
Presenting to the Audit Committee
A Collection of Reporting Examples
June 2018
CEB Audit Leadership Council


Confidentiality and Intellectual Property
These materials have been prepared by Gartner, Inc. and/or its affiliates (“Gartner”) for the exclusive and individual use of our CEB Leadership Council member companies.
These materials contain valuable confidential and proprietary information belonging to Gartner, and they may not be shared with any third party (including independent
contractors and consultants) without the prior approval of Gartner. Gartner retains any and all intellectual property rights in these materials and requires retention of the
copyright mark on all pages reproduced.

Legal Caveat
Gartner, Inc. and/or its affiliates (“Gartner”) is not able to guarantee the accuracy of the information or analysis contained in these materials. Furthermore, Gartner is not
engaged in rendering legal, accounting, or any other professional services. Gartner specifically disclaims liability for any damages, claims, or losses that may arise from a)
any errors or omissions in these materials, whether caused by Gartner or its sources, or b) reliance upon any recommendation made by Gartner.
INTRODUCTION

This deck is a collection of illustrative reporting examples derived from presentations to Audit Committees. The collection includes slides for presenting department objectives, audit trends, risk assessment and audit planning processes and resource requirements. The deck does not represent a complete Audit Committee presentation but rather select elements of practitioner-developed frameworks you may reference while building presentations for your own Audit Committee.

These examples provide flexible guidance for communicating with the Audit Committee. Some slides presented in their entirety may be best suited for presentations of longer duration. Slide scope, elements and details may be tailored to the needs of your organization and Audit Committee. We will add to this collection as we uncover new, innovative examples.

Quick Facts

■■ Length of Audit Committee Report: Sixty-seven percent of Audit departments' presentations to the Audit Committee are 15 pages or shorter, including appendices, an approach that aligns with our reporting guidance. Determine whether your Audit Committee would like to see executive summaries or full audit reports in the appendix.
■■ Length of Audit Committee Meetings: The typical duration of Audit Committee meetings is 1.5 to three hours. Most Audit departments have up to 30 minutes to present to the committee.
■■ Frequency of Audit Committee Communication: In addition to the annual and quarterly Audit Committee meetings, Audit teams:
–– Schedule teleconference sessions (four on average) with Audit Committee members throughout the year;
–– Schedule hour-long phone meetings to review earnings before quarterly filings;
–– Speak with the Audit Committee chair regularly or as needed;
–– Escalate issues to the Audit Committee when necessary; and
–– Hold supplementary education sessions with the Audit Committee.
■■ Material Distributed to the Audit Committee: Seventy-four percent of respondents use a board reporting technology to distribute meeting materials. Most teams send materials one week before the meeting.
PRESENTATION GUIDANCE: DO'S AND DON'TS

At our 2017 Assurance Summit, Audit Committee members shared their views on effective reporting.

■■ Keep it simple and concise. Don't include unnecessary detail, but focus on the metrics that matter. Put granular and additional information in the appendix and refer to it if it is relevant to the discussion.
■■ Focus on trends rather than point-in-time assessments. The Audit Committee wants to understand how the organization's risk profile and Audit's work are evolving over time.
■■ Focus on the content, not the delivery platform (e.g., PowerPoint, Word, Tableau). Directors do not care how a report delivers content as long as it does so concisely.
■■ Provide the full context. If possible, include data from other assurance functions to provide the board with full understanding of the organization's risk and assurance profiles.
■■ Use visuals when appropriate. When data can be better expressed in a visual form, use that to lead the discussion where you want it to go.

Over the years, we have also observed a few common mistakes in Audit Committee reporting.

■■ Underestimating the power of the executive summary
■■ Failing to provide important context for data, such as the reason behind an increase or decrease
■■ Including issues without stating when or how they will be resolved or why they are important
■■ Obscuring challenge areas and missing out on valuable input from the committee that could inform solutions
■■ Shying away from asserting your professional judgment
■■ Avoiding definitive statements
PRESENTATION ELEMENTS INCLUDED

Executive Summary 6

Audit Strategy and Objectives 9

Audit Alignment with ERM and Corporate Strategy 12

Audit Department Resource Allocation 20

Audit Performance 26

SOX Testing and Results 30

Dynamic Visualization 32

Appendix Documents 41
Overview of the Audit Planning Process 42
Overview of the Risk Assessment Process 44
Audit Plan Methodology and Coverage (Detailed Version) 45
Integrated Assurance Map 46
Audit Staff Profile 47
Risk Universe 48
Executive Summary

© 2017­–2018 Gartner, Inc. and/or its affiliates. All rights reserved. ADR181237  6
EXECUTIVE SUMMARY: VERSION 1

This example provides a brief overview of Audit's recent work and highlights key issues for the Audit Committee to discuss; it also addresses high-level audit findings and output, as well as events that affect the risk environment.
■■ When to Use It:
–– To provide the committee with key insights up front (recommended)

Slide layout notes:
■■ Include an overall audit opinion on the control environment to assuage directors' concerns immediately.
■■ Highlight the summary form and include details in the appendix.
■■ Present trends and issues of concern to the committee.
■■ Give an update on the status of previous issues to show continuous coverage.
■■ Continuously monitor and report on events that may impact the company.

First Quarter Snapshot

Internal Audit completed a range of assurance audits, special reviews and consultative activities during the quarter.

The results of our work indicate that management controls over the business activities of our company remain effective.

This report provides an overview of activities for the quarter and notes several areas for potential improvement in business controls.

A summary of investigation, security and consultative activities conducted during the quarter is also included.

Summary of Audit Activities
■■ Audits Completed (X Audits): Business Unit 1; Function 1; ...
■■ Special Reviews (X Audits): ...
■■ Support for Company Projects: Project 1; Project 2; Project 3 (annual audit plan was completed and is included herein)

Key Issues Raised by Audit
As a whole, management has improved timeliness in resolving previous critical issues.
■■ New Critical Issues: Issue 1; Issue 2; Issue 3
■■ De-Escalated Since Last Audit Committee Meeting: Issue 1; Issue 2; Issue 3

Developments with Control Implications
■■ General Data Protection Regulation
■■ Fraud finding in international office
■■ Regulatory enforcement action targeting competitor

Source: Wells Fargo; CEB analysis.

EXECUTIVE SUMMARY: VERSION 2

This example provides a streamlined summary of key audit operations and status compared with status in the previous quarter, clearly identifying issues that require special attention from the committee.
■■ When to Use It:
–– To focus your conversation with the committee on the current status and relative strength of Audit's main operational areas

Sample Text: This report summarizes audit activities and includes important observations on the status of the organization's overall risk and control environment. At the end of the first quarter, there were no audit observations that would impact financial results as presented.

Audit Operations Summary (each area carries a status indicator for the current quarter and for the prior quarter):

Audit Operations Summary | Current Status | Prior Quarter Status
Assessment of Risk and Control Environment | (indicator) | (indicator)
Quality of Governance Framework | (indicator) | (indicator)
Audit Plan Progress and Summary of Audit Results | (indicator) | (indicator)
Control Deficiency Resolution | (indicator) | (indicator)
Investigations | (indicator) | (indicator)
Managing the Group Audit Function | (indicator) | (indicator)

Status indicators (shown as symbols on the slide): Critical items requiring Audit Committee attention; Important issues that warrant discussion; Operating as expected.

Source: CEB analysis.

Audit Strategy and Objectives

AUDIT DEPARTMENT STRATEGY

This example communicates a clear, concise and measurable department strategy, including metrics showing anticipated progress against goals.
■■ When to Use It:
–– To clarify Audit's current state, its future direction, the path it will take and expected outcomes; normally presented once a year

How to build the slide:
1. Craft a concise and memorable statement that captures the essence of the strategy. The statement should summarize the key objectives of Audit's one- to three-year strategic plan.
2. Identify four to seven metrics that define the function's current and target state.
3. List the five to seven key audit initiatives required to achieve the target state. Draw the initiatives from the strategic plan.
4. Document five to seven critical assumptions underpinning the strategy, setting metrics and thresholds where necessary to indicate when course correction is required as circumstances change.

Statement of Audit Strategy
Create value for the business by leveraging internal control expertise to drive process improvement and improve risk management. As a valued strategic partner, we strive to help the business achieve its operational, reporting and compliance objectives.

