
Internal Audit Universe Enterprise Risk Model

F/S Risk Factors (Risk Level 1 to 3 for each factor)
Area | Review | Mgmt Concern | Disclosures and Regulatory Consequences | Employee/Management Turnover | System Changes | Time Since Last Audit | Budget to Actual Variance | Financial Risk Size | Prior Audit/SOX Findings | Total Risk | Weighted Total Risk | Estimated Hours
Weight 20% 5% 10% 10% 5% 20% 20% 10% 100% 200%
Information Systems System Implementations 3 1 2 3 3 3 1 3 13 2.40 200
Legal Department Litigation Management & Accrual 3 3 1 1 3 3 2 3 13 2.40 120
Finance & Accounting Billing 3 3 1 2 2 2 3 2 13 2.35 240
Customer Management Customer Technical Support 3 1 3 1 3 3 1 3 12 2.30 200
Customer Management Call Center Management 3 1 3 1 3 3 1 3 12 2.30 200
Legal Department Tariff Protection 3 3 1 1 3 3 1 3 12 2.20 80
Finance & Accounting Payroll 1 2 1 1 3 3 3 3 13 2.15 150
Human Resources Employee Benefits Mgt - Third Party Administration 2 2 1 1 3 3 2 3 12 2.15 120
Finance & Accounting Treasury - Debt Management (Covenant Compliance ) 2 3 1 1 2 2 3 2 12 2.05 120
Sales & Marketing Advertising & Promotions 1 1 2 1 3 3 2 3 12 2.00 120
Information Systems Data Security (Privacy) 2 2 2 2 2 2 2 2 12 2.00 160
Finance & Accounting Capital Management 3 2 1 1 2 2 2 2 10 2.00 120
Customer Management Customer Retention 3 1 3 1 2 2 1 2 10 1.95 120
Finance & Accounting Financial Close & Reporting 1 3 1 2 2 2 3 2 13 1.95 200
Finance & Accounting Line Cost 1 3 1 2 2 2 3 2 13 1.95 240
Customer Management Customer Credits/Adjustments 2 3 1 2 2 2 2 2 12 1.95 120
Information Systems Disaster Recovery/Business Continuity Plans 3 2 2 1 2 2 1 2 10 1.90 200
Finance & Accounting Revenue Recognition 1 3 1 1 2 2 3 2 12 1.85 200
Operations Inventory Mgt - CPE/Huntsville WH 2 1 1 2 2 2 2 2 10 1.85 200
Human Resources Employment Regulations 3 2 1 1 2 2 1 2 9 1.80 80
Sales & Marketing Contract Sales 3 2 3 2 1 1 1 1 10 1.75 240
Sales & Marketing Sales Branch Office 2 1 3 1 2 2 1 2 10 1.75 160
Operations Inventory Mgt. - Network Parts/Anniston WH 2 1 2 3 1 1 2 1 10 1.70 200
Finance & Accounting Treasury - Cash Management & Banking 2 3 1 1 1 1 3 1 10 1.70 120
Information Systems Help Desk & User Services 2 1 2 1 2 2 1 2 9 1.65 80
Sales & Marketing Sales Operations 3 1 3 1 1 1 1 1 8 1.60 200
Human Resources Recruiting 3 1 1 1 1 1 2 1 7 1.60 80
Sales & Marketing Customer Premise Equipment (CPE) Sales 1 2 3 1 2 2 1 2 11 1.60 120
Finance & Accounting Sales Commissions 2 2 1 2 1 1 2 1 9 1.55 200
Finance & Accounting Fixed Assets 1 2 1 2 1 1 3 1 10 1.55 160
Finance & Accounting Accounts Receivable 1 3 1 1 1 1 3 1 10 1.50 200
Information Systems IT Strategy/ Planning 3 1 2 1 1 1 1 1 7 1.50 80
Information Systems IT Network Administration 3 1 2 1 1 1 1 1 7 1.50 160
Operations Network Management, Provisioning, Grooming, etc. 3 1 2 1 1 1 1 1 7 1.50 160
Legal Department Government/Regulatory/Industry Affairs 3 2 1 1 1 1 1 1 7 1.45 120
Management & Board Mergers & Acquisitions 3 2 1 1 1 1 1 1 7 1.45 80
Human Resources Compensation 3 1 1 1 1 1 1 1 6 1.40 80
Finance & Accounting Accounts Payable 1 2 1 2 1 1 2 1 9 1.35 160
Operations Procurement 1 2 1 2 1 1 2 1 9 1.35 200
