Presenting To The Audit Committee: A Collection of Reporting Examples
June 2018
Legal Caveat
Gartner, Inc. and/or its affiliates (“Gartner”) is not able to guarantee the accuracy of the information or analysis contained in these materials. Furthermore, Gartner is not engaged in rendering legal, accounting, or any other professional services. Gartner specifically disclaims liability for any damages, claims, or losses that may arise from a) any errors or omissions in these materials, whether caused by Gartner or its sources, or b) reliance upon any recommendation made by Gartner.
INTRODUCTION

This deck is a collection of illustrative reporting examples derived from presentations to Audit Committees. The collection includes slides for presenting department objectives, audit trends, risk assessment and audit planning processes and resource requirements. The deck does not represent a complete Audit Committee presentation but rather select elements of practitioner-developed frameworks you may reference while building presentations for your own Audit Committee.

These examples provide flexible guidance for communicating with the Audit Committee. Some slides presented in their entirety may be best suited for presentations of longer duration. Slide scope, elements and details may be tailored to the needs of your organization and Audit Committee. We will add to this collection as we uncover new, innovative examples.

Quick Facts
■■ Length of Audit Committee Report: Sixty-seven percent of Audit departments’ presentations to the Audit Committee are 15 pages or shorter, including appendices — an approach that aligns with our reporting guidance. Determine whether your Audit Committee would like to see executive summaries or full audit reports in the appendix.
■■ Length of Audit Committee Meetings: The typical duration of Audit Committee meetings is 1.5 to three hours. Most Audit departments have up to 30 minutes to present to the committee.
■■ Frequency of Audit Committee Communication: In addition to the annual and quarterly Audit Committee meetings, Audit teams:
–– Schedule teleconference sessions (four on average) with Audit Committee members throughout the year;
At our 2017 Assurance Summit, Audit Committee members shared their views on effective reporting.
■■ Keep it simple and concise. Don’t include unnecessary detail, but focus on the metrics that matter. Put granular and additional information in the appendix and refer to it if it is relevant to the discussion.
■■ Focus on trends rather than point-in-time assessments. The Audit Committee wants to understand how the organization’s risk profile and Audit’s work are evolving over time.
■■ Focus on the content, not the delivery platform (e.g., PowerPoint, Word, Tableau). Directors do not care how a report delivers content as long as it does so concisely.
■■ Provide the full context. If possible, include data from other assurance functions to provide the board with full understanding of the organization’s risk and assurance profiles.
■■ Use visuals when appropriate. When data can be better expressed in a visual form, use that to lead the discussion where you want it to go.

Over the years, we have also observed a few common mistakes in Audit Committee reporting.
■■ Underestimating the power of the executive summary
■■ Failing to provide important context for data, such as the reason behind an increase or decrease
■■ Including issues without stating when or how they will be resolved or why they are important
■■ Obscuring challenge areas and missing out on valuable input from the committee that could inform solutions
■■ Shying away from asserting your professional judgment
■■ Avoiding definitive statements
PRESENTATION ELEMENTS INCLUDED
Executive Summary 6
Audit Performance 26
Dynamic Visualization 32
Appendix Documents 41
Overview of the Audit Planning Process 42
Overview of the Risk Assessment Process 44
Audit Plan Methodology and Coverage (Detailed Version) 45
Integrated Assurance Map 46
Audit Staff Profile 47
Risk Universe 48
Executive Summary
© 2017–2018 Gartner, Inc. and/or its affiliates. All rights reserved. ADR181237 6
EXECUTIVE SUMMARY: VERSION 1

This example provides a brief overview of Audit’s recent work and highlights key issues for the Audit Committee to discuss; it also addresses high-level audit findings and output, as well as events that affect the risk environment.
■■ When to Use It:
–– To provide the committee with key insights up front (recommended)

Presenter notes on the slide:
■■ Include an overall audit opinion on the control environment to assuage directors’ concerns immediately.
■■ Highlight in summary form and include details in the appendix.

First Quarter Snapshot
Internal Audit completed a range of assurance audits, special reviews and consultative activities during the quarter. The results of our work indicate that management controls over the business activities of our company remain effective. This report provides an overview of activities for the quarter and notes several areas for potential improvement in business controls. A summary of investigation, security and consultative activities conducted during the quarter is also included.

Summary of Audit Activities
■■ X Audits Completed: Business Unit 1; Function 1
■■ Special Reviews: X Audits
■■ Support for Company Projects: Project 1; Project 2; Project 3
Annual audit plan was completed and is included herein.
EXECUTIVE SUMMARY: VERSION 2

This example provides a streamlined summary of key audit operations and status compared with status in the previous quarter, clearly identifying issues that require special attention from the committee.

Sample Text: This report summarizes audit activities and includes important observations on the status of the organization’s overall risk and control environment. At the end of the first quarter, there were no audit observations that would impact financial results as presented.

Slide sections: Control Deficiency Resolution; Investigations; Managing the Group Audit Function.