State of Audit in 2017 (Top Five to Seven Metrics Describing the Initial State)
■■ Percentage of key risks covered by Internal Audit in the audit plan: 60%
■■ Client satisfaction: 70%
■■ Issues self-disclosed by management: X
■■ Audits using data analytics: 40%
■■ Process improvements implemented by the business: X

Top Four to Seven Audit Initiatives
1. Improve audit productivity and output to reduce audit cycle times and increase coverage.
2. Recruit, attract and develop new skill sets to meet changing risk coverage needs.
3. Expand coverage of key risks by better coordinating with "second-line" assurance groups and enabling greater business risk ownership.
4. Mature and grow data analytics capabilities.

Top Five to Seven Underlying Beliefs and Assumptions
1. Budgets for Internal Audit departments are likely to remain flat.
2. Accelerating company growth will put new and unpredictable risks into play that stakeholders haven't anticipated.
3. Use of data analytics will improve audit outcomes, productivity and risk assessment capabilities.
4. Audit teams will need to rely on the first and second lines to improve risk and control monitoring.
5. Internal Audit needs to link its audit outcomes to value contribution and process improvements to demonstrate its impact on the business.

State of Audit in 2020 (Top Five to Seven Metrics Describing the End State)
■■ Percentage of key risks covered by Internal Audit in the audit plan: 80%
■■ Client satisfaction: 85%
■■ Issues self-disclosed by management: 2X
■■ Audits using data analytics: 80%
■■ Process improvements implemented by the business: 2X

Source: CEB analysis.

AUDIT DEPARTMENT OBJECTIVES

This example highlights the department's key objectives and planned activities focusing on the four dimensions of Audit's work: people, processes, systems and coverage.
■■ When to Use It:
–– To give the Audit Committee a high-level view of Audit's vision for the upcoming period, emphasizing resources and activities; normally presented once a year

Sample Text: In FY 20XX, Audit will continue to support the organization's strategic initiatives and key projects by providing objective assurance and advisory services to assist the enterprise in maintaining an effective system of internal controls.

FY 20XX Internal Audit Objectives

People
1. Attract and recruit new capabilities and competencies to expand the type of assurance provided by Internal Audit.
2. Continue development of skill sets based on the company's growth and demands of the Internal Audit department (e.g., critical thinking analysis, IT-specific skills, continuous auditing capabilities, industry knowledge, functional expertise).
3. Develop Internal Audit staff to take on key leadership roles in other parts of the business.

Processes
4. Ensure high-priority issues are closed within agreed time frames.
5. Coordinate better with other governance or controls groups to increase efficiency.

Systems
6. Implement advanced data analytics to assist in risk assessment and continuous auditing.
7. Identify opportunities within the SOX control environment to shift from manual to automated controls.
8. Integrate ERM software tools to facilitate risk identification and enhance the audit plan and procedures.

Coverage
9. Develop an audit plan that aligns with the company's strategic initiatives to address emerging risk more effectively.
10. Increase use of continuous monitoring to shift X% of audit focus from lower-risk areas to higher-risk areas.

Source: CEB analysis.

Audit Alignment With ERM and Corporate Strategy

LINKING AUDIT PLAN TO ERM RISKS: VERSION 1

This example provides a high-level overview of the ERM risks and control and urgency factors that Audit considers in developing the audit plan.
■■ When to Use It:
–– To clarify the link between ERM risks and planned audit activities, explain decision-making rationale and clarify how the audit plan addresses enterprise risks

Sample Text: The audit plan is based on enterprise residual risks. Engagements are prioritized by considering several criteria, outlined below. Audit engagements are defined as ERM audits, site audits, management requests, SOX or operational testing and other types of audits such as data analytics work and legal investigations.

ERM Risks, mapped against the following criteria:
■■ Risk mitigating factors/strategies identified and performed by management
■■ Last time audited and prior audit rating
■■ Existing SOX controls and prior SOX issues
■■ Existing policies and procedures to manage risk
■■ Projects in progress to address existing risks or prior issues
■■ Alignment of risks to strategic, company-wide objectives

Audit Plan, grouped by engagement type: ERM Audits; Site Audits; Management Requests; SOX or Operational; Other

Source: World Fuel Services Corporation; CEB analysis.

LINKING AUDIT PLAN TO ERM RISKS: VERSION 2

This example connects audit activities to Audit's risk observations and ERM-identified risk themes.
■■ When to Use It:
–– To clarify the relationships among enterprise risks, potential control issues identified in Audit's risk assessment and planned audit activities

ERM Risk Theme: New Markets and New Technology
■■ Risk Observations (a): Mobility; Cloud Computing; Emerging Markets; Social Media; Patents and Litigation; Enterprise Virtualization Convergence; Accelerated Growth in Unified Storage; Enterprise Workload Optimized Infrastructure; Process Integration; Post-Integration Sustainability
■■ Supporting Engagements: Network and Infrastructure; Social Media Integration; Cloud Computing; Mobility; M&A; Social Media

ERM Risk Theme: Evolving Infrastructure
■■ Risk Observations (a): Emerging Countries; Rationalize the Core; Sales Compensation; Original Design Manufacturers; Channel and Partner; Third-Party Reliance; Solution Infrastructure; Control of Assets; Third Parties; Inventory Controllership; Data Management; Global Environment; Global Solutions and Infrastructure
■■ Supporting Engagements: Global Network Security; Factory Audits; Sales Compensation; Third-Party Relationships; Pricing

ERM Risk Theme: Regulatory and Controllership
■■ Risk Observations (a): Talent, HR, Benefits and Compensation; FCPA and Anti-Bribery; Disclosure Requirements; Data Privacy; Financial Exposure; Business Continuity and Resumption Planning; Cybersecurity; Data Integrity; Business Resiliency; Contract Compliance (Third-Party and Customer); Shared Services (Payroll, Cash Applications); Trade Compliance
■■ Supporting Engagements: Data Protection and Privacy; FCPA and Anti-Bribery; Limited Site Reviews; Year-End Financials; Fraud Deterrence and Evaluation

Source: Dell; CEB analysis.

(a) To determine the "risk observations," Dell uses the outputs from various risk information sources (e.g., results from the IT risk assessment and fraud risk assessment, regulatory requirements, HR planning, external audit guidance and regional and business unit risk assessments). In reviewing various outputs, issues that appear in multiple sources and have greater impact are considered worthy of attention.

LINKING AUDIT PLAN TO ERM RISKS: VERSION 3

This example provides a summary of audit plan coverage by organizing each planned audit activity by audit category and type of enterprise risk.
■■ When to Use It:
–– To clarify the link between ERM risks and planned audit activities at a very high level

ERM Risks and Related Audit Projects

E-Commerce
■■ Customer Behavior Audit
■■ Data Access Review
■■ Digital Acumen Skills Review

Strategic Workforce Planning
■■ Workforce Plan Review
■■ Contingent Workers Accountability Review
■■ Knowledge Management Review

Supply Chain
■■ Third-Party Political Risk Exposure Audit
■■ Third-Party Disaster Recovery Audit
■■ Third-Party Governance Assessment

IT Security
■■ Patch Management Audit
■■ Employee Security Education Review
■■ Technology Policy Assessment

Fraud
■■ Fraud Risk Assessment
■■ Internal Controls Review
■■ Risk Culture Assessment

Compliance
■■ Global Regulatory Assessment
■■ Data Privacy Regulation Compliance Assessment
■■ Tax Compliance Readiness Audit

Source: CEB analysis.

LINKING AUDIT PLAN TO STRATEGY AND RISKS

This example shows how audit engagements address enterprise risks as well as the company's strategic objectives and value drivers.
■■ When to Use It:
–– To demonstrate links between audit work and overall corporate value creation

The slide reads left to right through five columns:
1. Value Drivers: The two overarching company goals are deconstructed into discrete value drivers.
2. Objectives: Value drivers are mapped to more tangible strategic objectives of the firm.
3. Risks: Risks to strategic objectives are sourced through various inputs.
4. Processes: High-level processes underlying strategic objectives are identified.
5. Audit Engagements: Audit engagements link directly to specific business processes that manage the risks that can undermine the firm's key objectives.

