October 17, 2005

Controls Monitoring Quarterly Assessment Audit Work Program

Audit Objectives

  • To evaluate the effectiveness of management’s monitoring of company-level controls.
  • To assess management’s progress with respect to the implementation of action plans designed to address deficiencies noted during the FY 20XX assessment of internal controls over financial reporting.
  • To provide management with an internal audit framework within which to monitor key controls on an ongoing basis and evaluate whether those controls, as stated, are operating as designed.

Project Work Step

Planning

1. Planning meeting – Audit Team
(a) Conduct a planning meeting to discuss scope, approach, and timing.
(b) Determine the appropriate auditee contacts.
(c) Prepare planning memorandum and distribute to the appropriate auditee personnel.

2. Obtain sufficient understanding of the audit area:
(a) Review any pertinent internal audits performed from which information may be utilized in the development of the current plan, including the previous quarter’s controls monitoring.
(b) Obtain and review any relevant policies and procedures pertaining to company-level controls.
(c) Use self-assessment material, if appropriate, to have the auditee evaluate the control environment prior to the audit.

3. Work with the auditee(s) as to the scope, approach, and timing of the audit and detailed document request.

4. Review available best practices for ongoing controls monitoring and incorporate them into the audit work and audit report, if appropriate.

5. Conduct an entrance meeting with auditee(s) to re-establish the scope and timing of the review. Establish a schedule for status meetings and open-communication protocol.

Fieldwork – Understanding & Documentation

1. Obtain and review the following (where available):
  • Organizational chart outlining positions of key individuals playing an active role in the monitoring of company-level controls.
  • Business code of conduct.
  • Memorandums, narratives, or formal plans in support of existing company-level controls.

2. Gain an understanding of the factors impacting the effectiveness of company-level controls. Consideration of the following areas and pertinent discussions with applicable auditees will provide direction in obtaining that understanding:
  • Control environment, including management’s integrity, ethical values, and commitment to competence.
  • Management’s philosophy and operating style.
  • Organizational structure.
  • Human resource policies and practices.
  • Performance of risk assessments, including a consideration of entity-wide objectives.
  • Protocols for the dissemination of information and establishment of channels for communication.

3. Identify and document (via narratives) the ongoing controls monitoring processes, using previous SOX documentation as a starting point. Consider the following points:
  • Overall, are management’s controls adequate and functional?
  • Are there areas where controls should be enhanced or additional internal audits should be performed?
  • Were any deficiencies relating to company-level controls noted during the FY 20XX assessment of internal controls over financial reporting?
  • Were any of these deficiencies significant?
  • Has management drafted appropriate action plans to address the deficiencies and corrected them within the proper timeframe?
  • For those deficiencies for which action plans have not yet been drafted, has management identified a proposed plan and a projected implementation date?

Fieldwork – Testing

1. Discuss with management the company-level and process-level control deficiencies identified during the FY 20XX assessment of internal controls over financial reporting.
(a) For the deficiencies identified as “significant,” obtain and review management’s action plan(s) designed to address the deficiencies. Review a portion of “non-significant” deficiencies each quarter, as well.
(b) In the event that action plans have not yet been drafted, discuss with the auditee the proposed plan and projected implementation date.
(c) Document the findings of these discussions.
(d) Evaluate status on completion of action plans.
(e) Document any gaps in achieving the action plans by their due dates.

PURPOSE: To ensure that management is taking the necessary steps to clear deficiencies noted during the annual assessment of internal controls over financial reporting, including the development and implementation of reasonable action plans in a timely manner.

2. Select a sample of five company sites and obtain the most recent QRP submitted by that site.
(a) For each site, ensure that the QRP is completed, signed by the designated certifying officer, and includes relevant supporting details and necessary disclosures.
(b) Review minutes of the Disclosure Committee meeting from the above selected quarter end, noting the discussion of any significant or unusual items identified in the QRP.

PURPOSE: To ensure that management is appropriately identifying all issues requiring disclosure by the company in its quarterly reporting and to determine whether there are any newly identified risks that internal audit should take into account.

3. Conduct a meeting with a selected member of the external audit team.
(a) Document any variations or deficiencies identified as part of their evaluation of internal controls that would necessitate disclosure in the QRP.
(b) Inquire as to whether they identified any issues during the performance of their quarterly procedures that would indicate the need for an internal audit.

PURPOSE: To validate required disclosures as identified by management and to recognize potential opportunities for future risk-based engagements.