Audit Strategy and Objectives
AUDIT DEPARTMENT STRATEGY

This example communicates a clear, concise and measurable department strategy, including metrics showing anticipated progress against goals.
■■ When to Use It:
–– To clarify Audit’s current state, its future direction, the path it will take and expected outcomes; normally presented once a year

How the slide is built:
1 Craft a concise and memorable statement that captures the essence of the strategy. The statement should summarize the key objectives of Audit’s one- to three-year strategic plan.
2 Identify four to seven metrics that define the function’s current and target state.
3 List the five to seven key audit initiatives required to achieve the target state. Draw the initiatives from the strategic plan.
4 Document five to seven critical assumptions underpinning the strategy, setting metrics and thresholds where necessary to indicate when course correction is required as circumstances change.

Statement of Audit Strategy
Create value for the business by leveraging internal control expertise to drive process improvement and improve risk management. As a valued strategic partner, we strive to help the business achieve its operational, reporting and compliance objectives.

State of Audit in 2017 (Top Five to Seven Metrics Describing the Initial State)
■■ Percentage of key risks covered by Internal Audit in the audit plan: 60%
■■ Client satisfaction: 70%
■■ Issues self-disclosed by management: X
■■ Audits using data analytics: 40%
■■ Process improvements implemented by the business: X

Top Four to Seven Audit Initiatives
1. Improve audit productivity and output to reduce audit cycle times and increase coverage.
2. Recruit, attract and develop new skill sets to meet changing risk coverage needs.
3. Expand coverage of key risks by better coordinating with “second-line” assurance groups and enabling greater business risk ownership.
4. Mature and grow data analytics capabilities.

Top Five to Seven Underlying Beliefs and Assumptions
1. Budgets for Internal Audit departments are likely to remain flat.
2. Accelerating company growth will put new and unpredictable risks into play that stakeholders haven’t anticipated.
3. Use of data analytics will improve audit outcomes, productivity and risk assessment capabilities.
4. Audit teams will need to rely on the first and second lines to improve risk and control monitoring.
5. Internal Audit needs to link its audit outcomes to value contribution and process improvements to demonstrate its impact on the business.

State of Audit in 2020 (Top Five to Seven Metrics Describing the End State)
■■ Percentage of key risks covered by Internal Audit in the audit plan: 80%
■■ Client satisfaction: 85%
■■ Issues self-disclosed by management: 2X
■■ Audits using data analytics: 80%
■■ Process improvements implemented by the business: 2X
AUDIT DEPARTMENT OBJECTIVES

This example highlights the department’s key objectives and planned activities focusing on the four dimensions of Audit’s work: people, processes, systems and coverage.

Sample Text: In FY 20XX, Audit will continue to support the organization’s strategic initiatives and key projects by providing objective assurance and advisory services to assist the enterprise in maintaining an effective system of internal controls.

3. Develop Internal Audit staff to take on key leadership roles in other parts of the business.

Audit Alignment With ERM and Corporate Strategy
LINKING AUDIT PLAN TO ERM RISKS: VERSION 1

This example provides a high-level overview of the ERM risks and control and urgency factors that Audit considers in developing the audit plan.
■■ When to Use It:
–– To clarify the link between ERM risks and planned audit activities, explain decision-making rationale and clarify how the audit plan addresses enterprise risks

Sample Text: The audit plan is based on enterprise residual risks. Engagements are prioritized by considering several criteria, outlined below. Audit engagements are defined as ERM audits, site audits, management requests, SOX or operational testing and other types of audits such as data analytics work and legal investigations.

ERM Risks are mapped against the following criteria:
■■ Risk mitigating factors/strategies identified and performed by management
■■ Last time audited and prior audit rating
■■ Existing SOX controls and prior SOX issues
■■ Existing policies and procedures to manage risk
■■ Projects in progress to address existing risks or prior issues
■■ Alignment of risks to strategic, company-wide objectives
Result: Audit Plan
LINKING AUDIT PLAN TO ERM RISKS: VERSION 2

This example connects audit activities to Audit’s risk observations and ERM-identified risk themes.
■■ When to Use It:
–– To clarify the relationships among enterprise risks, potential control issues identified in Audit’s risk assessment and planned audit activities

ERM Risk Theme: New Markets and New Technology
■■ Risk Observations: Mobility; Cloud Computing; Emerging Markets; Social Media; Patents and Litigation; Enterprise Virtualization Convergence; Accelerated Growth in Unified Storage; Enterprise Workload Optimized Infrastructure
■■ Supporting Engagements: Network and Infrastructure; Social Media Integration; Cloud Computing; Mobility; Social Media

ERM Risk Theme: M&A
■■ Risk Observations: Process Integration; Post-Integration Sustainability
LINKING AUDIT PLAN TO ERM RISKS: VERSION 3

This example provides a summary of audit plan coverage by organizing each planned audit activity by audit category and type of enterprise risk.
■■ When to Use It:
–– To clarify the link between ERM risks and planned audit activities at a very high level

ERM Risks and Related Audit Projects
■■ E-Commerce: Customer Behavior Audit; Data Access Review; Digital Acumen Skills Review
■■ Strategic Workforce Planning: Workforce Plan Review; Contingent Workers Accountability Review; Knowledge Management Review
■■ Supply Chain
■■ IT Security
■■ Fraud
■■ Compliance
LINKING AUDIT PLAN TO STRATEGY AND RISKS

This example shows how audit engagements address enterprise risks as well as the company’s strategic objectives and value drivers.
■■ When to Use It:
–– To demonstrate links between audit work and overall corporate value creation

The slide reads left to right through five columns:
■■ Value Drivers: The two overarching company goals are deconstructed into discrete value drivers.
■■ Objectives: Value drivers are mapped to more tangible strategic objectives of the firm.
■■ Risks: Risks to strategic objectives are sourced through various inputs.
■■ Processes: High-level processes underlying strategic objectives are identified.
■■ Audit Engagements: Audit engagements link directly to specific business processes that manage the risks that can undermine the firm’s key objectives.