Value Drivers
■■ Top-Quartile Total Shareholder Return: Capital and Assets; Reputation; Market
■■ Mid-Teen ROI Cap: Growth; Efficiency

Objectives
■■ Financial: 1. 20% EBITDA over the next five years; 2. Double-digit sales increase annually
■■ Compliance: 1. Full compliance with all law, regulations and statutes across all operating geographies; 2. Avoidance of legal penalties or litigation expenses
■■ Operational: 1. Streamlined cost structure; 2. Fully automated inventory management; 3. Six-sigma or lean caliber process execution
■■ Strategic: 1. Double-digit growth in emerging markets annually; 2. Improved product offerings and streamlined service; 3. Strong investment in talent development

ERM Risks
1. Consumer Credit; 2. Customer Experience; 3. Product Liability; 4. Inflation; 5. People; 6. Inventory Management; 7. Business Continuity; 8. IP/Trade Law; 9. CSR; 10. Capital/Liquidity; 11. Supply Chain; 12. Cost Control/Efficiency; 13. Process Engineering; 14. Governance; 15. Financial Reporting; 16. HR Compliance; 17. Technology; 18. Growth Strategy Execution; 19. Regulatory Environment; 20. Information Privacy and Security; 21. External Forces; 22. Transformation of Business/Financial Model

High-Level Processes
Marketing; Logistics and Distribution; Selling and Customer Service; People; Strategy, Governance and Oversight; Legal and Risk; Merchandising; IT; Finance; Resource Management

Annual Audit Plan
■■ Engagement 1
■■ Engagement 2
■■ Engagement 3
■■ Engagement 4
■■ Engagement 5
■■ Engagement 6

Source: Nordstrom; CEB analysis.

LINKING AUDIT PLAN TO VALUE AND RISKS

This example illustrates how the company's value drivers shape Audit priorities and how these priorities relate to key risks we've identified.
■■ When to Use It:
–– To show how audit work advances overall corporate value creation and reflects leading research findings

Sample Text: Internal Audit's focus areas for 20XX aim to address key risks and drivers that create the most value for the company. In addition, these focus areas align closely with the CEB Audit Plan Hot Spots, a report of the top risks impacting companies for the upcoming year.

Company Value Drivers
■■ Managing for Value: Risk Mitigation; Cost Containment; Reduction of Assets and Complexity
■■ Customer Centricity: Transparency; Efficiency; Responsiveness to Client Needs
■■ Winning Performance Culture: Accountability; Simplified Structure; Effective Compliance Function and Education
■■ Execution: Getting the Basics Right; Continuously Improving Decision-Making Processes

Internal Audit Focus Areas, each mapped to the 20XX Audit Plan Hot Spots it addresses
■■ Compliance and Governance: Data Privacy; Geopolitical Volatility; Revenue Recognition
■■ Review Strategic Programs: Digitalization Preparedness; Growth and Innovation Pressures; Shareholder Intervention; Strategic Workforce Planning
■■ Basic Control Audits: Business Continuity and Disaster Recovery; Fraud; Revenue Recognition
■■ IT Security: Cloud Computing; Information Security Behaviors
■■ Operations: Business Continuity and Disaster Recovery; Digitalization Preparedness
■■ Financial and Equity Market Securities: Geopolitical Volatility; Shareholder Intervention
■■ Counterparty Risk: Cloud Computing; Business Continuity and Disaster Recovery
■■ Operational Performance: Corporate Culture

Source: CEB analysis.

AUDIT PLAN TRADE-OFFS

This example shows which risks are included in and excluded from the audit plan.
■■ When to Use It:
–– To show the Audit Committee the trade-offs in the audit plan in terms of risk impact, assurance coverage and available audit hours.

Assurance Matrix (Illustrative)
[Scatter plot: Risk 1 through Risk 16 plotted with Risk Impact on the horizontal axis (Low, Medium, High) and Assurance on the vertical axis (Low at the top, High at the bottom). Risks 1 through 8 sit in the low-assurance region; Risks 9 through 16 sit in the medium- to high-assurance region. A red line separates the risks included in the plan from those excluded.]

■■ Assurance: The degree of comfort derived from existing independent evaluation processes.
■■ Risk Impact: The effect on the business if the risk occurs.
■■ Red Line: Risks above the line will be included in the audit plan.

Source: The Coca-Cola Company; CEB analysis.

AUDIT COVERAGE BY BUSINESS AND PROCESS

This example presents planned audits in the context of processes and business units and functions.
■■ When to Use It:
–– To show how risk severity varies among entities and business units if the organization is decentralized.

Sample Text: Internal Audit's plan for 20XX focuses on the critical processes, strategic initiatives and key projects of the company, with a particular focus on activities that will contribute to maximizing the financial strength of the company.

[Coverage grid. Each cell is marked Not Applicable, Not Scheduled for Audit in 20XX or Scheduled for Audit in 20XX.
Columns (Critical Processes; the rotated headers are only partly legible in this extraction): Cash Management; Contractors, Joint Ventures and Third Parties; Measurement and Redemption; Accounts Payable; Inventory and Fixed Assets; Receivables and Credit; Capital Projects; Accounting and Reconciliations; Consulting and Services; Procurement (Materials and Production); Procurement (Marketing and Services); Compliance; Financial Products; Revenue; Taxes; Other; IT.
Rows (Business Functions): Business Unit 1 (Function 1; Function 2; Function 3); Business Unit 2 (Department 1; Department 2); Business Unit 3 (Operating Company 1; Operating Company 2; Operating Company 3; Operating Company 4; Department 3; Department 4; Department 5).]

Map the audit universe to top enterprise risks to effectively portray Internal Audit's coverage of the risk universe.

Source: Gamma Company (1); CEB analysis.
(1) Pseudonym.

Note: Please find a more detailed depiction of audit plan methodology and coverage to include in the appendix of an Audit Committee report on page 45.

Audit Department Resource Allocation

YEAR-ON-YEAR TIME ALLOCATION: VERSION 1

This example highlights changes to audit plan coverage from one year to the next by showing allocation of audit hours by activity type or audit area.
■■ When to Use It:
–– To show the Audit Committee year-on-year audit plan changes.
–– Any increases or decreases in the page's headline should be explained.

Sample Text
Key Objectives:
■■ Continue to shift from a SOX-centric focus to provide more consulting and advisory services that add value to the business.
■■ Continue to revisit the existing control matrix with management to identify opportunities for rationalizing controls.
■■ Ensure acquired companies comply with SOX requirements and SOX readiness.
■■ Review acquired sites approximately six weeks after closing, with a more detailed site review as needed.

20XX Audit and Advisory Plan: Actual (share of hours)
■■ ERM Audits: 28%
■■ Operational Audits: 24%
■■ SOX: 20%
■■ Financial Audits: 13%
■■ Consulting and Advisory: 5%
■■ Other Projects: 4%
■■ Investigations: 3%
■■ Unanticipated Risk Events: 2%
■■ External Auditor Assistance: 1%
Source: CEB analysis.

20XX Audit and Advisory Plan: Planned (share of hours)
■■ Operational Audits: 30%
■■ ERM Audits: 29%
■■ Financial Audits: 13%
■■ SOX: 12%
■■ Consulting and Advisory: 5%
■■ Other Projects: 4%
■■ Investigations: 3%
■■ Unanticipated Risk Events: 2%
■■ External Auditor Assistance: 2%
Source: CEB analysis.

YEAR-ON-YEAR TIME ALLOCATION: VERSION 2

This example uses graphs to quantify and illustrate the evolving audit focus and key factors that led to the change.
■■ When to Use It:
–– To help the Audit Committee understand audit plan changes over several years and the considerations driving them, focusing on risk categories and business processes (coverage can be presented in terms of monetary value or time)

Sample Text: Audit will focus on technology and financial risks for 20XX, as opposed to compliance and strategic risks. Rapid changes in the digital and regulatory landscapes have led to a sharp increase in our planned activities for next year. We intend to spend most of our planned hours performing audits in the IT and Procurement departments.

Plan Coverage (by Risk Category)
[Bar chart: Percentage of Planned Hours (0% to 30%) for 20XX, 20YY and 20ZZ, by risk category: Strategic; Operational; Financial; Compliance; Technology; Other.]
Source: CEB analysis.

Plan Coverage (by Business Process)
[Bar chart: Percentage of Planned Hours (0% to 30%) for 20XX, 20YY and 20ZZ, by business process: Finance; Marketing; Legal; Procurement; IT; Business Unit; Other.]
Source: CEB analysis.

YEAR-ON-YEAR TIME ALLOCATION: VERSION 3

This example communicates the forecasted and actual hours spent on audit activities, compares current and prior years and explains changes stemming from the new audit plan.
■■ When to Use It:
–– To help the Audit Committee understand year-on-year audit plan changes at a high level and in terms of hours

Sample Text
■■ Overall, there was a reduction of approximately 250 hours, or 3%. This reduction is due to enhanced efficiency from more experienced staff, increased head count and efforts to rationalize controls.
■■ Reduction of available hours for Audit and Advisory was primarily due to open positions (five) not hired until midyear.