Finance & Accounting External Financial Reporting 1 3 1 1 1 1 2 1 9 1.30 160
Customer Management Field Support - Trouble Reporting & Tickets 2 1 2 1 1 1 1 1 7 1.30 160
Operations Network Operations - Switch Management 2 1 2 1 1 1 1 1 7 1.30 160
Operations Research & Development 2 1 2 1 1 1 1 1 7 1.30 120
Sales & Marketing Product Development 2 1 2 1 1 1 1 1 7 1.30 80
Sales & Marketing Marketing Management & Plans 2 1 2 1 1 1 1 1 7 1.30 120
Information Systems IT - General Controls Review 2 1 2 1 1 1 1 1 7 1.30 200
Information Systems IT Applications - CRM Razorsight 1 2 2 2 1 1 1 1 9 1.25 160
Information Systems IT Applications - Oracle 1 2 2 2 1 1 1 1 9 1.25 160
Finance & Accounting Tax State & Local, Federal, 1 2 1 1 1 1 2 1 8 1.25 120
Finance & Accounting Tax - Pass-Through 1 2 1 1 1 1 2 1 8 1.25 120
Customer Management Product Pricing and Costing 2 2 1 1 1 1 1 1 7 1.25 200
Human Resources Hiring (including Non-standard Employee Agreements) 2 2 1 1 1 1 1 1 7 1.25 120
Management & Board Corporate Governance - (Authority/Approval Matrix, Disclosure Controls, Policy Management) 2 2 1 1 1 1 1 1 7 1.25 160
Finance & Accounting Credit & Collections 1 2 1 1 1 1 2 1 8 1.25 200
Management & Board Incentive Compensation Plans 2 2 1 1 1 1 1 1 7 1.25 160
Information Systems Software Licensing 1 3 2 1 1 1 1 1 9 1.20 120
Information Systems IT Applications - ADP Enterprise 1 3 2 1 1 1 1 1 9 1.20 120
Finance & Accounting Treasury - FX/Derivatives 1 1 1 1 1 1 2 1 7 1.20 120
Finance & Accounting Travel & Entertainment 1 1 1 1 1 1 2 1 7 1.20 120
Finance & Accounting Budgeting, Forecasting, Strategic Planning 2 1 1 1 1 1 1 1 6 1.20 160
Management & Board Company Communications 2 1 1 1 1 1 1 1 6 1.20 80
Operations Engineering 2 1 1 1 1 1 1 1 6 1.20 160
Information Systems Contract Management - Service Level Agreements 1 2 2 1 1 1 1 1 8 1.15 120
Operations Safety 1 2 2 1 1 1 1 1 8 1.15 120
Information Systems Wireless Networks 1 1 2 1 1 1 1 1 7 1.10 80
Operations Network Operation Center Mgt. 1 1 2 1 1 1 1 1 7 1.10 120
Operations Energy Cost & Management 1 1 2 1 1 1 1 1 7 1.10 80
Operations Engineering Systems & Transport 1 1 2 1 1 1 1 1 7 1.10 120
Legal Department Securities Management & Stock Options Procedures 1 3 1 1 1 1 1 1 8 1.10 80
Human Resources Policies 1 2 1 1 1 1 1 1 7 1.05 80
Human Resources Terminations 1 2 1 1 1 1 1 1 7 1.05 80
Human Resources Worker Compensation 1 2 1 1 1 1 1 1 7 1.05 80
Human Resources Employee Relations 1 2 1 1 1 1 1 1 7 1.05 40
Legal Department Intellectual Property 1 2 1 1 1 1 1 1 7 1.05 80
Legal Department Contract Management 1 2 1 1 1 1 1 1 7 1.05 160
Legal Department Records Management 1 2 1 1 1 1 1 1 7 1.05 80
Legal Department Whistle Blower - Hotline 1 2 1 1 1 1 1 1 7 1.05 80
Management & Board Risk Management (General Liability, Officers & Directors, Business Interruption) 1 2 1 1 1 1 1 1 7 1.05 120
Management & Board Risk Management - Workers Compensation 1 2 1 1 1 1 1 1 7 1.05 80
Management & Board Risk Management - Property Insurance 1 2 1 1 1 1 1 1 7 1.05 80
Management & Board SOX Program Management 1 2 1 1 1 1 1 1 7 1.05 80
Management & Board Investor Relations 1 2 1 1 1 1 1 1 7 1.05 80
Management & Board Governance Agreement 1 2 1 1 1 1 1 1 7 1.05 80