Illustrative content:
■■ Goal: Top-Quartile Total Shareholder Return
■■ Value Drivers: Financial; Capital and Assets; Compliance; Reputation
■■ Objectives (Financial): 1. 20% EBITDA over the next five years; 2. Double-digit sales increase annually
■■ Objectives (Compliance): 1. Full compliance with all law, regulations and statutes across all operating geographies; 2. Avoidance of
■■ ERM Risks: 1. Consumer Credit; 2. Customer Experience; 3. Product Liability; 4. Inflation; 5. People; 6. Inventory Management; 7. Business Continuity; 8. IP/Trade Law; 9. CSR
■■ High-Level Processes: Marketing; Logistics and Distribution; Selling and Customer Service; People
■■ Annual Audit Plan: Engagement 1; ...
LINKING AUDIT PLAN TO VALUE AND RISKS

This example illustrates how the company’s value drivers shape Audit priorities and how these priorities relate to key risks we’ve identified.
■■ When to Use It:
–– To show how audit work advances overall corporate value creation and reflects leading research findings

Sample Text: Internal Audit’s focus areas for 20XX aim to address key risks and drivers that create the most value for the company. In addition, these focus areas align closely with the CEB Audit Plan Hot Spots, a report of the top risks impacting companies for the upcoming year.

Company Value Drivers
■■ Managing for Value: Risk Mitigation; Cost Containment; Reduction of Assets and Complexity; Growth and Innovation Pressures
■■ Customer Centricity: Transparency; Efficiency; Responsiveness to Client Needs
■■ Execution: Getting the Basics Right; Continuously Improving Decision-Making Processes

Internal Audit Focus Areas
■■ Compliance and Governance
■■ Review Strategic Programs
■■ Basic Control Audits
■■ Counterparty Risk
■■ Operational Performance

20XX Audit Plan Hot Spots
■■ Data Privacy
■■ Geopolitical Volatility
■■ Revenue Recognition
■■ Digitalization Preparedness
■■ Shareholder Intervention
■■ Strategic Workforce Planning
■■ Business Continuity and Disaster Recovery
■■ Fraud
■■ Cloud Computing
■■ Corporate Culture
Source: CEB analysis.
AUDIT PLAN TRADE-OFFS

This example shows which risks are included and excluded from the audit plan.
■■ When to Use It:
–– To show the Audit Committee the trade-offs in the audit plan in terms of risk impact, assurance coverage and available audit hours.

[Assurance Matrix (Illustrative): Risks 1 through 16 plotted by Assurance (Low, Medium, High) against Risk Impact, with a red line separating risks included in the plan from those excluded.]
■■ Assurance: The degree of comfort derived from existing independent evaluation processes.
■■ Risk Impact: The effect on the business if the risk occurs.
■■ Red Line: Risks above the line will be included in the audit plan.
AUDIT COVERAGE BY BUSINESS AND PROCESS

This example presents planned audits in the context of processes and business units and functions.
■■ When to Use It:
–– To show how risk severity varies among entities and business units if the organization is decentralized.

Sample Text: Internal Audit’s plan for 20XX focuses on the critical processes, strategic initiatives and key projects of the company, with a particular focus on activities that will contribute to maximizing the financial strength of the company.

[Coverage matrix. Legend: Not Applicable / Not Scheduled for Audit in 20XX / Scheduled for Audit in 20XX. Columns are business processes; the rotated column headers survive only as fragments, among them Cash Management, Accounts Payable, Capital Projects, Procurement, Compliance, Revenue, Taxes, IT and Other. Rows are entities: Business Unit 1, Function 1, Department 1, Department 2, Business Unit 3, Operating Company 1, Operating Company 2, Operating Company 3, Operating Company 4, Department 3, Department 4, Department 5.]
1 Pseudonym.

Audit Department Resource Allocation
YEAR-ON-YEAR TIME ALLOCATION: VERSION 1

This example highlights changes to audit plan coverage from one year to the next by showing allocation of audit hours by activity type or audit area.
■■ When to Use It:
–– To show the Audit Committee year-on-year changes in coverage

Sample Text
Key Objectives:
■■ Continue to shift from a SOX-centric focus to provide more consulting and advisory services that add value to the business.
■■ Continue to revisit the existing control matrix with management to identify opportunities for rationalizing controls.
■■ Ensure acquired companies comply with SOX requirements and SOX readiness.
■■ Review acquired sites approximately six weeks after closing, with a more detailed site review as needed.
YEAR-ON-YEAR TIME ALLOCATION: VERSION 2

This example uses graphs to quantify and illustrate the evolving audit focus and key factors that led to the change.
■■ When to Use It:
–– To help the Audit Committee understand audit plan changes over several years and the considerations driving them, focusing on risk categories and business processes (coverage can be presented in terms of monetary value or time)

Sample Text: Audit will focus on technology and financial risks for 20XX, as opposed to compliance and strategic risks. Rapid changes in the digital and regulatory landscapes have led to a sharp increase in our planned activities for next year. We intend to spend most of our planned hours performing audits in the IT and Procurement departments.

