Leading Practice Examples Of Audit Committee Reporting

Upload by : Casen Newsome
Transcription

Leading Practice Examples of Audit Committee Reporting 2013

Contents
- Key Factors in Determining Content
- Typical Audit Committee Agenda
- Typical Contents of an Audit Committee Report
- Dashboard Samples
- Internal Audit Calendar and Plan
- Audit Scope
- Report Summary
- Issue Follow up Status
- Risk Assessment Process
- Risk Assessment Results
- Benchmarking
- SOX Program Overview and Results
- Audit Organization and Qualification
- Report on Quality
- Report on Coverage

2013 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

Key Factors in Determining Content
- Understanding Board Expectations
  - The Audit Committee Charter
  - The Internal Audit Department Charter
  - Committee members and their backgrounds, focusing on any changes since last meeting
  - Prior Audit Committee Reports and Minutes
  - Any arrangements that have been documented concerning report content expectations
- Board Communication Style
- Frequency of Meetings
- Allotted Agenda Time

Typical Audit Committee Agenda
- Call to order
- Review and approval of minutes from prior meeting
- Audit committee report by internal auditors
- Audit committee report by external auditors
- Other matters (Legal, Hot Line, Compliance, etc.)
- Committee meeting in Executive Session
- Formal presentation of quarterly or annual reports to shareholders by CEO and CFO and approval thereof
- Date and time of next meeting
- Adjournment

Executive Session: Internal Audit should also be prepared to attend the Executive Session, where outside Board members can question internal and external audit without the presence of Senior Management.

Typical Quarterly Content
- Dashboard report on current activities (1111, 2060)
- Changes to annual plan
- Status of the annual audit plan
- Critical findings or emerging trends (2440)
- Internal Audit staffing, impact of resource limitations, and costs vs. budget year to date (2020)
- Department performance metrics / scorecard
- Reporting of any impairments of independence or objectivity (1130)
- Results of special investigations

Quarterly Audit Committee Reports:
- How reports are summarized should follow agreed upon reporting arrangements.
- The committee may not want to review all reports, although they have access to all prepared material.
- The goal is to summarize for the committee what they need to know about routine findings in a logical summary format, and report separately on more important matters such as:
  – Matters that might affect the fairness of financial reporting.
  – Significant delays in management responding to or acting on findings and recommendations.
  – Breaches of the company’s ethics policies.
  – Details of any frauds discovered.

Typical Annual Content
- Report on the year in review to include themes or trends identified (2060)
- Update of the risk assessment and audit plan (2010, 2020)
- Report on the results of the internal quality assurance and improvement program (1320)
- Discuss the results of the external quality assurance review, timing / frequency of the external assessment and reviewer’s background (1312)
- Review and approve updates to the IA department charter (1000, 1010)
- Confirmation of the independence of the internal audit activity (1110)
- Disclosure of nonconformance with the IIA Standards (1322)
- Communicate an overall opinion (if appropriate) (2450)
- Resolution of senior management’s acceptance of risks (if necessary) (2600)

Annual Audit Committee Reports:
With the exception of any additional items, the annual report is typically a summary of the four quarterly reports.
Additional items to cover may include:
- Statement that all work continues to be performed in accordance with IIA standards.
- Details of changes in personnel in the internal audit department.
- The professional development courses that were given or attended during the year.
- When the next quality assurance review of internal audit is scheduled for.

Sample Calendar
Typical Audit Committee includes reports from the following groups:
- Internal Audit
- Legal, Compliance and Regulatory
- External Audit
- Financial Reporting Oversight
- Risk Management
- Committee Structure and Function

Columns: Q1, Q2, Q3, Q4, As Needed

1. Evaluate the Internal and Independent Audit Processes
A. Internal Audit
- Charter, Mission, and Objectives: P
- Appointment and compensation of Chief Audit Executive: P
- Budget, staffing and resources including resource constraints if any: P
- Scope, procedures and timing of audits (i.e., audit plan): P
- Review of audit results and reports: P P P P
- Review internal and external quality assurance procedures: P
- Confirm Internal Audit Independence: P

Dashboard Samples

Dashboard Sample - 1

Dashboard Sample - 2

Key Message Points
- Cash Account Reconciliations have improved, however remediation efforts related to system design deficiencies are still ongoing.
- There is no formal communication between AP and the Merchandising (Buyer) department to develop uniform, beneficial practices for supplier management, and communication with suppliers should be managed to establish mutually agreeable practices.