Operations Real Estate - Lease Management 1 2 1 1 1 1 1 1 7 1.05 80
Operations Fleet Management 1 2 1 1 1 1 1 1 7 1.05 120
Finance & Accounting Management Internal Reporting 1 1 1 1 1 1 1 1 6 1.00 120
Human Resources Employee Benefits Mgt - Enrollments 1 1 1 1 1 1 1 1 6 1.00 80
Human Resources Employee Performance Feedback 1 1 1 1 1 1 1 1 6 1.00 80
Human Resources Employee Communications - Feedback, Surveys 1 1 1 1 1 1 1 1 6 1.00 80
Human Resources Staffing Analysis/Workforce Management 1 1 1 1 1 1 1 1 6 1.00 120
Human Resources Training & Development 1 1 1 1 1 1 1 1 6 1.00 80
Human Resources Employee Loans 1 1 1 1 1 1 1 1 6 1.00 40
Management & Board Charitable Contributions 1 1 1 1 1 1 1 1 6 1.00 40
Management & Board Political Contributions 1 1 1 1 1 1 1 1 6 1.00 40
Operations Facility Management & Physical Security 1 1 1 1 1 1 1 1 6 1.00 120
Management & Board Executive Travel & Entertainment 1 1 1 1 1 1 1 1 6 1.00 120
12,310
[Chart: % of Total Risks by Risk Focus Areas]
Audit Universe
Sales and Marketing Contact Name Operations Contact Name Finance & Accounting Contact Name Customer Management Contact Name Legal Contact Name
Contract Sales Supply Chain Ops/Purchasing Accounts Payables Technical Support Contract Approval
Sales Op Review Planning Accounts Receivables Problem Resolution & Tracking Litigation Management
Retail Quality Billings Customer Service Securities Management
Wholesale Construction Line Cost Customer Service Management Intellectual Property
Carrier Supplies, Materials and Services Invoice Auditing Pricing and Adjustments Whistle Blower
Enterprise Vendor Management (i.e., competitive bidding, preferred suppliers) Processing Customer Retention Regulatory Affairs/Compliance
Equipment Fleet Management Credit & Collections Hotline
Finance Review Lease Management Placement, Write-offs & Placements Stock Options
Legal Review Testing and Control Credit Management Real Estate
Engineering Review Network Reliability Collections Record Retention
Operations Review Provisioning Capital Budgeting & Planning Employment Law
Product Marketing Regulatory Compliance (i.e., OSHA) Capital Expenditure Approval
Product Development Inventory Management Records, Depreciation & Reporting
Sales Commissions Accounting and Valuation Non-capital purchases
Storage and Distribution
Call Center Fixed Assets
Network Operations Budgeting and Forecasting
Operator Services Closing the Books
Account Reconciliation
Account Analysis
Accruals
Internal Reporting
External Reporting
Tax Management
Federal Income Tax
State & Local Tax
Tariff Protection
Sales & Use
Research
Travel and Expense Reporting
Treasury
Debt/Financial Structure
Cash Management
FX/Derivatives
Banking Relationships
Risk Categories
Risk Assessment Category | Risk Category Definition | Weighting
1 Consequences | Severity of Consequence from Non-Compliance | 5%
2 Prior Audit | Prior Audit Findings | 5%
3 SOX Findings | Prior SOX Findings |
4 Mgmt Concern | Management Interest & Concern | 20%
5 Mgmt. Team | Management Team | 5%
6 Turnover | Employee Turnover | 25%
7 System Changes | Systems Changes | 10%
8 Financial Risk Size | Revenue/Expense Size in Dollars | 25%
9 Time | Time Since Last Audit | 5%
100%