[Chart: Plan Coverage (by Risk Category). Percentage of planned hours for 20XX, 20YY and 20ZZ across Strategic, Operational, Financial, Compliance, Technology and Other. Source: CEB analysis.]
[Chart: Percentage of planned hours for 20XX, 20YY and 20ZZ across Finance, Marketing, Legal, Procurement, IT, Business Unit and Other. Source: CEB analysis.]
YEAR-ON-YEAR TIME ALLOCATION: VERSION 3

This example communicates the forecasted and actual hours spent on audit activities, compares current and prior years and explains changes stemming from the new audit plan.
■■ When to Use It:
–– To help the Audit Committee understand year-on-year audit plan changes at a high level and in terms of hours

Sample Text
■■ Overall, there was a reduction of approximately 250 hours, or 3%. This reduction is due to enhanced efficiency from more experienced staff, increased head count and efforts to rationalize controls.
■■ Reduction of available hours for Audit and Advisory was primarily due to open positions (five) not hired until midyear.

Change in Hours
Category | 20XX Forecast | 20XX Actual | 20YY Forecast | 20YY Actual
SOX—Financial and IT | 7,100 | 9,022 | 9,000 | 9,855
Audit and Advisory | 8,985 | 7,331 | 11,890 | 7,506
Co-Sourcing Hours | 1,000 | 1,144 | 1,000 | 1,290
Total Head Count (Including Co-Sourced FTEs) | 14 | 11 | 16 | 13
Source: World Fuel Services; CEB analysis.
YEAR-ON-YEAR TIME ALLOCATION: VERSION 4

This example quantifies hours budgeted in the audit plan and compares current and prior years’ resource requirements.
■■ When to Use It:
–– To present a plan in terms of hours and provide a high-level view of the department’s basic resource needs

Sample Text: In 20XX, most of our budgeted hours will be focused on performing strategic and compliance audits. Audit is currently facing resource scarcity and plans to increase the number of senior auditors in the team next year.

20XX Audit Plan Estimated Hours
Planned Audits | Estimated Hours
Strategic Risks | 800
Compliance Risks | 700
Operational Risks | 300
Financial Risks | 400
Other Risks | 400
Also planned: 20XX Risk Assessment and Group Administration; Consulting Assignments

Description | 20XX Plan | 20YY Plan
Projected Cost (at inception) | $ | $
Projected Technology Cost | $ | $
Projected Third-Party Cost | $ | $
Projected Travel Cost | $ | $
Other Cost | $ | $

Position | 20XX Plan | 20YY Plan
VP | 1 | 1
Senior Manager | 2 | 2
Senior Auditor | 3 | 5
IT Auditor | 4 | 4
Source: World Fuel Services; CEB analysis.
YEAR-ON-YEAR TIME ALLOCATION: VERSION 5

This example compares the current year’s departmental budget with the previous year’s budget and actual expenditures and explains key assumptions underpinning the new budget.
■■ When to Use It:
–– To provide a high-level view of the department’s basic operating costs and describe year-on-year audit plan changes in financial terms

Sample Text
The 20YY budget considers the following assumptions:
■■ Current head count for the year is 18 (including VP) and the following positions need to be filled:
–– Audit Manager
–– Auditor 1
–– IT Auditing Specialist
■■ Key activities will continue:
–– Review of high-risk areas
–– Travel to significant locations, new acquisitions and remote locations not previously visited
■■ Technical audits for specialized areas will continue to be outsourced.

[Chart: Annual Budgets]

Audit Performance
REMEDIATION PLANS

This example provides a status update of remediation plans, including the severity of open issues, expected remediation completion dates and trends; it also shows a snapshot of open issues by process, business unit or entity and/or region.
■■ When to Use It:
–– To show the Audit Committee the high-urgency issues needing remediation and related trends

Sample Text: As a whole, management has improved its timeliness in completing remediation plans. The seven open issues are the result of the corporate IT implementation effort. Management is working to resolve the three critical open issues by the end of 4QXX. There is one critical issue past due. Management’s remediation plan is on track.

Outstanding Open Issues at Quarter End
Issue | Rating | Entity | Owner | Management’s Plan | Anticipated Completion Date | Reported Completion %
Issue 1 | Critical | Sales | Manager 1 | -------------- | 30 June 20XX | 60%
Issue 2 | High | Subsidiary A | Manager 2 | -------------- | 15 March 20XX | 50%

[Chart: number of open issues by quarter, 1Q FY 20XX through 1Q FY 20YY. Source: CEB analysis.]
[Chart: open issues by function: IT 46%, Shared Services 15%, Compliance and Ethics 14%, with Procurement and Hiring making up the remaining 17% and 8%. Source: CEB analysis.]
QUARTERLY TRENDS

This example compares the current quarter’s high-risk audit findings with previous quarters’ findings.
■■ When to Use It:
–– To help the Audit Committee understand trend data on systemic issues in the company and which audits are yielding the most significant results

Sample Text: Most 1QXX audit findings result from the recent integration of the new entity with the business. These findings have been categorized as “strategic.” Management has agreed to remediate three open strategic issues by 31 December 20XX. The number of operational findings has remained constant this quarter as compared to the previous quarter. Management has agreed to remediate two remaining open operational issues by 30 September 20XX.

