application Pre-Imp
Deferred Reviews high risk significant risk moderate risk low risk
Revised Timeline
Risk Level Legend:
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
46 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
AUDIT CALENDAR – 2
Activities Q1 Q2 Q3 Q4
Quarterly Follow Up
Color Legend
Complete In Process Not Started
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
47 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
AUDIT CALENDAR – 4
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
48 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
ACTIVITY SUMMARY
AUDIT ACTIVITY SUMMARY – 1
We assessed the existence and effectiveness of controls in relation to …
Suppliers are properly authorized prior to procuring goods/services. Detailed Issue and Action Plan #5
Disbursements are made to maximize cash flow. Detailed Issue and Action Plan #1, #2
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
50 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
AUDIT ACTIVITY SUMMARY – 2
Background
Audit Summary
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
51 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
AUDIT ACTIVITY SUMMARY – 3
Many companies store and process a large volume of personal and sensitive information on behalf …
The scope included:
• Network Security: Conducted a vulnerability assessment to determine …
• User Level Security Practices: Evaluated several business critical security processes …
• Governance: Reviewed the roles, responsibilities and supporting policies and procedures …
Summary Findings: The scorecard below summarizes ratings and findings by scope area.
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
52 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
AUDIT ACTIVITY SUMMARY – 4
(P) Audit 2 [0 high items] (DC) Audit 2 [0 high items] (CF) Audit 2 [4 high items] (SC) Audit 2 [1 high item] (IT) Audit 2 [2 high items]
(P) Audit 3 [2 high items] (DC) Audit 3 [0 high items] (CF) Audit 3 [1 high item] (SC) Audit 3 [1 high item] (IT) Audit 3 [3 high item]
Audits (P) Audit 4 [0 high items] (DC) Audit 4 [0 high items] (CF) Audit 4 [2 high items] (SC) Audit 4 [0 high items] (IT) Audit 4 [2 high items]
(P) Audit 5 [0 high items] (DC) Audit 5 [0 high items] (CF) Audit 5 [0 high items] (IT) Audit 5 [1 high item]
(P) Audit 6 [0 high items] (CF) Audit 6 [2 high items] (IT) Audit 6 [2 high items]
RATING LEGEND
Low Risk
Medium Risk
High Risk (immediate action required)
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
53 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
CONTINUOUS AUDITING
At the start of 20XX, IA developed and implemented routines (i.e., scripts) in ACL to
automate expense reporting, journal entry, and user administration analytics. A core team
of three resources is responsible for managing our continuous auditing program. Quarterly
results are provided below.
% of Issues
Significant
Frequency Population Identified this
Issues
Tested Quarter
Expense Reporting Monthly 100% 40 2
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
54 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
ISSUE FOLLOW UP STATUS
FOLLOW UP STATUS – 1
Internal Audit performs follow-up reviews for each report issued to ensure that all control
improvement action items have been completed.
Completed Reviews Rating Report Date Follow up Status
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
56 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
FOLLOW UP STATUS – 2
Design Remediation
Access to be reviewed
PR33 Access to process payroll runs is restricted … Complete Complete and necessary
remediation to be
Access to generate the ledger distribution, which
Payroll/ PR34 Complete Complete identified during SOD
automatically creates … Analysis. SOD Analysis
Benefits Payroll
pending validation by
& Mgr.
Protiviti.
Insurance
Access to add or update employees is restricted
PR35 Complete Complete See PR21 NEW
to the HR Representatives.
MONITORING CONTROL
for PR33
Operational Remediation
Sr.
Functional segregation of duties within key
Entity Manager
EL41 processes are reviewed annually. Where Delayed Delayed SOD Analysis pending
Level and
conflicts exist, …
Protiviti
Discussed with Inventory
Inventory Control Associates verify the Inventory
Inventory IN15 Complete Complete Management – Control
Adjustment Form is approved by a … remediation underway. Manager
Accounts Payable verifies non-merchandise
Assistant
Expend. AP03 expenditures and employee expense At Risk At Risk Testing in progress
reimbursements … Controller
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
57 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
FOLLOW UP STATUS – 3
Overall
Rating
Total
28 19 31 23 48
Issues
Open
4 7 12 8 21
Issues
PAST
0 1 6 0 9
DUE
Owner Name, Owner Name, Vice Owner Name, Owner Name, Owner Name, 2nd
Owner
Vice President President Senior Director Senior Director Vice President
RATING LEGEND
Low Risk
Medium Risk
High Risk (immediate action required)
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
58 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
SOX PROGRAM OVERVIEW AND
RESULTS
SOX APPROACH AND TIMELINE
External
20XX:
Form 10-Q Form 10-Q Audit Form 10-Q
Form 10K
due due Testing filled
&404 Cert.
begins
Q2 Q3 Q4 Q1 20xx
APR MAY JUN JUL AUG SEP OCT NOV DEC January
Implement 302
Certification
Process
404
Planning
&
Scoping 1
Evaluate
Entity-level
Controls
Document Key
Processesss 2
Control Design
Assessment 3
Test Key Controls
Remediate Remediate Control
Design Gaps Deficiencies 4
Test Remediated
Controls
Roll-forward Testing and Test
Annual Controls 5
Evaluate
Control 6
Deficiency
Key External
Auditor
Checkpoints
Status Reporting
Ongoing Communication/Project Management
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
60 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
INTERNAL CONTROL SUMMARY – 1
Internal Control over Financial Reporting
IT General Computer Controls
Current Events/Trends
• Interim testing is complete and preliminary results indicate that processes are well controlled and operating effectively.
2 7
91 48
Not Tested
142 Effective 69
Gaps
“Not Tested” includes controls that had no sample to test at Interim and controls that are only scheduled for testing during
Update/Year End testing. The following control cycles will primarily be tested during Update/Year End testing:
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
61 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
INTERNAL CONTROL SUMMARY – 2
Remediation
Internal Controls Information Rating Actions to Complete
Status
Not
Board Level Entity Level Controls Low N/A
Applicable
Business Unit #2 Management Group Subsidiary books were reopened to book approximately $X in
Medium Complete
(Financial Reporting, Treasury & Process Level) adjustments
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
62 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
Andrea Dorsey
Associate Director
[email protected]
Chris Payne
Managing Director
[email protected]
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
63 does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed
or registered as a public accounting firm and does not issue opinions on financial statements or
offer attestation services. All registered trademarks are the property of their respective owners.