Summary of Completed Activities (2nd Quarter 20XX)
Summary of Completed Activities (3rd Quarter 20XX)
Completed Activities
Audits scheduled for Q3 20XX
– Payroll
– Retail Stores and Back Office
– Accounts Receivable and Vendor Management
– Accounts Payable
– Continuation of Premium Accounts Reconciliation Special Project
– Vendor Master File Maintenance

Audit Finding Remediation Status

Risk Rating Category   Beginning Balance (as of May 20XX)   New   Closed   Currently Open   Open Past Due
High                   2                                    1     0        3                0
Medium                 10                                   5     2        13               5
Low                    17                                   0     2        15               3
Total Findings         29                                   6     4        31               8

[Chart: Past Due Findings by risk rating (High, Medium, Low)]

Dashboard Sample - 3

Direct Support to Control Environment
Risk & Control Awareness
- Led 3 sessions of SOX orientation for worldwide controllers – team commented that this helped improve.
- Ethics Committee participation - quarterly
- Published quarterly risk trends
- Due diligence support for XYZ acquisition
  – Identified xx control issues impacting.
- CSA training
- Provided SOX orientation to new XYZ acquisition & briefed them on SOX process
- Various - responded to over 40 inquiries & reviews such as review of new Ethics video, xx, xxx, contract review ABC, etc
- Participated in the following new system/process redesign projects
  – ABC (improved xx)
  – XYZ (improved zz)

Cost Recovery
Business Unit

Cost Savings
- Duplicate payments in XYZ audit: 85K
- Vendor compliance issues in ABC audit: 150K
- Total: XX

Future Savings/Process Improvements
- Streamlining of IT access process: XX annually
- Reduction of FTE at XYZ location due to . 70k annually
- Total: XX

Internal Audit Calendar and Plan

Audit Calendar - 1
Columns: Audit, Risk, Type, Jan, Feb, Mar, Apr, May, Jun

Business Process
- 3rd Party Contracts Audit: 3
- Revenue Accounting: 2
- Reimbursement Claims: 1

Information Technology
- Web Portal: 2
- External Pen: 2
- SAP SOD: 1

Consulting/Special Projects
- Supply Chain Optimization
- Application Pre-Imp

Legend: Deferred Reviews; Revised Timeline
Risk Level Legend: high risk, significant risk, moderate risk, low risk

Audit Calendar - 2
20XX IT Audit Plan - Company X
Columns: Audit Plan and Activities; 20XX Q1 (Jan - March), Q2 (April - June), Q3 (July - Sept), Q4 (Oct - Dec)

- Accounts Payable Review
- Accounts Receivable Review
- ITIL - Change Management & Service Desk
- PIMS – Interface Engine
- Audit Committee Reporting
- Quarterly Follow Up
- IT Risk Assessment (Initial)
- Update IT Risk Assessment
- Coordinate with External Auditor

Color Legend: Complete, In Process, Not Started

Audit Calendar - 3
Consistent with prior quarters, our Q3 IA Plan was developed based on risk prioritization in Q2. We will continue using the ‘watch list’ items to identify audits each quarter so we remain focused on the most critical risks facing our organization.

July – September
- Accounts Receivable
- Data Privacy
- Fraud Risk
- Network Security
- Oracle Segregation of Duties
- Real Estate/Construction
- Social Media
- Spend Risk

WATCH LIST
- Anti-corruption (FCPA)
- Citrix Deployment
- Cloud Computing
- Crisis Management
- Data Management
- Disaster Recovery
- Health & Safety
- International IT Controls
- International Operations
- IT Innovation
- Logical Access
- Regulatory
- Revenue Recognition
- Sourcing
- Succession Planning

* items listed alphabetically

Audit Calendar - 4
Columns: Jan – Mar, Apr – Jun, Jul – Sept, Oct – Dec
Rows: Internal Audit; SOX 404