New High-Risk Audit Findings by Category
Issue Category | Q1 20XX | Q2 20XX | Q3 20XX | Q4 20XX | Q1 20YY
Financial | 1 | 0 | 0 | 0 | 0
Strategic | 1 | 2 | 2 | 1 | 1
Operational | 1 | 1 | 1 | 1 | 1
Compliance | 0 | 1 | 0 | 0 | 0
Special Projects | 0 | 0 | 1 | 1 | 0
Total | 3 | 4 | 4 | 3 | 2
Source: CEB analysis.
RISK CHANGES AND IMPACT ON AUDIT PLAN

This example concisely shows how the audit plan has changed in response to shifts in the risk environment.
■■ When to Use It:
–– To show the Audit Committee the distinct links between the audit plan and the risk environment (recommended if your audit plan has undergone changes needing justification or if your organization is operating in a particularly dynamic risk environment)

Sample Text: The original audit plan was adjusted for risk changes, with six projects added and two deferred. These changes are provided here for Audit Committee information or approval. The changes do not require resource adjustment.

[Waterfall chart, scale -10 to 60 audits: Original Plan 54; Plan Additions +6; two deferrals; Revised Plan 58]
Plan Additions, by reason:
■■ Risk Changes: _______________________________
■■ Audits Requested: _______________________________
Deferrals, by reason:
■■ Risk Changes: _______________________________
■■ Risks Covered in Other Audits: _______________________________

SOX Testing and Results
SOX PLAN, EVOLUTION AND RATIONALIZATION

This example communicates the SOX testing plan, scope and rationalization.
■■ When to Use It:
–– If the organization has recently been subject to SOX compliance or has experienced challenges with SOX compliance in the past

SOX Timing
■■ Scoping to assess 20XX key controls and significant sites for control testing will be performed during 1QXX.
■■ Process walk-throughs and documentation will take place 2QXX through 3QXX. Control testing will take place 3QXX through 1QYY.

SOX Evolution and Rationalization
The SOX framework changed from 620 to 514 (including IT general controls) key controls during 20XX after Audit did the following:
■■ Reduced the number of key controls tested from 20XX to 20YY by automating, relying on compensating controls and consolidating controls where possible
■■ De-escalated controls to non-key by mitigating risks through other processes
■■ Transitioned preparation and assessment of control deficiencies to management

[SOX Timeline, 1QXX through 1QYY, with rows: 20XX Risk Assessment and Planning; IT Risk Assessment; Key Controls Walk-Throughs and Flowcharts; Location and ITGCs (20XX vs. 20YY); Initial Testing; Update and Remediation Testing; Management Representation]

Dynamic Visualization
RISK DASHBOARD

This example presents Audit’s risk universe in an interactive way using Tableau; it enables the presenter to show high-level information by selecting areas of interest and generating custom dashboard views.
■■ When to Use It:
–– To highlight areas to explore in additional detail; Audit Committee access to the dashboards to be granted as desired by specific committee members

ABC created an overall Risk Heat Map to reflect the results of ABC’s detailed risk assessment, by entity (geographic or market segment) and by major business unit. Placing the mouse cursor over a particular combination provides additional insight into the risk value. Selected visualizations are included in this PDF file.

Dashboard tabs: 1. Agenda; 2. Effort Distribution; 3. Rotation Effort & Frequency; 4. Risk Heat Map; 4.1 Risk (Amounts/Risk); 5. Rotational Audit Plans; 5.1 IT Audit Plans (Rotational); Cyber Assurance Plan (Illustrative); IT Risk Management; Audit Project Results & Ratings.

[Risk Heat Map: rows are Business Unit 1 and Business Units 5 through 9; columns are North America (Country 1–3), Direct (Company 1–3), Latin American Subs (Country 1–6), Non Direct (Company 1–2) and Service (Company 1–2).]
Source: Aether Company (pseudonym).
RISK DASHBOARD (CONTINUED)

In addition to the summary view on the prior page, ABC layered in the underlying detail to enable a Board Member recipient to explore further or for an ABC presenter to articulate a risk rating assigned.

Risk Details
Columns: North America Country 1–3 (NA1–NA3); Direct Company 1–3 (D1–D3); Latin American Subs Country 1–6 (LA1–LA6); Non Direct Company 1–2 (ND1–ND2); Service Company 1–2 (S1–S2). Each business unit row carries a numeric rating per entity; each sub area row carries an L/M (low/medium) rating.