Change in Hours

Category | 20XX Forecast | 20XX Actual | 20YY Forecast | 20YY Actual
SOX (Financial and IT) | 7,100 | 9,022 | 9,000 | 9,855
Audit and Advisory | 8,985 | 7,331 | 11,890 | 7,506
Co-Sourcing Hours | 1,000 | 1,144 | 1,000 | 1,290
Total Head Count (Including Co-Sourced FTEs) | 14 | 11 | 16 | 13

Source: World Fuel Services; CEB analysis.

YEAR-ON-YEAR TIME ALLOCATION: VERSION 4

This example quantifies hours budgeted in the audit plan and compares current and prior years' resource requirements.
■■ When to Use It:
–– To present a plan in terms of hours and provide a high-level view of the department's basic resource needs

Sample Text: In 20XX, most of our budgeted hours will be focused on performing strategic and compliance audits. Audit is currently facing resource scarcity and plans to increase the number of senior auditors in the team next year.

20XX Audit Plan Estimated Hours

Planned Audits | Estimated Hours
Strategic Risks | 800
Compliance Risks | 700
Operational Risks | 300
Financial Risks | 400
Other Risks (20XX Risk Assessment and Group Administration; Audit Issue Tracking; Consulting Assignments) | 400
SOX Testing | 400
Total Hours, 20XX Audit Plan | 3,000

Source: World Fuel Services; CEB analysis.

20XX Audit Plan Budget Highlights

Description | 20XX Plan | 20YY Plan
Projected Cost (at inception) | $ | $
Projected Technology Cost | $ | $
Projected Third-Party Cost | $ | $
Projected Travel Cost | $ | $
Other Cost | $ | $

Source: World Fuel Services; CEB analysis.

In-House FTEs

Position | 20XX Plan | 20YY Plan
VP | 1 | 1
Senior Manager | 2 | 2
Senior Auditor | 3 | 5
IT Auditor | 4 | 4

Source: World Fuel Services; CEB analysis.

Note: Please find a detailed depiction of the staff profile to include in the appendix of an Audit Committee report on page 47.

YEAR-ON-YEAR TIME ALLOCATION: VERSION 5

This example compares the current year's departmental budget with the previous year's budget and actual expenditures and explains key assumptions underpinning the new budget.
■■ When to Use It:
–– To provide a high-level view of the department's basic operating costs and describe year-on-year audit plan changes in financial terms

Sample Text
The 20YY budget considers the following assumptions:
■■ Current head count for the year is 18 (including VP) and the following positions need to be filled:
–– Audit Manager
–– Auditor 1
–– IT Auditing Specialist
■■ Key activities will continue:
–– Review of high-risk areas
–– Travel to significant locations, new acquisitions and remote locations not previously visited
■■ Technical audits for specialized areas will continue to be outsourced.

Annual Budgets (US Dollars in Thousands)

Line Item | FY 20XX Budget | FY 20XX Actuals | FY 20YY Budget
Compensation | XXXX | XXXX | XXXX
Travel | XXX | XXX | XXX
Professional Fees | XXX | XXX | XXX
Training | XXX | XXX | XXX
Total Budget | $ - | $ - | $ -

Source: World Fuel Services; CEB analysis.

Audit Performance
REMEDIATION PLANS

This example provides a status update of remediation plans, including the severity of open issues, expected remediation completion dates and trends; it also shows a snapshot of open issues by process, business unit or entity and/or region.

■■ When to Use It:
–– To show the Audit Committee the high-urgency issues needing remediation and related trends

Sample Text: As a whole, management has improved its timeliness in completing remediation plans. The seven open issues are the result of the corporate IT implementation effort. Management is working to resolve the three critical open issues by the end of 4QXX. There is one critical issue past due. Management’s remediation plan is on track.

Outstanding Open Issues at Quarter End

Issue   | Rating   | Entity       | Owner     | Management’s Plan | Anticipated Completion Date | Reported Completion %
Issue 1 | Critical | Sales        | Manager 1 | --------------    | 30 June 20XX                | 60%
Issue 2 | High     | Subsidiary A | Manager 2 | --------------    | 15 March 20XX               | 50%
Issue 3 | Low      | Operations   | Manager 3 | --------------    | 31 August 20XX              | 85%
Source: CEB analysis.

[Chart: Outstanding Open Issues, 1Q FY 20XX–1Q FY 20YY. Bar chart with three series per quarter (Open Issues, Critical Open Issues, Critical Issues Past Due) for 1Q FY 20XX, 2Q FY 20XX, 3Q FY 20XX, 4Q FY 20XX and 1Q FY 20YY; the per-quarter values did not survive extraction.]
Source: CEB analysis.

[Chart: Open Issues by Process in 20XX. Pie chart with segments Compliance and Ethics, Shared Services, Hiring, Procurement and IT; the shares shown are 15%, 14%, 8%, 17% and 46%, but the extraction does not preserve which share belongs to which segment. Callout on chart: Issues could also be classified by region.]
Source: CEB analysis.
QUARTERLY TRENDS

This example compares the current quarter’s high-risk audit findings with previous quarters’ findings.

■■ When to Use It:
–– To help the Audit Committee understand trend data on systemic issues in the company and which audits are yielding the most significant results

Sample Text: Most 1QXX audit findings result from the recent integration of the new entity with the business. These findings have been categorized as “strategic.” Management has agreed to remediate three open strategic issues by 31 December 20XX. The number of operational findings has remained constant this quarter as compared to the previous quarter. Management has agreed to remediate two remaining open operational issues by 30 September 20XX.

New High-Risk Audit Findings by Category

Issue Category   | Q1 20XX | Q2 20XX | Q3 20XX | Q4 20XX | Q1 20YY
Financial        | 1       | 0       | 0       | 0       | 0
Strategic        | 1       | 2       | 2       | 1       | 1
Operational      | 1       | 1       | 1       | 1       | 1
Compliance       | 0       | 1       | 0       | 0       | 0
Special Projects | 0       | 0       | 1       | 1       | 0
Total            | 3       | 4       | 4       | 3       | 2
Source: CEB analysis.

[Chart: New High-Risk Audit Findings by Category. Stacked bar chart of the same data by quarter (1Q FY 20XX through 1Q FY 20YY) with series Strategic, Compliance, Special Projects, Operational and Financial.]
Source: CEB analysis.
RISK CHANGES AND IMPACT ON AUDIT PLAN

This example concisely shows how the audit plan has changed in response to shifts in the risk environment.

■■ When to Use It:
–– To show the Audit Committee the distinct links between the audit plan and the risk environment (recommended if your audit plan has undergone changes needing justification or if your organization is operating in a particularly dynamic risk environment)

Sample Text: The original audit plan was adjusted for risk changes, with six projects added and two deferred. These changes are provided here for Audit Committee information or approval. The changes do not require resource adjustment.

[Chart: waterfall of audit plan changes, number of audits, axis -10 to 60.]
Original Plan  | 54
Plan Additions | 6
Plan Deletions | (2)
Revised Plan   | 58

Plan Additions
Risk Changes:
_______________________________
_______________________________
_______________________________
Audits Requested:
_______________________________
_______________________________
_______________________________

Plan Deletions
Risk Changes:
_______________________________
_______________________________
_______________________________
Risks Covered in Other Audits:
_______________________________
_______________________________
_______________________________

Source: CEB analysis.
SOX Testing and Results
SOX PLAN, EVOLUTION AND RATIONALIZATION

This example communicates the SOX testing plan, scope and rationalization.

■■ When to Use It:
–– If the organization has recently been subject to SOX compliance or has experienced challenges with SOX compliance in the past

SOX Timing
■■ Scoping to assess 20XX key controls and significant sites for control testing will be performed during 1QXX.
■■ Process walk-throughs and documentation will take place 2QXX through 3QXX. Control testing will take place 3QXX through 1QYY.

SOX Timeline (activities plotted against 1QXX, 2QXX, 3QXX, 4QXX and 1QXX; the Gantt bars did not survive extraction):
■■ 20XX Risk Assessment and Planning
■■ IT Risk Assessment
■■ Key Controls Walk-Throughs and Flowcharts
■■ Initial Testing
■■ Update and Remediation Testing
■■ Management Representation

SOX Significant Sites (Preliminary)
■■ XXXX
■■ XXXX
SOX Non-Significant Sites (Preliminary)
■■ XXXX
■■ XXXX

SOX Evolution and Rationalization
The SOX framework changed from 620 to 514 (including IT general controls) key controls during 20XX after Audit did the following:
■■ Reduced the number of key controls tested from 20XX to 20YY by automating, relying on compensating controls and consolidating controls where possible
■■ De-escalated controls to non-key by mitigating risks through other processes
■■ Transitioned preparation and assessment of control deficiencies to management

Location and ITGCs | 20XX | 20YY
(the key-control counts by location did not survive extraction)

Source: World Fuel Services; CEB analysis.
Dynamic Visualization
RISK DASHBOARD

This example presents Audit’s risk universe in an interactive way using Tableau; it enables the presenter to show high-level as well as granular information by selecting areas of interest and generating custom dashboard views.