Total Risk Score | Total Risk Rating (Priority of Consideration for Audit Project)
14 to 24 | 3 = High Risk
11 to 13 | 2 = Medium Risk
8 to 10 | 1 = Low Risk
Scale from 1 to 3

1 Severity of Consequence from Non-Compliance
Considers the quantity and complexity of legislative mandates and guidelines that govern the audit subject under review, as well as mandates and guidelines governing the business unit as a whole. This includes: Regulatory (PUC/FCC), Financial.
Rating 1: Areas where deficiencies would likely produce little or no recourse from regulatory, legal or governmental agencies. Areas where deficiencies would likely result in minimal or no financial statement exposures.
Rating 2: Areas where deficiencies could produce generally moderate repercussions from regulatory, governmental or legal agencies. This would include fines or penalties of immaterial amounts, and/or short-term restrictions to the company's operations. Areas wh
Rating 3: Areas where deficiencies could produce potentially severe repercussions from regulatory, governmental or legal agencies, such that they could have a material impact on the company's operations. This may include large fines, significant civil or punitiv

2 Prior Audit Findings
Considers the significance and number of findings as well as the implementation of corrective action. Taken from Audit Project Reports and SOX Observations.
Rating 1: No significant findings and few findings. There has been full implementation of all corrective actions.
Rating 2: One or zero significant findings and/or less than five findings, and there has been at least 90 percent implementation of corrective actions.
Rating 3: Two or more significant findings and/or more than five findings, or there has been at least 50 percent implementation of corrective actions.

3 Management Interest & Concern
Considers the level of management interest and/or concern that was obtained from the Business Risk Assessment - SOX Management Questionnaire completed in late 2009.
Rating 1: Management believes this issue warrants little interest or concern.
Rating 2: Management believes this issue warrants moderate interest or concern.
Rating 3: Management believes this issue warrants high interest or concern.

4 Management Team
Considers the amount of time that a management team has been in place for the area based on Internal Audit knowledge.
Rating 1: Management has been in place over three years.
Rating 2: Management has been in place more than one year but less than three years.
Rating 3: Management has been in place less than one year.

5 Turnover
Considers the level of turnover based on actual 2009 data from Human Resources.
Rating 2: Area employee turnover is greater than 10 percent but less than 25 percent.
Rating 3: Area employee turnover is greater than 25 percent.

6 Systems Changes
Considers any significant automated or manual system changes and/or upgrades and the number of issues based on IA's knowledge. This will be enhanced for the 2009 audit planning using IT's annual plan.
Rating 1: No significant system changes and/or upgrades and no outstanding issues.
Rating 2: One significant and/or several system changes and/or upgrades and few outstanding issues.
Rating 3: One or more significant and/or numerous system changes and/or upgrades. Systems appear to be poorly maintained with numerous outstanding issues.

7 Revenue/Expense Size in Dollars
Considers the annual revenues or expense and volume transactions initiated or processed through an area based on actual 2008 and 2009 financial data.
Rating 1: Less than $15 million annual revenue or less than $1 million expense.
Rating 2: Between $15 million and $50 million in annual revenue or between $1 million and $10 million expense.
Rating 3: Greater than $50 million annual revenue or $10 million expense.

8 Time Since the Last Audit
Considers when the last financial/operational audit was performed based on Internal Audit history.
Rating 1: Less than two years since the last audit.
Rating 2: More than two years but less than three years since the last audit.
Rating 3: Greater than three years since the last audit.