Area | NA1 NA2 NA3 | D1 D2 D3 | LA1 LA2 LA3 LA4 LA5 LA6 | ND1 ND2 | S1 S2
Business Unit 1 | 2 2 1 | 2 1 1 | 2 2 2 2 2 1 | 1 1 | 1 1
Sub Area 1 | M M L | M L L | M M M M M L | M L | L L
Sub Area 2 | M M L | M L L | M L L L L L | L L | L L
Sub Area 3 | M M M | M L M | M M M M M L | M L | L M
Sub Area 4 | M M L | M L L | L L L L M L | L L | L L
Sub Area 5 | M M L | M L M | M L L L L L | L L | L M
Sub Area 6 | M M L | M L L | M M M M M L | L L | L L
Sub Area 7 | M M M | M L M | M M M M M L | L L | L L
Sub Area 8 | M M L | L L L | L L L L L L | L L | L L
Business Unit 2 | 2 2 1 | 2 1 1 | 1 1 1 1 1 1 | 1 1 | 1 1
Sub Area 1 | L L L | M L L | L L L L L L | L L | L L
Sub Area 2 | M M L | L L L | L L L L L L | L L | L L
Sub Area 3 | M M M | M L M | M M M M M L | L L | L L
Sub Area 4 | M M L | M M M | L L L L L L | L L | L L
Sub Area 5 | M M L | L L L | L L L L L L | L L | L L
Sub Area 6 | M M L | L L L | L L L L L L | L L | L L
Sub Area 7 | M M M | M L M | M M M M M L | L L | L L
Sub Area 8 | M M M | M M L | M M M M M L | L L | L L
Sub Area 9 | M M M | M M M | M M M M M L | L L | L L
Business Unit 3 | 2 2 1 | 2 1 2 | 1 2 2 2 2 1 | 1 2 | 1 1
Sub Area 1 | M M L | M L M | L M M M M L | L M | L L
Sub Area 2 | L L L | L L L | L L L L L L | L L | L L
Business Unit 4 | 2 2 2 | 2 2 2 | 2 2 2 2 2 1 | 2 2 | 2 2
Sub Area 1 | M M M | M M M | M M M M M L | M M | M M
Sub Area 2 | M M M | M M M | M M M M M L | M M | M M
Sub Area 3 | M M M | M M M | M M M M M L | M M | M M
Sub Area 4 | M M M | M M M | M M M M M L | M M | M M
Sub Area 5 | M M L | M M M | L L L L L L | L M | L M
Sub Area 6 | M M M | M M M | M M M M M L | M M | M M
Sub Area 7 | M M M | M M M | M M M M M L | M M | M M
Sub Area 8 | M M L | M M M | L L L L L L | L M | M M
Sub Area 9 | M M M | M M M | M M M M M L | M M | M M
Business Unit 5 | 2 1 1 | 1 1 1 | 1 1 1 1 1 1 | 1 1 | 1 1
Sub Area 1 | M L L | L L L | L L L L L L | L L | L L
Sub Area 2 | M L L | L L L | L L L L L L | L L | L L
Sub Area 3 | L L L | L L L | L L L L L L | L L | L L
(unlabeled) | M L L | L L L | L L L L L L | L L | L L
(unlabeled) | M L L | L L L | L L L L L L | L L | L L
Source: Aether Company (pseudonym).
RISK DASHBOARD (CONTINUED)
ABC created an additional detail visualization to break out the components (operational transaction frequency, operational transaction impact, mitigating controls) driving the risk rating for a particular entity and business unit.
[Figure: risk rating detail view for Business Unit 1, Sub Areas 1 to 9. For each entity group (North America, Direct, Latin America, Non Direct, Service) the grid shows Ops Frequency and Ops Impact columns; cell values are H, M, L and S. Entity selector: North America - Country 1, 2, 3; Direct - Company 1, 2, 3; Latin America - Country 1 to 6; Non Direct - Company 1, 2; Service - Company 1, 2; New Acquisition 1.]
(1) Pseudonym: Aether.
ROTATIONAL AUDIT PLANS
This example shows past, current and planned efforts within major operating and audit areas.
ABC has adopted a rotational audit plan and created the following view to articulate to the Board past, current, and planned efforts within each subsidiary and operating area.
[Figure: rotational audit plan grid; the extracted row labels include Sub Area 8, Hotline Awareness, Other and Data Analytics / Sub Area 1, with cell entries such as "Look back" and "Monitoring".]
(1) Pseudonym: Aether.
AUDIT PLAN DATA VISUALIZATION DASHBOARD
This example provides a comprehensive and easily digestible summary of the audit plan and status of key risks; the click-through capability allows more detailed exploration.
■■ When to Use It:
–– To enable the CAE to present high-level plan progress to the audit committee, while also providing the option to present more detailed views.
[Figure: dashboard panels, each with a "More Details" click-through. SOX Testing Progress by Process Area: Complete 55%, Not Started 45%. SOX Open Deficiencies. Cost Savings Opportunities: Cost Savings Opportunities Identified versus Cost Savings Realized, Dollar Value ($ in Millions), 2012 through 2017, with a Total. IA Plan Status by segment (Segment B, Segment C; scale 0 to 170), including a Canceled count.]
AUDIT PLAN DATA VISUALIZATION DASHBOARD (CONTINUED)
[Figure: IA Plan Status detail view, reached by click-through and carrying a "Back to Dashboard" link. A chart of plan items by status (Postponed, Not Started, In Progress, Canceled, Completed) for 2017 and 2018, and two tables, Plan Status and Current Audit Plan, each with columns 2016, 2017 and 2018 and rows Original Plan, Additions, Current Plan, Canceled, Completed, In Progress, Postponed and Not Started.]
AUDIT PLAN DATA VISUALIZATION DASHBOARD (CONTINUED)
[Figure: audit plan by segment (Segment A, Segment B, Segment C; scale 0 to 170) and audit category share (Comparative, Operational, Compliance, JV Audit, Contractor, IT, GCR; the slice labels as extracted read 10%, 24%, 19%, 12%, 11%, 18% and 6%).]