■■ When to Use It:
–– To enable the CAE to present compellingly to the Audit Committee, providing options for areas to explore in additional detail; Audit Committee access to the dashboards to be granted as desired by specific committee members

ABC created an overall Risk Heat Map to reflect the results of ABC’s detailed risk assessment, by entity (geographic or market segment) and by major business unit. Placing the mouse cursor over a particular combination provides additional insight into the risk value. Selected visualizations are included in this PDF file.

[Dashboard screenshot. Workbook tabs: 1. Agenda; 2. Effort Distribution; Effort Distribution 2; 3 - Rotation Effort & Frequency; 4. Risk Heat Map; 4.1 Risk - (Amounts / Risk); 5. Rotational Audit Plans; 5.1 - IT Audit Plans - Rotational; Cyber Assurance Plan: Illustrative; IT Risk Management; Audit Project Results & Ratings.]

Risk Heat Map
Columns (entities): United States (Country 1, Country 2, Country 3); Direct (Company 1, Company 2, Company 3); Latin American Subs (Country 1 through Country 6); Non Direct (Company 1, Company 2); Service (Company 1, Company 2).
Rows (Type): Business Unit 1 through Business Unit 9.
The color-coded cells of the heat map did not survive extraction. Placing the mouse cursor over a particular cell provides additional insight into the risk.

Source: Aether Company (pseudonym).
RISK DASHBOARD (CONTINUED)

A tab with detailed risk information enables Audit to explain risk ratings and board members to explore issues further.

In addition to the summary view on the prior page, ABC layered in the underlying detail, to enable a Board Member recipient to explore further or for an ABC presenter to articulate a risk rating assigned.

[Dashboard screenshot: "Risk Details" tab. Workbook tabs: Audit Project Results & Ratings; Audit Project Results Ratings_Details; REFERENCE - Risk Considerations; Risk - Corruption Map; Risk - (Amt/Risk/Map); Risk Methods & Calcs; Risk Details; Risk Mega Dash; Risk - Industry Factors; Risk - CINC; Risk - Other; REFERENCE Materials; 1. Working Hours Reconciliation.]

Risk Details

Columns, in order: North America (Country 1, Country 2, Country 3); Direct (Company 1, Company 2, Company 3); Latin American Subs (Country 1 through Country 6); Non Direct (Company 1, Company 2); Service (Company 1, Company 2). Business Unit rows carry a numeric value per column; Sub Area rows carry a risk level (M = Medium, L = Low).

Type / Area     | Values by column
Business Unit 1 | 2 2 1 2 1 1 2 2 2 2 2 1 1 1 1 1
Sub Area 1      | M M L M L L M M M M M L M L L L
Sub Area 2      | M M L M L L M L L L L L L L L L
Sub Area 3      | M M M M L M M M M M M L M L L M
Sub Area 4      | M M L M L L L L L L M L L L L L
Sub Area 5      | M M L M L M M L L L L L L L L M
Sub Area 6      | M M L M L L M M M M M L L L L L
Sub Area 7      | M M M M L M M M M M M L L L L L
Sub Area 8      | M M L L L L L L L L L L L L L L
Business Unit 2 | 2 2 1 2 1 1 1 1 1 1 1 1 1 1 1 1
Sub Area 1      | L L L M L L L L L L L L L L L L
Sub Area 2      | M M L L L L L L L L L L L L L L
Sub Area 3      | M M M M L M M M M M M L L L L L
Sub Area 4      | M M L M M M L L L L L L L L L L
Sub Area 5      | M M L L L L L L L L L L L L L L
Sub Area 6      | M M L L L L L L L L L L L L L L
Sub Area 7      | M M M M L M M M M M M L L L L L
Sub Area 8      | M M M M M L M M M M M L L L L L
Sub Area 9      | M M M M M M M M M M M L L L L L
Business Unit 3 | 2 2 1 2 1 2 1 2 2 2 2 1 1 2 1 1
Sub Area 1      | M M L M L M L M M M M L L M L L
Sub Area 2      | L L L L L L L L L L L L L L L L
Business Unit 4 | 2 2 2 2 2 2 2 2 2 2 2 1 2 2 2 2
Sub Area 1      | M M M M M M M M M M M L M M M M
Sub Area 2      | M M M M M M M M M M M L M M M M
Sub Area 3      | M M M M M M M M M M M L M M M M
Sub Area 4      | M M M M M M M M M M M L M M M M
Sub Area 5      | M M L M M M L L L L L L L M L M
Sub Area 6      | M M M M M M M M M M M L M M M M
Sub Area 7      | M M M M M M M M M M M L M M M M
Sub Area 8      | M M L M M M L L L L L L L M M M
Sub Area 9      | M M M M M M M M M M M L M M M M
Business Unit 5 | 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
Sub Area 1      | M L L L L L L L L L L L L L L L
Sub Area 2      | M L L L L L L L L L L L L L L L
Sub Area 3      | L L L L L L L L L L L L L L L L
(row label cut off) | M L L L L L L L L L L L L L L L
(row label cut off) | M L L L L L L L L L L L L L L L

Source: Aether Company (pseudonym).
RISK DASHBOARD (CONTINUED)

An additional detailed visualization shows the components driving the risk rating for particular entities.

ABC created an additional detail visualization to break out the components (operational transaction frequency, operational transaction impact, mitigating controls) driving the risk rating for a particular entity and business unit.

[Dashboard screenshot: "Risk Mega Details" tab. Workbook tabs: Audit Project Results Ratings_Details; REFERENCE - Risk Considerations; Risk - Corruption Map; Risk - (Amt/Risk/Map); Risk Methods & Calcs; Risk Details; Risk Mega Dash; Risk - Industry Factors; Risk - CINC; Risk - Other; REFERENCE Materials; 1. Working Hours Reconciliation; ABC Mission. Filters: Risk Type Category (All; Business; Financial; Operations); Company Type (Direct; Latin American Subs; Non Direct; North America; Service); Company (North America - Country 1, 2, 3; Direct - Company 1, 2, 3; Latin America - Country 1 through 6; Non Direct - Company 1, 2; Service - Company 1, 2; New Acquisition 1).]

Legend:
H = High Risk
M = Medium Risk
L = Low Risk
S = Strong Controls
W = Weak Controls

Risk Mega Details: Latin American Subs, Business Unit 1, Operations. For each of Country 1 through Country 5 the view shows four columns (Ops Mitigate Controls, Ops Risk Rating, Ops Frequency, Ops Impact). The cell values extracted per sub area, in groups of four per country, are:

Sub Area 1 | L H S M | H H S M | L H S M | H H S M | H H S M
Sub Area 2 | L H S M | H H S M | L H S M | H H S M | H H S M
Sub Area 3 | H H S M | H H S M | H H S M | H H S M | H H S M
Sub Area 4 | H H S M | H H S M | H H S M | H H S M | H H S M
Sub Area 5 | H H S M | H L S L | H L S L | H L S L | H L S L
Sub Area 6 | H H S M | H H S M | H H S M | H H S M | H H S M
Sub Area 7 | H H S M | H H S M | H H S M | H H S M | H H S M
Sub Area 8 | H H S M | H L S L | H L S L | H L S L | H L S L
Sub Area 9 | L H S M | H H S M | L H S M | H H S M | H H S M

(The extraction does not preserve which of the four positions corresponds to which column; the S/W value is the mitigating-controls component.)

Source: Aether Company (pseudonym).
ROTATIONAL AUDIT PLANS

This example shows past, current and planned efforts within major operating and audit areas.

■■ When to Use It:
–– If you want to show how audit activities focused on particular auditable entities compare over several years

ABC has adopted a rotational audit plan and created the following view to articulate to the Board past, current, and planned efforts within each subsidiary and operating area.

[Dashboard screenshot: "5. Rotational Audit Plans" tab. Workbook tabs: 1. Agenda; 2. Effort Distribution; Effort Distribution 2; 3 - Rotation Effort & Frequency; 4. Risk Heat Map; 4.1 Risk - (Amounts / Risk); 5. Rotational Audit Plans; 5.1 - IT Audit Plans - Rotational; Cyber Assurance Plan: Illustrative; IT Risk Management; Audit Project Results & Ratings; Audit Project Results Ratings_Details.]