Activities:
- Accounts Payable Review
- Accounts Receivable Review
- Review 4
- Anti-Money Laundering Review
- Review 5
- Review 3
- Risk Assessment
- Finalize 20XX 404 Scope
- Execute Testing
- Validate Self Assessments
- Update Self-Assessment Program
- Schedule Audits
- Validate Self Assessments
- Monitor Deficiency Remediation
- Roll-out Self-Assessment Program
- Monitor Deficiency Remediation
- Update Control Documentation
- Complete Self Assessment
- Complete Self Assessments
- Complete Self-Assessments
- Evaluate Tested Controls
- Remediate Deficiencies
- Draft 20XX 404 Scope
- Evaluate Tested Controls
- Remediate Deficiencies

Legend: Deferred, Not Started, Scoped, In port, Drafted, Complete

Audit Scope

Audit Scope - 1
Areas: Vendor File Maintenance; A/P; Accounting
Steps for each area: Understand Process, Assess Control Design, Assess Control Gaps, Test

In Scope
- Expense Payables, Stock and Relay
- Review controls over stop payments & reissues
- Review Vendor master file creation for Expense Payables
- Review for completeness,
- Review of access to systems and check stock
- Review daily balancing performed by A/P
- Review integrity of interface from A/P sub ledger to G/L
- Review PO and invoice matching process (pre & post paid)
- Review Vendor maintenance within A/P vendor master file (Stock and Relay)
- Review monthly reconciliation of A/P Sub ledger to G/L
- Review disbursement approval process

Out of Scope
- Petty cash at RDCs
- Direct Ship
- Wire transfers
- T&E from xxx
- MSA on-line (rebates, deductions)
- Review of Vendor master files created by Merchandising

Audit Scope - 2
Company operates XX year-round and XX seasonal international stations throughout Canada, Europe, Latin America, Asia Pacific and Africa. In general, international stations are small.

Scope
The scope of this audit included the following key processes and corresponding control objectives:

Cash and Deposits
- Verification and tracking of cash deposits
- Tracking assignment of cash bags
- Security and timeliness surrounding the stations’ daily bank deposits
- Daily and monthly reconciliation of all cash on-hand

Passenger Compensation
- Authorized/appropriate issuance of passenger compensation
- Monitoring passenger compensation issuance

Gate Operations
- Accuracy and security of paper tickets (Ticket Lift Report)
- Usage of 24-Hour Emergency Envelopes

Accountable Documents
- Appropriate access to bulk and working stock
- Tracking bulk and working stock
- Recording usage of ticket stock
- Monitoring ticket stock usage

Payroll
- Appropriate approval of overtime
- Appropriate segregation of duties

Sales Reporting
- Complete and timely sales reporting (daily)
- Appropriate close-out of agent and station sales reports
- Verification of sales receipts
- Monitoring of discrepancies

Station Administration
- Appropriate segregation of duties
- Documentation and security of station keys
- Appropriate control and monitoring of system access

Report Summary

Audit Report Summary - 1
We assessed the existence and effectiveness of controls in relation to
Columns: control objective; Detailed Issues & Action Plans Reference; Rating

Completeness & Accuracy – Authority/Limit
- Suppliers are properly authorized prior to procuring goods/services. Detailed Issue and Action Plan #5
- Accounts Payable disbursements are properly authorized. Detailed Issue and Action Plan #1, #2, #5, #7
- Access to applicable AP systems is properly segregated. Detailed Issue and Action Plan #2, #9, #12

Timeliness – Effectiveness/Efficiency
- Disbursements are made to maximize cash flow. Detailed Issue and Action Plan #1, #2
- Costs are reduced as much as possible. Detailed Issue and Action Plan #2, #7, #8, #10
- Processing time is minimized. Detailed Issue and Action Plan #2, #3, #4, #5, #6
- Performance measures used to control the process are reliable. NA

Rating legend: Strong Controls, Moderate Controls, Limited Controls

Audit Report Summary - 2

Background
- International stations located in Europe, Latin America
- International operations processes are divided among several departments including:
- Relative to domestic operations, the international business offices are small, with a staff of
- Due to the cultural differences, country-specific regulations, and distance between international locations and corporate headquarters, the inherent risk level is increased.