Aging of Past Due IA Action Plans by Status
Days Overdue   Methodology   Open   Partially Complete   Grand Total
> 180          Compliance      1            4                5
> 180          JV Audit        3           12               15
> 180          Operational     0           21               21
91-180         Operational     3            0                3
91-180         Compliance      2            7                9
< 91           GCR            14           51               65
Grand Total                   23           95              118

Aging of Past Due IA Action Plans by Issue Category
Days Overdue   Methodology   Control Weaknesses   Process Enhancement   Significant   Grand Total
> 180          Compliance            2                    4                  0             6
> 180          JV Audit              0                    7                  0             7
> 180          Operational           0                    9                  0             9
91-180         Operational           0                    2                  4             6
91-180         Compliance            0                    1                  0             1
< 91           GCR                   0                    4                  1             5
Grand Total                          2                   27                  5            34
AUDIT PLAN DATA VISUALIZATION DASHBOARD (CONTINUED)
[Figure: bar chart of dollar amounts by category: External FTE spend, Internal FTE spend, Travel Expense, Project Scope, IT Project Expense, Moved.]
Appendix
Documents
AUDIT PLANNING PROCESS: VERSION 1
This example provides a quick overview of the audit planning process.
■■ When to Use It:
–– To convey that the audit plan is based on a comprehensive analysis of internal and external trends that were validated at various levels
Sample Text: The audit planning process begins with a general risk framework and extends to face-to-face meetings with senior leaders, review of corporate and area business plans and consideration of previous audit findings and the current control environment as well as the auditor’s business judgment.
[Figure: planning inputs grouped into External Factors (News and Events, Regulatory Compliance) and Internal Factors.]
AUDIT PLANNING PROCESS: VERSION 2
This example communicates the information Audit relies on to complete its risk assessment and build the audit plan.
[Figure: two-step flow, 1 Risk Assessment leading to 2 Risk-Driven Audit Plan, fed by the inputs listed below.]
Internal
■■ ROI
■■ Management Interviews
■■ Employee Survey
■■ Financial Forecast
External
■■ Regulatory Compliance
■■ News and Events
■■ External Consultants
OVERVIEW OF THE RISK ASSESSMENT PROCESS
This example, with simple visuals, shows the Audit Committee how the risk assessment process is used to filter the risk universe into a draft audit plan.

Create the Strategic Risk Universe
The following inputs are used to generate the risk universe:
■■ Audit management discussion of 10-K risks
■■ Discussions with risk owners
■■ Risks mentioned in professional publications
■■ Discussions with external auditors
■■ Discussions with 25-40 senior managers and subject matter experts

Identify the Most Significant Risks
The Audit team uses the following questions as a filter:
■■ Does the audit team have the most appropriate skills and experiences to provide value-added engagement in the risk management analysis?
■■ Is the risk topic reasonably “actionable” by the Audit department?
■■ Is the risk topic generally applicable to multiple business segments and units or more isolated to only one to two entities?

Identify Possible Audit Engagements
Output from the strategic risk assessment and the “bottom-up” audit universe risk assessment is used to develop a draft plan.
■■ Degree of assurance, risk impact and available hours are taken into account.
■■ The audit plan also considers traditional elements such as SOX coverage and coordination with external Audit.

