2011 Internal Audit Plan Considerations

Has the internal audit function considered all high-risk areas in its risk assessment?
Is the risk universe complete?
Is the audit plan balanced?
Are there emerging areas that the organization has overlooked?
The answers to the above questions probably won't be readily apparent without a reliable
process in place to evaluate progress. This white paper presents 10 key areas that should
assist organizations in their risk assessments and internal audit planning.
These areas are:
1. Compliance with The Institute of Internal Auditors (IIA) International Standards for
the Professional Practice of Internal Auditing (Standards)
The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) is
essential in meeting the responsibilities of internal audit functions. Two of the Standards that
describe assessment requirements are:
Standard 1311, Internal Assessments
Internal assessments must include:
Ongoing monitoring of the performance of the internal audit activity; and
Periodic reviews performed through self-assessment or by other persons within the
organization with sufficient knowledge of internal audit practices.
Standard 1312, External Assessments
External assessments must be conducted at least once every five years by a qualified,
independent reviewer or review team from outside the organization.
Complying with the Standards helps to ensure that quality is built into the internal audit process
and validates the process in place. Toward this end, internal audit needs to communicate the
requirements of these Standards with the audit committee.


Protiviti | 2
2. Technology
Is the organization adequately covering all of its technology risks? It is important to review
mission-critical applications (e.g., front-end transaction capture, business intelligence and
customer interfaces), as well as applications that affect financial reporting (in scope for
Sarbanes-Oxley compliance). Key areas to consider are:
a. Governance
The organization should assess whether its information technology governance sustains
and supports its strategies and objectives (specified by IIA Standard 2110).
b. Change Control
This includes development, user access testing and access to the production environment.
c. Security and Privacy
Among the covered security and privacy areas are external penetration reviews, networks,
applications, Payment Card Industry Data Security Standard (PCI DSS), data leakage
identification and prevention.
d. Backup and Retention
Does the organization know the location of its critical information? In addition to core
systems, does the organization know where else critical and/or sensitive customer, pricing,
sales and other data are housed? Has anyone made changes to the IT infrastructure or
business applications? If so, it may be time to determine whether critical data is properly
stored and backed up, and if retention mechanisms comprehensively address the ever-
changing business needs and IT environment.
e. Spreadsheet Controls
Are spreadsheets used extensively in any of the key processes (e.g., financial or
management reports, footnotes, bonus calculations, fixed assets, stock options)? Has
internal audit noticed any errors related to spreadsheets (e.g., financial restatements or
accounting adjustments)? In such cases, performing a detailed analysis of spreadsheets for
logical and/or formula errors is a prudent move.
f. E-Discovery and Records Retention
Does the company have a comprehensive records retention program? Is a litigation
readiness and effectiveness program in place? Economic and market constraints increase
an organization's exposure to litigation and investigations. By proactively assessing the
organization's level of readiness and identifying gaps and areas for improvement, internal
audit can potentially save millions of dollars for the organization and help reassure
management and the board that exposure to these costly risks has been greatly reduced. A
single legal discovery failure can undermine any current cost-saving measures that the
company has implemented.
g. Risk Assessments
Does the organization adequately consider technology risk in its annual and project risk
assessments? Are there critical technology risks that the organization is not addressing?
Having a sufficient understanding of the IT environment and the related risks can help
ensure that the internal audit plans are complete.
3. Fraud Risk Assessment
Is the organization addressing fraud and hotline calls adequately and in a timely manner? Has
internal audit performed a fraud risk assessment and is the process sufficient? As part of good
governance and a strong control environment, a process should be in place to identify fraud
risk, define controls and promptly respond to reported fraud (addresses IIA Standard 2120).
4. Disbursements Analysis and Strategic Sourcing Opportunities Assessment
Is the organization analyzing disbursements data to identify unusual trends and items that
warrant follow-up? Duplicate payments, suspicious spending patterns, unusual vendors and
missed discount opportunities frequently can be identified through data analysis and may result
in monies that can be recovered.
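The duplicate-payment screening described above, as an added worked example (not code from the white paper or from Protiviti): it applies two common tests to a constructed set of disbursement records, an exact-duplicate test (same vendor, same invoice reference, same amount after normalizing case, punctuation and leading zeros) and a window test (same vendor and amount paid within a configurable number of days under different invoice references), and totals the amount that could be recovered if the exact duplicates are confirmed. The record layout, the normalization rules and the 30-day window are assumptions chosen for the illustration.

```python
"""Duplicate-payment screening over disbursement records (added example)."""
from dataclasses import dataclass
from datetime import date
from itertools import combinations
import re


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    invoice: str
    amount: float
    paid_on: date


def normalize_vendor(name: str) -> str:
    # Case, punctuation and spacing differences are a common reason the same
    # vendor appears twice in a vendor master file.
    return re.sub(r"[^a-z0-9]", "", name.lower())


def normalize_invoice(invoice: str) -> str:
    # Treat "INV-001", "inv 001" and "INV001" as the same reference; leading
    # zeros are dropped so "0001" and "1" also match.
    cleaned = re.sub(r"[^a-z0-9]", "", invoice.lower())
    return cleaned.lstrip("0") or "0"


def find_duplicate_candidates(payments, window_days=30):
    """Return (earlier_id, later_id, amount, reason) tuples for pairs that
    warrant follow-up. Two rules are applied:
      1. "exact": same vendor, same invoice reference, same amount;
      2. "window": same vendor and amount paid within `window_days` of each
         other under different invoice references (possible re-keyed invoice).
    """
    flagged = []
    ordered = sorted(payments, key=lambda p: p.paid_on)
    for a, b in combinations(ordered, 2):
        same_vendor = normalize_vendor(a.vendor) == normalize_vendor(b.vendor)
        same_amount = abs(a.amount - b.amount) < 0.005
        if not (same_vendor and same_amount):
            continue
        if normalize_invoice(a.invoice) == normalize_invoice(b.invoice):
            flagged.append((a.payment_id, b.payment_id, b.amount, "exact"))
        elif (b.paid_on - a.paid_on).days <= window_days:
            flagged.append((a.payment_id, b.payment_id, b.amount, "window"))
    return flagged


def potential_recovery(flags):
    """Sum of the later payment in each exact-duplicate pair: the amount that
    could be recovered if the duplicates are confirmed with the vendor."""
    return round(sum(amt for _, _, amt, reason in flags if reason == "exact"), 2)


# Constructed sample disbursements for the illustration (not real data).
SAMPLE_PAYMENTS = [
    Payment("P1", "Acme Supplies", "INV-001", 1250.00, date(2010, 3, 1)),
    Payment("P2", "A.C.M.E. Supplies", "inv 001", 1250.00, date(2010, 3, 2)),
    Payment("P4", "Globex Corp", "7781", 980.50, date(2010, 3, 5)),
    Payment("P6", "Initech", "55", 400.00, date(2010, 3, 7)),
    Payment("P3", "Acme Supplies", "INV-002", 1250.00, date(2010, 3, 10)),
    Payment("P5", "Globex Corp", "7781", 980.50, date(2010, 5, 20)),
]


if __name__ == "__main__":
    flags = find_duplicate_candidates(SAMPLE_PAYMENTS)
    for earlier, later, amount, reason in flags:
        print(f"{earlier} / {later}: {amount:.2f} ({reason})")
    print("potential recovery:", potential_recovery(flags))
```

On the sample data the exact rule pairs P1 with P2 and P4 with P5, and the window rule pairs P3 with both P1 and P2; window hits are follow-up items rather than confirmed duplicates, so only the exact pairs are counted toward potential recovery. In practice the vendor and invoice normalization is where most of the tuning happens, since false negatives come from references keyed inconsistently across business units.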
5. Enterprise Risk Management (ERM)
Is internal audit receiving questions from management and the board regarding the ERM
process? There is a requirement for increased disclosure regarding the board's role in risk
oversight. The process can be difficult to define and begin. Some of the process steps include
setting objectives, identifying a sponsor, establishing risk definitions, ranking risks, and
assessing related controls and risk mitigation techniques.
6. Enterprise Resource Planning (ERP) Effectiveness
Is the company considering an ERP system implementation, upgrade or enhancement? Is the
company realizing the anticipated value from its ERP system? Many organizations are using
software vendors to provide integrated, automated and real-time solutions that enable
executives to better manage their business. Outsourcing and co-sourcing are viable options for
companies needing to maximize their significant software investments through a variety of
comprehensive enterprise application services and solutions.
7. Business Continuity Management (BCM)
Does the BCM program address the core components (e.g., crisis management, business
resumptions and IT disaster recovery) necessary for recovery from a significant business
disruption? Is there defined ownership of the organization's BCM program? Are BCM plans
exercised on a regular and frequent basis? A well-designed BCM program will help enable a
company to better protect its existing assets, as well as ensure successful recovery of critical
operations in the event of a disruption to business and technology operations.
8. Sarbanes-Oxley Optimization
Is internal audit over-auditing and testing the same controls that were identified when the
organization was first implementing its Sarbanes-Oxley compliance program? If so, the
organization may want to re-evaluate which Sarbanes-Oxley risks and controls are reviewed,
and consider a control-owner self-assessment, entity-level monitoring controls, and ERP
configurable control optimization. The company may derive benefits from reducing the
compliance effort or by increasing the external auditor's reliance on management's work.
9. Audit Location Selection
Does the organization have multiple audit locations? Does it determine the number of location
audits to be performed and then select the locations haphazardly? Is the selection done outside
of internal audit's typical annual risk assessment process? Are locations selected solely based
on size? Is internal audit able to support and defend its approach? Performing a location risk
assessment based on quantitative and qualitative factors may result in a more risk-based,
quantifiable and balanced assessment of audit locations.
10. Technology-Enabled Audits and Continuous Monitoring
Are resources insufficient to obtain the audit coverage that internal audit would prefer? Is
internal audit sufficiently targeting the transactions that warrant further review, or is it relying on
the luck of the draw in its audit sample? Would internal audit like to broaden its number of
locations, frequency of coverage and number of transactions? By incorporating the use of the
right tools and technology, internal audit can identify key metrics that can be monitored to
identify outliers that may indicate risk or the need for additional follow-up. This can help internal
audit more efficiently focus limited resources and achieve greater audit coverage.
In Closing
To be thorough in conducting all assessments and completing the internal audit planning
process, it is essential to invest sufficient time and allocate the appropriate resources. By
integrating ERM, compliance with the aforementioned IIA Standards, BCM and the other
discussed key areas with internal audit risk assessments and planning processes, organizations
will be better positioned to find satisfactory answers to the questions posed at the beginning of
this white paper.
About Protiviti
Protiviti (www.protiviti.com) is a global business consulting and internal audit firm composed of
experts specializing in risk, advisory and transaction services. We help solve problems in
finance and transactions, operations, technology, litigation, governance, risk, and compliance.
Our highly trained, results-oriented professionals provide a unique perspective on a wide range
of critical business issues for clients in the Americas, Asia-Pacific, Europe and the Middle East.
Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half
International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member
of the S&P 500 index.
About Our Internal Audit and Financial Controls Solution
We work with audit executives, management and audit committees at companies of virtually any
size, public or private, to assist them with their internal audit activities. This can include starting
and running the activity for them on a fully outsourced basis or working with an existing internal
audit function to supplement their team when they lack adequate staff or skills. Protiviti
professionals have assisted hundreds of companies in establishing first-year Sarbanes-Oxley
compliance programs as well as ongoing compliance. We help organizations transition to a
process-based approach for financial control compliance, identifying effective ways to
appropriately reduce effort through better risk assessment, scoping and use of technology, thus
reducing the cost of compliance. Reporting directly to the board, audit committee or
management, as desired, we have completed hundreds of discrete, focused financial and
internal control reviews and control investigations, either as part of a formal internal audit activity
or apart from it.


© 2010 Protiviti Inc. An Equal Opportunity Employer.
Protiviti is not licensed or registered as a public accounting firm and does not
issue opinions on financial statements or offer attestation services.



One of the key features about Protiviti is that we are not an audit/accounting firm, thus there is
never an independence issue in the work we do for clients. Protiviti is able to use all of our
consultants to work on internal audit projects; this allows us at any time to bring in our best
experts in various functional and process areas. In addition, Protiviti can conduct an
independent review of a company's internal audit function; such a review is called for every
five years under The IIA's Standards.
Among the services we provide are:
Internal Audit Outsourcing and Co-Sourcing
Financial Control and Sarbanes-Oxley Compliance
Internal Audit Quality Assurance Reviews and Transformation
Audit Committee Advisory
For more information about the topics discussed in this white paper and our services, please
contact:
David Brand
Managing Director, Internal
Audit and Financial Controls
+1.312.476.6401
david.brand@protiviti.com
Scott Graham
Managing Director, Internal
Audit and Financial Controls
+1.469.374.2432
scott.graham@protiviti.com
Robert Hirth Jr.
Managing Director, Internal
Audit and Financial Controls
+1.415.402.3621
robert.hirth@protiviti.com
Keith Kawashima
Managing Director, Internal
Audit and Financial Controls
+1.408.808.3222
keith.kawashima@protiviti.com
Frederick Umbach
Managing Director, Internal
Audit and Financial Controls
+1.212.603.8390
frederick.umbach@protiviti.com