AUDIT GRADING MATRIX
REF | Grading Categories | Description | Min | Max | Weight | 1 2 3 4 5 | Total Score

1 Dollar Amount
Description: Other things being equal, large dollar amounts, either flowing through a system or committed to an activity or project, increase audit interest. As a means of establishing a common frame of reference, use gross revenue of the audit customer's entity as the base for determining relative size.
Min: Relatively Low. Max: Relatively High. Weight: 9

2 Public Disclosure Implications
Description: Other things being equal, the prospect of significant adverse notoriety, as a consequence of either acts of commission or omission, serves to increase audit interest.
Min: Noncontroversial. Max: Highly Controversial. Weight: 1

3 Internal Control
Description: The design and past performance of an internal control system is important in judging the probability of errors in the system. Other things being equal, areas with weak internal control are of greater audit interest.
Min: Strong. Max: Weak. Weight: 7

4 Executive Management Interest
Description: Other things being equal, expressed or implied concern relating to an activity or project by a responsible member of operating company management increases audit interest. If there is no basis for assessing management interest, arbitrarily assign a three.
Min: Strong. Max: Weak. Weight: 10

5 Results in Prior Audit
Description: Other things being equal, significant adverse findings in a prior audit increase audit interest. If there is no prior experience, arbitrarily assign a three.
Min: No significant deficiencies. Max: Serious deficiency findings. Weight: 8

6 Changes in Personnel/Procedures
Description: Other things being equal, a dynamic environment in terms of personnel or procedures increases the probability of errors and inefficiency occurring, and consequently increases audit interest.
Min: Static. Max: Dynamic. Weight: 5

7 Complexity of Activity
Description: Other things being equal, as the operating complexity of an area increases, information and control systems tend to become more complex. This complexity increases both the probability of error and the effort required to monitor the system.
Min: Simple. Max: Complex. Weight: 4

8 Time Since Last Audit
Description: As the time since the last audit lengthens, the value of a new audit is likely to increase. The beneficial effects of an audit are greatest immediately before and after a project.
Min: Recently Audited. Max: Never Audited or Not Recently Audited. Weight: 6

9 Deviations from Budget/Plan
Description: Significant unfavorable variances from established plans increase audit interest in an activity or project.
Min: No significant variances. Max: Significant variances. Weight: 3

10 Character of Activity
Description: Infrequent or unusual activities or projects are more likely to result in error or inefficiency and are of greater audit interest.
Min: Routine and/or frequent. Max: Unusual and/or infrequent. Weight: 2

TOTAL SCORE:

AUDIT GRADING MATRIX
REF | Grading Categories | Points | Weight | Score | Points 0 - 3 | Points 4 - 6 | Points 7 - 8 | Points 9 - 10

1 Management and Staff Competence (Points: 8, Weight: 0.12, Score: 0.97)
Points 0 - 3: Lack of understanding of basic accounting principles. Unqualified
Points 4 - 6: Rudimentary understanding of Company Policies and GAAP. Improvements required in the area of staff training
Points 7 - 8: Satisfactory knowledge of Company Policies and have reasonable understanding of the appropriate application of GAAP
Points 9 - 10: Exceptional/very good understanding of Company Policies and GAAP

2 Corporate Policy Compliance (Points: 9, Weight: 0.15, Score: 1.36)
Points 0 - 3: Significant non compliance of corporate policies
Points 4 - 6: Non compliance to corporate policies without any compensating controls in place
Points 7 - 8: Minor unapproved deviations from corporate policies with no significant exposures to business or financial risk
Points 9 - 10: No unapproved deviations from any corporate policies

3 Asset Management (Points: 9, Weight: 0.12, Score: 1.09)
Points 0 - 3: Control structure exhibits major weaknesses which could result in material loss of company assets and/or misstatement of revenue/expense
Points 4 - 6: Weaknesses in controls could result in loss of assets or misrepresentation of profits / losses. Reliance is placed on mitigating controls
Points 7 - 8: Satisfactory controls exist to ensure the proper recording of assets. Few mitigating controls exist
Points 9 - 10: Strong asset control structure exists which exhibits no system or physical weaknesses

4 Prior Audit Recommendations (Points: 10, Weight: 0.10, Score: 1.01)
Points 0 - 3: Less than 50% implementation
Points 4 - 6: 50% to 74% implementation
Points 7 - 8: 75% to 89% implementation
Points 9 - 10: 90% to 100% implementation. Full implementation of all prior recommendations

