Mon, Apr 22, 2024

These audit memos are powerful tools for documenting an organization's audit plan during the initial phases of the audit process. Use KnowledgeLeader's customizable audit memo samples to communicate audit approach and scope as well as enhance audit efficiency.

We offer over 50 memos that provide a wide range of support. Some of KnowledgeLeader's most popular benchmarking tools are listed below. For a full list of available items, visit our Memos content area.

IT SECURITY MEMO SAMPLES

Security Access Badges Memo
This sample memo serves as a report of an internal audit function’s high-level assessment of the security access badges process. In this sample, support center employees are granted access from 6:00 a.m. to 7:00 p.m. to all external doors of the building unless otherwise requested by their supervisor or based on job requirements; call center employees are granted access from 6:00 a.m. to 1:30 a.m. to accommodate shift needs and are granted access solely through front and rear doors; and additional access is granted based on an employee’s department and job requirements and requires the approval of the applicable department head.

IT Network Security Scope Memo
The purpose of this memo is to document the assumptions and decision criteria used in scoping the documentation efforts around network security. In this sample, management classified network security as a medium-risk process. As a medium-risk process, organizations must create a narrative describing at a task level each step performed in the process. They must also identify the project-related risks within the process and document the controls that mitigate the identified risks. 

SARBANES-OXLEY ACT MEMO SAMPLES

Sarbanes-Oxley (SOX) Project Approach Memo
This tool contains two sample memos that serve as a report of an internal audit function’s high-level assessment of the SOX compliance project process. In these samples, a control is designed effectively if the control provides reasonable assurance the related risk of misstatement is reduced to acceptably low levels and corresponding financial statement assertions are achieved. In some cases, multiple controls may be required to adequately mitigate risk, and the aggregated controls must each be evaluated for design and operational effectiveness. 

SOX IT Testing Planning Memo
This memo captures details for SOX IT testing, including objectives, project scope, transaction types, key risks, coordination with specialists, and IT audit decisions. The purpose of this engagement is to assist companies with achieving compliance with SOX requirements for internal controls over their IT processes. These processes are related to accurate financial measurement and reporting. This includes evaluating the design and testing the operational effectiveness of IT general controls (ITGCs) and IT entity-level controls (IT-ELCs). 

AUDIT TESTING MEMO SAMPLES

IT Change Management Review Memo
This memo summarizes the findings of an internal audit review of an organization’s IT change management process. Memo sections include background information, executive summary (including objectives and approach and key findings), and observations and recommendations (including an action plan and management response). In this sample, internal audit evaluated the IT change management process for the entire organization. The review comprised interviews and utilization of previous process knowledge (no testing was completed).

Delegated Entity Review Memo
In this sample, internal audit assisted with a company’s annual delegated entity compliance procedures as part of the audit plan. Management requested that the delegated entity procedures performed focus primarily on ITGCs surrounding an application developed by company personnel. Relevant areas of testing included change management, computer operations and logical security. In addition, internal audit performed some limited procedures surrounding the protection of personal health information data. This delegated entity review focuses on IT SOX readiness procedures for an application, testing change management, computer operations and logical security areas.

PRIVACY MEMO SAMPLES

Data Governance Audit Scoping Memo
In this sample, internal audit assessed the data integrity and inconsistencies that have arisen from its merger. This tool can be used for reviewing the effectiveness of the function and confirming that the scope and direction of the group is aligned with industry best practices. Memo sections include background, scope and approach, baseline description, interview results, data governance capabilities, and recommendations. This sample memo serves as a report of an internal audit function’s high-level assessment of the company’s data governance function.

Data Breach Notification Memo
In this sample, the company has arranged for a credit monitoring product and is offering to assume the cost of one year of credit monitoring for the customer, with an attachment to the letter containing details on the service. The document also includes additional precautionary measures for protecting the information, such as activating a fraud alert and placing a security freeze on the individual's account. This memo notifies an individual regarding the possibility of a personal information breach and explains the steps taken by a company to protect against identity theft or abuse of information.

DOCUMENT RETENTION MEMO SAMPLES

Compliance and Regulation Management Review Memo
The primary objectives include: determine whether policies and procedures exist and are adequate for identifying and monitoring compliance with applicable laws and regulations; determine the laws and regulations for which lack of compliance most greatly affects the company; review the compliance processes and controls associated with the selected areas and review adherence to policies and procedures; and determine the status of internal audit’s recommendations delivered to the company. This tool outlines the steps for the review of policies, procedures and internal controls within a company’s compliance regulation management function.

Minimum Testing Standards for Systems and Data Memo
Implementing these minimum IT control standards into each work program creates consistency across reviews and verifies that internal auditors are assessing key areas of IT risk within the client’s key informational and accounting systems. The purpose of this memo is to outline minimum IT controls process teams should be assessing when performing their reviews. Specifically, it covers minimum controls process owners should have in place around user access, change control, backup, privacy, licenses and document retention for the primary accounting and informational systems that are within the scope of the review.