Callouts:
■■ Major operational areas and specific audit areas, by operating company and year (past, present, and future).
■■ ABC presenter can select specific subsidiary or major business unit, past/present/future years, as well as major categories of audit efforts.
■■ A navigation tab allows the presenter to customize the view by business unit, year and audit activity.

Filters: Company (North America - Country 1 - Group 1, 2, 3; North America - Country 2; North America - Country 3; Direct - Company 1 - Group 1, 2, 3; Direct - Company 2; Direct - Company 3; Latin America - Country 1 through 6; Non Direct - Company 1, 2; Service - Company 1, 2; New Acquisition 1 through 4); Year/Risk (Multiple values); Category (Audit Support; Data Analytics / Cont Mo..; Effort Avail; IT; Operational; Special; SOX).

Rotational plan view (Category | Area | Risk | 2016 | 2017 | 2018 | 2019); rows as recovered from the extraction, with cells whose year could not be determined noted:
Operational | Sub Area 1 | 2 | - | Direct e-Commerce Business | Direct e-Commerce Business | Sales Promotions
Operational | Sub Area 2 | 2 | Accounting; Revenue Recognition (years not recoverable)
Operational | Sub Area 3 | 2 | -
Operational | Sub Area 4 | 2 | Payroll (year not recoverable)
Operational | Sub Area 5 | 2 | Warehouse (year not recoverable)
Operational | Sub Area 6 | 2 | -
Operational | Sub Area 7 | 2 | -
Operational | Sub Area 8 | 2 | Hotline Awareness (year not recoverable)
Effort Avail | Operational Avail Hours | - | - | 717 | 717 | 717
IT | IT | 2 | IT Audit Plan | IT Audit Plan | IT Audit Plan | IT Audit Plan
Special | Mgmt Request / Special | - | Notes A & B | Customer Review | - | -
Audit Support | Physical Inventories | - | Annual Count | Annual Count | Annual Count | Annual Count
SOX | SOX | - | SOX | SOX | SOX | SOX
(category not recoverable) | EY Reliance | - | - | - | - | -
(category not recoverable) | EMS (Environment) | - | - | - | - | -
(category not recoverable) | Other | - | - | - | - | -
Data Analytics | Sub Area 1 | - | Look back | Monitoring | Monitoring | Monitoring
Data Analytics | Sub Area 2 | - | - | Monitoring | Monitoring | Monitoring

Source: Aether Company (pseudonym).
AUDIT PLAN DATA VISUALIZATION DASHBOARD

This example provides a comprehensive and easily digestible summary of the audit plan and status of key risks; the click-through capability allows more detailed exploration.

■■ When to Use It:
–– To enable the CAE to present high-level plan progress to the audit committee, while also providing the option to present more detailed views.

[Dashboard with five panels, each with a "More Details" click-through:]
■■ SOX Testing Progress: 55% Complete, 45% Not Started.
■■ SOX Open Deficiencies by Process Area: bar chart by severity (Low, Medium, Significant); the values did not survive extraction.
■■ Cost Savings Opportunities ($ in Millions), 2012 through 2017: two series, Cost Savings Opportunities Identified and Cost Savings Realized, plotted on a Dollar Value axis from $0 to $30 with a Total. The bar labels extracted are $23, $17, $15, $15, $11, $13, $7, $15, $12, $8, $7, $6 and $5 (one of the $15 values is an axis tick); their assignment to year and series is not recoverable.
■■ IA Plan Status 2018: number of Engagements by status (Not Started, In Progress, Complete, Canceled) on an axis from 0 to 100; the values extracted are 45, 47, 24, 10 and 1, and their assignment to status is not recoverable.
■■ IA Open Issues by Segment (Low, Medium, Significant) on an axis from 0 to 170: Segment A 27, 101, 32; Segment B 72, 11; Segment C 40, 17 (values as extracted; the severity of each value is not recoverable).

Click-through capability enables a more granular analysis of each issue type.

Source: Occidental Petroleum; CEB analysis.
AUDIT PLAN DATA VISUALIZATION DASHBOARD (CONTINUED)

IA Plan Status

[Chart: Plan Status by year (2017, 2018), number of engagements on an axis from 0 to 100, by status: Postponed, Not Started, In Progress, Canceled, Completed. The values extracted are 1, 5, 47, 50, 83, 24, 10 and 1, 1, 1, 1; their assignment to status and year is not recoverable.]

Current Audit Plan (counts did not survive extraction)

Status        | 2016 | 2017 | 2018
Original Plan |      |      |
Additions     |      |      |
Postponed     |      |      |
Current Plan  |      |      |

Status      | 2016 | 2017 | 2018
Canceled    |      |      |
Completed   |      |      |
In Progress |      |      |
Not Started |      |      |
Postponed   |      |      |

Additions 2017
■■ Acquisition
■■ IT Process A
■■ Compliance Preparedness

Additions 2018
■■ Cost Accounting
■■ Cybersecurity
■■ Strategic Audit B

Postponed or Canceled 2017
■■ T&E
■■ IT Application B

Postponed or Canceled 2018
■■ Business Unit A Performance
■■ IT Application B

Provides year-over-year comparisons of plan progress and revisions.

Source: Occidental Petroleum; CEB analysis.
AUDIT PLAN DATA VISUALIZATION DASHBOARD (CONTINUED)

IA Open Issues by Segment (Low, Medium, Significant; axis from 0 to 170)
Segment A: 27, 101, 32
Segment B: 72, 11
Segment C: 40, 17
(values as extracted; the severity of each value is not recoverable)

IA Open Issues by Methodology
[Pie chart with segments Comparative, Operational, Compliance, JV Audit, Contractor, IT and GCR; the shares extracted are 10%, 24%, 19%, 12%, 11%, 18% and 6%, listed in the order the labels appear in the extraction, so the pairing of label and share is approximate.]

Aging of Past Due IA Action Plans by Status

Days Overdue | Methodology | Open | Partially Complete | Grand Total
> 180        | Compliance  | 1    | 4                  | 5
> 180        | JV Audit    | 3    | 12                 | 15
> 180        | Operational | 0    | 21                 | 21
91-180       | Operational | 3    | 0                  | 3
< 91         | Compliance  | 2    | 7                  | 9
< 91         | GCR         | 14   | 51                 | 65
Grand Total  |             | 23   | 95                 | 118

Aging of Past Due IA Action Plans by Issue Category

Days Overdue | Methodology | Control Weaknesses | Process Enhancement | Significant | Grand Total
> 180        | Compliance  | 2                  | 4                   | 0           | 6
> 180        | JV Audit    | 0                  | 7                   | 0           | 7
> 180        | Operational | 0                  | 9                   | 0           | 9
91-180       | Operational | 0                  | 2                   | 4           | 6
< 91         | Compliance  | 0                  | 1                   | 0           | 1
< 91         | GCR         | 0                  | 4                   | 1           | 5
Grand Total  |             | 2                  | 27                  | 5           | 34

Segmenting past-due issues by status and issue category helps stakeholders prioritize remediation efforts.

Source: Occidental Petroleum; CEB analysis.
AUDIT PLAN DATA VISUALIZATION DASHBOARD (CONTINUED)

Cost Savings by Issue Type ($ in Millions)
[Bar chart, axis from $0 to $30. Categories: External FTE spend, Internal FTE spend, Travel Expense, Project Scope, IT Expense, Project Moved; the bar labels extracted, in order, are $23, $21, $15, $10, $9 and $4.]

Cost Savings per Business Unit
[Heat map of Business Unit 1 through Business Unit 8. Each cell is keyed by issue type (A = External FTE Spend, B = Internal FTE Spend, C = Travel Expense, D = Project Scope, E = IT Expense, F = Project Moved) and shaded by Severity of Overcharge (High to Low). The placement of cells within each business unit did not survive extraction.]

The heat map helps stakeholders understand how issues affect individual business units and the enterprise as a whole.

Source: Occidental Petroleum; CEB analysis.
Appendix Documents
AUDIT PLANNING PROCESS: VERSION 1

This example provides a quick overview of the audit planning process.

■■ When to Use It:
–– To convey that the audit plan is based on a comprehensive analysis of internal and external trends that were validated at various levels

Sample Text: The audit planning process begins with a general risk framework and extends to face-to-face meetings with senior leaders, review of corporate and area business plans and consideration of previous audit findings and the current control environment as well as the auditor’s business judgment.