Audit Summary
This review focused on:
- Understanding policies and procedures in-place related to in-scope processes;
- Evaluating the control environment around: human resources, payroll, accounts payable, month-end procedures, expense reimbursement, and contract validation;
- Evaluating the effectiveness of procedures and internal controls related to in-scope processes. Control and process improvements were identified

Observations Summary
Controls Assessment
Control Improvement Opportunities:
- Protocols around payroll change documentation
- The process for reviewing employee
- Current, signed contracts are not

Controls Rating: Satisfactory, Marginal, Unsatisfactory

Audit Report Summary - 3
Report Name: Information Security Audit --- issued 1/1/20xx
Overall Rating: High

Background and Scope:
Many companies store and process a large volume of personal and sensitive information on behalf
The scope included:
- Network Security: Conducted a vulnerability assessment to determine
- User Level Security Practices: Evaluated several business critical security processes
- Governance: Reviewed the roles, responsibilities and supporting policies and procedures

Summary Findings: The scorecard below summarizes ratings and findings by scope area.

Scope Area                    Rating
Network Security [internal]   High
Network Security [external]   Medium

Issues Summary
- Multiple network security controls are not operating effectively
- Employees provided valid email user names and passwords during electronic and telephonic social engineering exercises.

Management Response (at report issuance): Management agrees with the items outlined in the report and will take corrective action to address identified issues.

Audit Report Summary -
Column headings: rateFunctions; Service Centers; Information Technology

(P)
- Audit 1 [1 high item]
- Audit 2 [0 high items]
- Audit 3 [2 high items]
- Audit 4 [0 high items]
- Audit 5 [0 high items]
- Audit 6 [0 high items]
- Audit 7 [0 high items]

(DC)
- Audit 1 [0 high items]
- Audit 2 [0 high items]
- Audit 3 [0 high items]
- Audit 4 [0 high items]
- Audit 5 [0 high items]

(CF)
- Audit 1 [3 high items]
- Audit 2 [4 high items]
- Audit 3 [1 high item]
- Audit 4 [2 high items]
- Audit 5 [0 high items]
- Audit 6 [2 high items]

(SC)
- Audit 1 [2 high items]
- Audit 2 [1 high item]
- Audit 3 [1 high item]
- Audit 4 [0 high items]

(IT)
- Audit 1 [1 high item]
- Audit 2 [2 high items]
- Audit 3 [3 high item]
- Audit 4 [2 high items]
- Audit 5 [1 high item]
- Audit 6 [2 high items]
- Audit 7 [5 high items]

RATING LEGEND: Low Risk; Medium Risk; High Risk (immediate action required)

Continuous Auditing
At the start of 20XX, IA developed and implemented routines (i.e., scripts) in ACL to automate expense reporting, journal entry, and user administration analytics. A core team of three resources is responsible for managing our continuous auditing program. Quarterly results are provided below.

                      Frequency   % of Population Tested   Issues Identified this Quarter   Significant Issues
Expense Reporting     Monthly     100%                     40                               2
Journal Entries       Quarterly   100%                     20                               0
User Access Removal   Monthly     100%                     0                                0

Significant Issues Summary:
- Two expense reporting issues related to FCPA

Issue Follow Up Status

Follow Up Status - 1
Internal Audit performs follow-up reviews for each report issued to ensure that all control improvement action items have been completed.

Completed Reviews
Columns: Rating, Report Date, Follow up Status
- Sales Review
- Human Resources – Leave of Absence Audit
- Vacation Systems Development Review
- Site Audits
Values shown: N/R, Satisfactory, N/R; Date Complete, Date Complete, Date Complete, Date Complete

Follow up in Progress
Columns: Rating, Report Date, Follow up Comments (ETC – Estimated Time to Completion)
- Customer Service Training Audit
- Corporate Payroll Process Audit
- Website Review
- Human Resources Review
- Inventory Management

Follow up Comments
- Open item related to iLearning (online training) interface upgrade. ETC Date
- Open item related to edit report creation, IT request pending. ETC Date
- Delays due to resource allocation to ReShop/ChoiceSeats. ETC Date
- Comprehensive process changes due to in-progress review. ETC Date
- Open action plans are on-track for completion by Date

Rating legend: Satisfactory, Marginal, Unsatisfactory, N/R Not Rated

Follow Up Status - 2
Columns: Process, Control Ref., Controls, Status of Remed. (Design, Remediation), Testing Status, Comments, Owner

Payroll/Benefits & Insurance
- PR33: Access to process payroll runs is restricted. Complete, Complete
- PR34 A