4. Obtain and review the Finance site review schedule and criteria for the current quarter.
(a) Validate that site reviews have been performed in accordance with the stated schedule. If the schedule has not been met, confer with a member of the Corporate Accounting Team to determine how variance will be compensated for.
(b) Ensure that all steps on the site visit program have been appropriately completed.
(c) Ensure that the site visit includes review for the following:
  • Preparation of the self-assessment questionnaire
  • Completeness review for manual journal entries utilizing the XYZ report
(d) Review the standard template that compiles the results for each site review, noting any issues requiring further attention.

PURPOSE: To ensure that management is adhering to the planned schedule and criteria set forth for finance-related site visits and that issues identified during such are being properly disclosed and addressed, and to determine whether there are any newly identified risks that internal audit should take into account.

5. Obtain and review the IT site review schedule and criteria for the current quarter.
(a) Validate that site reviews have been performed in accordance with the stated schedule. If the schedule has not been met, confer with a member of the Corporate Information Technology group to determine how variance will be compensated for.
(b) Ensure that all steps on the site visit program have been appropriately completed.
(c) Review the standard template that compiles the results for each site review, noting any issues requiring further attention.

PURPOSE: To ensure that management is adhering to the planned schedule and criteria set forth for IT-related site visits and that issues identified during such are being properly disclosed and addressed, and to determine whether there are any newly identified risks that internal audit should take into account.

6. Obtain and review the HR site review schedule and criteria for the current quarter.
(a) Validate that site reviews have been performed in accordance with the stated schedule. If the schedule has not been met, confer with a member of the Global HR Team to determine how variance will be compensated for.
(b) Ensure that all steps on the site visit program have been appropriately completed.
(c) Review the standard template that compiles the results for each site review, noting any issues requiring further attention.

PURPOSE: To ensure that management is adhering to the planned schedule and criteria set forth for HR-related site visits and that issues identified during such are being properly disclosed and addressed, and to determine whether there are any newly identified risks that internal audit should take into account.

7. Discuss with management the use of the self-assessment questionnaire as a tool to identify controls currently in place at the various operating entities.
(a) Select a sample of sites and obtain the self-assessment questionnaires completed for those sites for the quarter end in review.
(b) Verify that the entities are completing the questionnaire and that action items identified as part of the assessment are acted upon by the appropriate individual(s).
(c) Ensure items pertaining to the self-assessment questionnaire have been properly completed in the QRP.

PURPOSE: To validate that controls being relied upon by management continue to be in place and to ensure that any changes in such are appropriately reflected in the company’s internal control documentation.

8. Obtain and review the binder containing the ABC Database Query Reports and Lawson Security Reports reviewed by the Director of Financial Systems and the Corporate Controller.
(a) Ensure that the reports were reviewed by the appropriate individuals and evidence of the reviews is clearly documented.
(b) Document any findings based on these reviews and validate that the appropriate action was taken to rectify any issues noted.

PURPOSE: To validate that the necessary reviews are being performed to properly monitor segregation of duties and level of security access assigned among users within the primary financial system.

9. Select a sample of sites and obtain documentation supporting the review of manual journal entries by site personnel utilizing the XYZ report or a similar report for non-ABC entities.
(a) Ensure the report was reviewed for reasonableness and completeness of entries by the appropriate individual and evidence of the review is clearly documented.
(b) Where warranted, select individual entries contained in the report and request the respective site provide support for the entry. Ensure the entry is reasonable and properly approved.

PURPOSE: To ensure all manual journal entries are reasonable, properly accounted for, and appropriately supported.

10. Discuss with management the recent origination of any major contracts (both customer and vendor).
(a) Validate that the execution and administration of the newly originated contracts were performed in accordance with stated policies and procedures.
(b) Ensure that management has given proper consideration to business risks associated with these contracts.

PURPOSE: To ensure the company’s contracts are being executed in accordance with agreed upon policies and procedures and that management has given adequate consideration to potential risks associated with such.

Final

1. Reporting – Draft
(a) Prepare preliminary draft of the audit findings in the form of a memo. Ensure appropriate auditee(s) review(s) the draft and that any action items have been discussed with auditee(s).

2. Reporting – Issuing draft
(a) Issue preliminary memo to management. At this point management/auditee(s) should agree on the timing for implementing any action items identified and agreed to in the memo. Responsibility for implementation should also be assigned.
(b) Validate the accuracy of all audit report content.
(c) Ensure the report/memo is reviewed by the engagement manager, director, and office managing director.
(d) Have the report/memo referenced.