[Diagram]
External Factors: News and Events; Regulatory Compliance; External Consultants; Industry Benchmarks
Internal Factors: XYZ Strategy; Management Interviews; Prior Audits; Enterprise Risks
Audit Universe → Risk-Based, Prioritized Audit Universe (Emerging Risk Areas; High-Priority Risk Areas; Low-Priority Risk Areas) → Audit Strategy → FY 20XX Audit Plan
Validated by Top Management

Source: CEB analysis.
AUDIT PLANNING PROCESS: VERSION 2

This example communicates the information Audit relies on to complete its risk assessment and build the audit plan.

■■ When to Use It:
–– To describe key planning steps, inputs and considerations

1 Risk Assessment

Obtain inputs.
■■ Update understanding of the company’s enterprise and entity risk profile.
■■ Review last year’s audit results and the company’s past financial statement.
■■ Conduct management interviews across key functions and operations.
■■ Review any existing key documents before the interviews.

Internal
■■ XYZ Strategy
■■ Enterprise Risks
■■ Prior Audit Results
■■ Management Interviews
■■ Employee Survey
■■ Financial Forecast

External
■■ Regulatory Compliance
■■ News and Events
■■ External Consultants

Assess and prioritize risk.
■■ Document and compile information obtained from interviews.
■■ Develop risk capturing and ranking criteria.
■■ Validate the results with management.
■■ Aggregate and prioritize the risk information.

Risk Criterion
■■ Likelihood
■■ Impact
■■ Inherent Risk
■■ Complexity
■■ ROI
■■ Speed/Velocity
■■ Existing Controls
■■ Other

2 Risk-Driven Audit Plan

Develop internal audit plan.
■■ Identify auditable entities, processes and sub-processes.
■■ Map auditable risks into the audit universe.
■■ Develop a complete listing of prioritized audit focus areas.
■■ Determine the risk-driven Internal Audit plan considering management’s budget parameters.

Obtain approval.
■■ Review draft risk-driven Internal Audit plan with management.
■■ Obtain Audit Committee approval.

Source: CEB analysis.
OVERVIEW OF THE RISK ASSESSMENT PROCESS

This example, with simple visuals, shows the Audit Committee how the risk assessment process is used to filter the risk universe into a draft audit plan.

■■ When to Use It:
–– To provide basic information on the risk assessment and audit planning processes

[Funnel diagram: Universe of Risks → Significant Auditable Risks → Draft Audit Plan]

Create the Strategic Risk Universe
The following inputs are used to generate the risk universe:
■■ Audit management discussion of 10-K risks
■■ Discussions with risk owners
■■ Risks mentioned in professional publications
■■ Discussions with external auditors
■■ Discussions with 25-40 senior managers and subject matter experts

Identify the Most Significant Risks
The Audit team uses the following questions as a filter:
■■ Does the audit team have the most appropriate skills and experiences to provide value-added engagement in the risk management analysis?
■■ Is the risk topic reasonably “actionable” by the Audit department?
■■ Is the risk topic generally applicable to multiple business segments and units or more isolated to only one to two entities?

Identify Possible Audit Engagements
Output from the strategic risk assessment and the “bottom-up” audit universe risk assessment is used to develop a draft plan.
■■ Degree of assurance, risk impact and available hours are taken into account.
■■ The audit plan also considers traditional elements such as SOX coverage and coordination with external Audit.

Source: The Coca Cola Company; CEB analysis.
AUDIT PLAN COVERAGE: DETAILED

This example presents current and planned audits in the context of business processes and risk areas.

■■ When to Use It:
–– To show the connections between audit areas and key risks if the organization is centralized and has relatively uniform risk severity across entities and business units

Sample Text: Audit uses a risk-based model that maps corporate risks to processes and integrates risk assessments to determine which areas to audit each year. The volatility in the marketplace and ongoing global economic turmoil have led to a sharp increase in our audit coverage for next year.

[Matrix: Audit Universe processes (rows) against Principal and High Risks (columns), with each row shaded as Currently Being Audited, Yet to Be Audited in the Current Plan, or Not Subject to Audit. The “X” marks and shading did not survive extraction.]

Principal and High Risks (columns): Financial Reporting; System Security; Theft and Fraud; Financial Products; Customer Service; Business Interruption; Product Quality; Liquidity; Comments

Audit Universe Processes (rows):
Finance and Administration: Expense Reporting; Capital Expenditure; Cash Management; Accounts Payable; Treasury
HR: Recruitment; Compensation
IT: IT Security; IT Development; Electronic Commerce

Callouts:
■■ Map the audit universe to top enterprise risks to effectively portray Audit’s coverage of the risk universe.
■■ The “X” in a cell illustrates where a process contributes significantly to a specific risk.

Source: Canadian Tire Corporation Limited; CEB analysis.

Note: Risk and audit process categories are for illustrative purposes only and do not reflect Canadian Tire’s assessment.
INTEGRATED ASSURANCE MAP

This example maps risks to assurance provided by the three lines of defense to help determine the audit plan and establish the Audit department as the ultimate provider and coordinator of assurance.

■■ When to Use It:
–– To show the combined activities of all assurance groups, if the organization has an integrated assurance framework in place

Assurance Map (Illustrative)
Global Internal Audit (GIA), Corporate and Regional Functions Assurance Map, March 20XX

Key:
Indicative contribution to assurance: Significant; Moderate; Minor
Movement during 20XX: Increase; Stable; Decrease

Map columns: Risk Category | Component Risk | Indicative Risk Trend During 20XX | Sources of Assurance—Three Lines of Defense: First Line (Management Control Framework), Second Line (Functional Assurance), Third Line (Independent/External Assurance; GIA Coverage— 20XX Audits) | Planned GIA 20XX Assurance Activities

Callouts:
1. Risk Category: Through Audit’s dynamic risk assessment process, key strategic, project and operational risks are identified and categorized into six major auditable risk areas.
2. Component Risk: Risks are further broken down into specific, identifiable and auditable areas.
3. Indicative Risk Trend: Risks are assessed as increasing, stable or decreasing.
4. First Line/Second Line/Third Line of Defense Assurance: Areas of assurance that mitigate the identified risks across the organization are mapped and assessed based on the relative level and effectiveness of assurance provided (i.e., minor, moderate, significant), then color-coded from light to dark.
5. Coverage from Prior Audits: The map includes previous Global Internal Audit activities related to the identified risk areas.
6. Planned Global Internal Audit Assurance: Having considered all risk information and the level/quality of the related known assurance activities across the organization, the final column represents the Global Internal Audit plan.

Source: IHG; CEB analysis.
AUDIT STAFF PROFILE

This example provides a snapshot of staff qualifications, productivity and opportunities for improvement.

■■ When to Use It:
–– To provide the Audit Committee with additional information on department composition and output

Employee Qualification
Number of Auditors (Illustrative)

Formal Education                                    | Number of Auditors
Certified Public Accountant (CPA)                   | 18
Certified Internal Auditor (CIA)                    | 15
Certified Fraud Examiner (CFE)                      | 11
Certified Information System Auditor (CISA)         | 4
Certified Investment and Derivatives Auditor (CIDA) | 6
Certified Professional Environmental Auditor (CPEA) | 3
Source: CEB analysis.

Employee Work Experience
Number of Auditors (Illustrative)
[Bar chart with two series, Experience in Department and Total Relevant Experience, across the bands 0 to Two Years, Three to Five Years, Six to 10 Years and More Than 10 Years, on an axis from 0 to 4; the per-band counts did not survive extraction.]
n = 8.
Source: CEB analysis.

Employee Efficiency
Year Over Year

                          | 20XX | 20YY
Number of Projects        | XX   | YY
Number of Auditors        | XX   | YY
Auditors-to-Project Ratio | X:Y  | Y:Z
Source: CEB analysis.

Skill Gap Assessment
Illustrative

Category  | Experience                            | Gaps                                        | Mitigation Plan
IT Audits | 15 of 18 employees with IT experience | Only 1 auditor with applications experience | Co-source with provider as necessary
—         | —                                     | —                                           | —
—         | —                                     | —                                           | —
Source: CEB analysis.
RISK UNIVERSE: VERSION 1

This example lists enterprise risk categories and sub-categories and underlying risks.

■■ When to Use It:
–– To provide the Audit Committee with additional information on the risk universe if the organization uses a tri-level risk taxonomy.