5 Information Systems (Points: 8, Weight: 0.10, Score: 0.81)
Points 0 - 3: Locally developed and supported accounting systems are poorly maintained
Points 4 - 6: Partially or fully implemented Global Applications with a high number of issues related to deployment and support
Points 7 - 8: Partially or fully implemented Global Applications with a low number of issues related to deployment and support
Points 9 - 10: On-line system using Global Applications with hardware located and maintained at the Home Office, with no outstanding issues

6 Procedure and Process Documentation (Points: 7, Weight: 0.12, Score: 0.85)
Points 0 - 3: Few to no processes have been documented. Not familiar or not compliant to global standard procedures
Points 4 - 6: Global standard procedures are not fully implemented or consistent with current standards. No documentation exists
Points 7 - 8: Global standard procedures are compliant with Company standards and current documentation is consistent with actual processes
Points 9 - 10: Global standard procedures are compliant with Company standards and are regularly updated and well communicated. Documentation of standard processes is clear and concise, giving the reasonable reader a clear understanding of the procedures to follow.

7 Financial Reporting Integrity (Points: 9, Weight: 0.10, Score: 0.91)
Points 0 - 3: Financial reports are unreliable and need immediate attention
Points 4 - 6: Reliability of financial reporting requires improvement. Material or multiple immaterial adjustments are required
Points 7 - 8: Overall reliability of financial information is considered satisfactory. Immaterial adjustments are rarely required.
Points 9 - 10: Total reliability of financial reports. All reported information is accurate and complete (business and financial)

8 Balance Sheet Accounts Supporting Detail (Points: 8, Weight: 0.12, Score: 0.97)
Points 0 - 3: Reconciliations or Listing of Account Details are not performed. Material adjustments are not properly documented
Points 4 - 6: Reconciliations or Listing of Account Details are not performed on a regular basis for all major accounts. Reconciling items are not cleared on a timely basis
Points 7 - 8: Reconciliations or Listing of Account Details are performed and reviewed monthly for major control accounts. Reconciling items are cleared on a timely basis. Aged reconciling items are not material in nature
Points 9 - 10: Reconciliations or Listing of Account Details are performed and reviewed on a reasonable scheduled basis for all balance sheet accounts. No adjustments are required

9 Reporting Requirements Met (Points: 9, Weight: 0.06, Score: 0.55)
Points 0 - 3: Deadlines (Corporate and Internal) are not met. Insufficient and/or unmeaningful information is distributed
Points 4 - 6: Significant reporting requirements are continuously not met
Points 7 - 8: All reporting requirements are met with deviations being infrequent or the nature of such being minor
Points 9 - 10: All reporting requirements are met on an ongoing basis

TOTAL SCORE: 8.52
GRADE: ABOVE AVERAGE
Scale:
Below Average: Less than 7.00
Average: 7.00 to 8.49
Above Average: 8.50 to 10.00

REFERENCE to CFO OBJECTIVES
1 Management identifies high potential individuals and assigns work that will provide a broad depth of experience, as well as benefiting the company.
2 Policies are followed and transactions are executed properly the first time without having to correct transaction mistakes.
3 Management actively seeks, identifies, and executes ways to reduce local capital, while maintaining high levels of customer service. Specific goals are in place.
4 A focused effort exists to implement prior audit recommendations to improve the organizational financial integrity, process/policy compliance and operational functions.
5 Aggressively working towards global system solutions with low levels of customization through process modification and government communications.
6 Implementation of standard global processes including the quotation to collection cycle. Associates routinely spend time analyzing results and forming recommendations to business issues.
7 Seek ways to improve the integrity of financial results, and enhance the forecasting process with more disciplined ties to the funnel.
8 Completed reconciliations that are useful tools to conduct true analysis of business issues.
9 Actively seeking ways to reduce the time necessary to close the books. Seek ways to evaluate the profitability of individual customers and orders.
Risk Factors
(from 200x Form 10-K)
Risk Factor # Risk Factor Description Audit Area from Universe
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22