Strategic

1.1 Governance
1.1.1 — Board Performance
1.1.2 — Tone at the Top
1.1.3 — Control Environment

1.2 Planning and Resource Allocation
1.2.1 — Organizational Structure
1.2.2 — Strategic Planning
1.2.3 — Annual Budgeting
1.2.4 — Forecasting
1.2.5 — IT Strategy
1.2.6 — Tax Planning

1.3 Major Initiatives
1.3.1 — Planning and Execution
1.3.2 — System Implementations

1.4 Mergers, Acquisitions and Divestiture
1.4.1 — Valuation and Pricing
1.4.2 — Due Diligence
1.4.3 — Execution and Integration

1.5 Market Dynamics
1.5.1 — Competition
1.5.2 — Macroeconomic Factors
1.5.3 — Sociopolitical Factors
1.5.4 — Customer Profile Trends
1.5.5 — Pricing Pressures

1.6 Communications
1.6.1 — Media Relations
1.6.2 — Crisis Communication
1.6.3 — Employee Communication

1.7 Stakeholders
1.7.1 — Shareholders
1.7.2 — Customers
1.7.3 — Suppliers

Compliance

2.1 People/HR
2.1.1 — Culture
2.1.2 — Recruiting and Retention
2.1.3 — Development and Performance
2.1.4 — Succession Planning
2.1.5 — Compensation and Benefits

2.2 IT
2.2.1 — IT Strategy and Planning
2.2.2 — Information Protection/Security
2.2.3 — Application and Operating Systems
2.2.4 — Business Continuity Planning
2.2.5 — Outsourcing Relationships
2.2.6 — Hardware Procurement and Support
2.2.7 — End-User Computing

2.3 Hazards
2.3.1 — Natural Events
2.3.2 — Terror and Malicious Acts

2.4 Physical Assets
2.4.1 — Property, Buildings and Equipment

2.5 Tax Operations
2.5.1 — Tax Planning
2.5.2 — Tax Department Operations

2.6 Products
2.6.1 — Marketing and Sales
2.6.2 — Customer Service
2.6.3 — Pricing
2.6.4 — Product Availability

2.7 Supply Chain
2.7.1 — Quality of Supply/Service
2.7.2 — Availability of Supply
2.7.3 — Supplier Failure
2.7.4 — Materials Pricing
2.7.5 — Operations Planning
2.7.6 — Production Capacity
2.7.7 — Plant Health and Safety
2.7.8 — Product Quality
2.7.9 — Inventory Planning
2.7.10 — Loading Systems
2.7.11 — Rail Systems

Source: CEB analysis.
RISK UNIVERSE: VERSION 1 (CONTINUED)

Operational

3.1 Code of Ethics
3.1.1 — Ethics
3.1.2 — Fraud

3.2 Legal
3.2.1 — Contract Administration
3.2.2 — Record Retention
3.2.3 — Liability
3.2.4 — Trademark Compliance
3.2.5 — Litigation

3.3 Regulatory
3.3.1 — Labor
3.3.2 — Data Protection and Privacy
3.3.3 — Tax Compliance and Tax Authority
3.3.4 — Securities and Exchange Commission
3.3.5 — Environmental
3.3.6 — Customs

Financial

4.1 Market
4.1.1 — Interest Rate
4.1.2 — Credit Ratings
4.1.3 — Foreign Currency
4.1.4 — Derivatives

4.2 Liquidity and Credit
4.2.1 — Cash Management
4.2.2 — Funding
4.2.3 — Hedging
4.2.4 — Credit and Collectibles
4.2.5 — Insurance
4.2.6 — Debt
4.2.7 — Equity
4.2.8 — Debt Covenants
4.2.9 — Pension/Retirement Funds

4.3 Accounting and Reporting
4.3.1 — Reporting and Disclosure
4.3.2 — Revenue Recognition
4.3.3 — Internal Control
4.3.4 — Tax Strategy and Planning
4.3.5 — Tax Optimization

Reputational

5.1 Reputational
5.1.1 — Health and Safety
5.1.2 — Employee Satisfaction
5.1.3 — Community Programs
5.1.4 — Economic Forces
5.1.5 — Political Forces
5.1.6 — Social Responsibility
5.1.7 — Public Relations

Source: CEB analysis.
RISK UNIVERSE: VERSION 2

This example lists enterprise risk categories and underlying risks.
■■ When to Use It:
–– To provide the Audit Committee with additional information on the risk universe if the organization uses a dual-level risk taxonomy

20XX Corporate Risk Assessment Universe

Sales and Marketing — Corporate
1. Product Marketing
2. Advertising
3. Contract Sales
4. Spot Sales
5. Export Sales
6. Direct Sales
7. Indirect Sales and Merchant Sales
8. Pricing
9. Sales Commission
10. Rebates
11. Product Research and Development
12. Product and Service Refinement
13. Technical Support

Sales and Marketing — Westchester
1. Supply Chain Optimization
2. Manage Production and Delivery Process
3. Demand Management and Forecasting
4. Customer Service (e.g., Order Entry)
5. Managing and Processing Orders
6. Maintaining Customer Masterfile
7. Invoicing — Customer Billing
8. Returns and Adjustments

Finance
1. General Ledger
2. General Accounting (e.g., Basic, Pension, Derivatives, Hedging)
3. Account Reconciliations
4. Fixed Assets
5. Delegation of Authority
6. Segregation of Duties
7. Financial Analysis and Forecasting
8. Budgeting
9. Capital Expenditure Approval
10. Policies and Procedures
11. Investor Relations and Stockholder Communication
12. New Business Process Implementation
13. Performance-Monitoring KPIs, Balanced Scorecard

Tax
1. Deferred Taxes and Income Taxes
2. Property Tax
3. Sales and Use Tax
4. Federal and State Returns
5. Federal Excise Taxes

Legal
1. Contracts
2. Governance
3. Code of Conduct
4. Whistleblower and Compliance
5. Monitoring of External Legal Environment
6. Manage Legal Compliance
7. Antitrust, NYSE, etc.
8. SEC Reports (Nonfinancial) and Proxy Statement
9. Manage Relationships With Board of Directors
10. Record and Information Management
11. Litigation Management
12. Intellectual Property
13. Trademarks
14. Copyrights
15. Insider Trading
16. Lobbying and Public Policy

Financial Reporting
1. External Reporting (e.g., 10-K, 10-Q, XBRL, IFRS)
2. Accounting Developments and Treatments
3. Consolidation

Environmental, Health and Safety
1. Property Protection
2. Plant Protection
3. Security
4. Workers’ Compensation Management
5. Contracts and Contractor Management
6. Product Stewardship Liability

Source: CEB analysis.

RISK UNIVERSE: VERSION 2 (CONTINUED)
20XX Corporate Risk Assessment Universe (Continued)

Manufacturing
1. Planning and Scheduling
2. Project Delivery Process
3. Regulatory Compliance (e.g., State, Local)
4. Wood Procurement — See Fiber Supply
5. Realizable Gap Process
6. Subtotal Operation Process
7. Distribution
8. Energy and Technology
9. Warehousing
10. Sustainability (Fiber and Wood Certifications)

Payroll
1. Vendor Processing Administration (ADP)
2. Payroll Check Processing (Corporate and Mills)
3. Timely Administration (E-Time, Payforce)

Accounting Center of Excellence
1. Accounts Receivable
2. Accounts Payable
3. Corporate Card Administration
4. Non-PO (Non-Purchase Order) Authorization
5. Fleet Administration
6. Disbursement

Integrated Planning and Control
1. Sourcing/Procurement
2. Gap Analysis
3. End-to-End Business Monitoring
4. Integrated Business Management (Including Enterprise Risk Management)
5. Strategic Decision Making

IT [a] (See IT Risk Analysis)
1. Operations
2. Logical Security
3. Application and DB Change Management
4. OS Change Management

Treasury
1. Credit and Collections
2. Cash Management
3. Loan Covenant Compliance
4. Insurance Risk Management
5. Debt (e.g., New, Old, Repricing, Payoffs)
6. Derivatives and Hedging
7. Investments and Foreign Exchange

HR
1. Compensation/Bonuses Benefits
2. Leave Administration
3. Compliance (e.g., I-9, HIPAA, Pension, 401(k))
4. Executive Compensation and Reporting
5. Recruiting, Onboarding, Transfers and Terminations
6. Employee Relations (Personnel Management, Staffing Analysis and Performance Management Process)
7. Internal Employee Communications
8. Workforce Planning
9. Executive Succession Planning
10. Training and Development
11. Labor Strategy and Contingency Planning

Source: CEB analysis.
[a] Inclusive of major systems (i.e., SAP, ADP, Champ, Invoicing — Customer Billing Sabrix, Majiq, Active Directory, WTS).