Source: The Coca Cola Company; CEB analysis.
AUDIT PLAN COVERAGE: DETAILED
This example presents current and planned audits in the context of business processes and risk areas.
■■ When to Use It:
–– To show the connections between audit areas and key risks if the organization is centralized and has relatively uniform risk severity across entities and business units
Sample Text: Audit uses a risk-based model that maps corporate risks to processes and integrates risk assessments to determine which areas to audit each year. The volatility in the marketplace and ongoing global economic turmoil have led to a sharp increase in our audit coverage for next year.
[Figure: coverage matrix. Legend: Currently Being Audited; Yet to Be Audited in the Current Plan; Not Subject to Audit. Rows (Audit Universe Processes): Finance and Administration (Expense Reporting, Capital Expenditure, Cash Management, Accounts Payable, Treasury); HR (Recruitment, Compensation); IT (IT Security, IT Development, Electronic Commerce). Columns (Principal High Risks): Financial Reporting, System Security, Theft and Fraud, Financial Products, Customer Service, Business Interruption, Product Quality, Liquidity; plus a Comments column.]
Map the audit universe to top enterprise risks to effectively portray Audit’s coverage of the risk universe.
The “X” in a cell illustrates where a process contributes significantly to a specific risk.
INTEGRATED ASSURANCE MAP
This example maps risks to assurance provided by the three lines of defense to help determine the audit plan and establish the Audit department as the ultimate provider and coordinator of assurance.
■■ When to Use It:
–– To show the combined activities of all assurance groups, if the organization has an integrated assurance framework in place
[Figure: Global Internal Audit (GIA), Corporate and Regional Functions Assurance Map, March 20XX (Illustrative). Key: indicative contribution to assurance is Significant, Moderate or Minor; movement during 20XX is Increase, Stable or Decrease. The numbered callouts below explain the map’s columns.]
1 Risk Category: Through Audit’s dynamic risk assessment process, key strategic, project and operational risks are identified and categorized into six major auditable risk areas.
2 Component Risk: Risks are further broken down into specific, identifiable and auditable areas.
3 Indicative Risk Trend: Risks are assessed as increasing, stable or decreasing.
4 First Line/Second Line/Third Line of Defense Assurance: Areas of assurance that mitigate the identified risks across the organization are mapped and assessed based on the relative level and effectiveness of assurance provided (i.e., minor, moderate, significant), then color-coded from light to dark.
5 Coverage from Prior Audits: The map includes previous Global Internal Audit activities related to the identified risk areas.
6 Planned Global Internal Audit: Having considered all risk information and the level/quality of the related known assurance activities across the organization, the final column represents the Global Internal Audit plan.
Source: IHG; CEB analysis.
AUDIT STAFF PROFILE
This example provides a snapshot of staff qualifications, productivity and opportunities for improvement.
■■ When to Use It:
–– To provide the Audit Committee with additional information on department composition and output
[Figure: two charts. Employee Qualification, Number of Auditors (Illustrative), by Formal Education: Certified Public Accountant (CPA) 18; Certified Internal Auditor (CIA) 15; Certified Fraud Examiner (CFE) 11. Employee Work Experience, Number of Auditors (Illustrative), comparing Experience in Department with Total Relevant Experience.]
RISK UNIVERSE: VERSION 1
This example lists enterprise risk categories and sub-categories and underlying risks.
■■ When to Use It:
–– To provide the Audit Committee with additional information on the risk universe if the organization uses a tri-level risk taxonomy.

Strategic
1.1 Governance
1.1.1 — Board Performance
1.1.2 — Tone at the Top
1.1.3 — Control Environment
1.2 Planning and Resource Allocation
1.2.1 — Organizational Structure
1.2.2 — Strategic Planning
1.2.3 — Annual Budgeting
1.2.4 — Forecasting
1.2.5 — IT Strategy
1.2.6 — Tax Planning

Compliance
2.1 People/HR
2.1.1 — Culture
2.1.2 — Recruiting and Retention
2.1.3 — Development and Performance
2.1.4 — Succession Planning
2.1.5 — Compensation and Benefits
2.2 IT
2.2.1 — IT Strategy and Planning
2.2.2 — Information Protection/Security
2.7 Supply Chain
2.7.1 — Quality of Supply/Service
2.7.2 — Availability of Supply
2.7.3 — Supplier Failure
2.7.4 — Materials Pricing
2.7.5 — Operations Planning
2.7.6 — Production Capacity
2.7.7 — Plant Health and Safety
2.7.8 — Product Quality
2.7.9 — Inventory Planning
2.7.10 — Loading Systems
2.7.11 — Rail Systems
RISK UNIVERSE: VERSION 1 (CONTINUED)

Operational
3.1 Code of Ethics
3.1.1 — Ethics
3.1.2 — Fraud
3.2 Legal
3.2.1 — Contract Administration
3.2.2 — Record Retention
3.2.3 — Liability
3.2.4 — Trademark Compliance
3.2.5 — Litigation
3.3 Regulatory
3.3.1 — Labor
3.3.2 — Data Protection and Privacy
3.3.3 — Tax Compliance and Tax Authority
3.3.4 — Securities and Exchange Commission
3.3.5 — Environmental
3.3.6 — Customs

Financial
4.1 Market
4.1.1 — Interest Rate
4.1.2 — Credit Ratings
4.1.3 — Foreign Currency
4.1.4 — Derivatives
4.2 Liquidity and Credit
4.2.1 — Cash Management
4.2.2 — Funding
4.2.3 — Hedging
4.2.4 — Credit and Collectibles
4.2.5 — Insurance
4.2.6 — Debt
4.2.7 — Equity
4.2.8 — Debt Covenants
4.2.9 — Pension/Retirement Funds
4.3 Accounting and Reporting
4.3.1 — Reporting and Disclosure
4.3.2 — Revenue Recognition
4.3.3 — Internal Control
4.3.4 — Tax Strategy and Planning
4.3.5 — Tax Optimization

Reputational
5.1 Reputational
5.1.1 — Health and Safety
5.1.2 — Employee Satisfaction
5.1.3 — Community Programs
5.1.4 — Economic Forces
5.1.5 — Political Forces
5.1.6 — Social Responsibility
5.1.7 — Public Relations

Source: CEB analysis.
RISK UNIVERSE: VERSION 2
This example lists enterprise risk categories and underlying risks.
■■ When to Use It:
–– To provide the Audit Committee with additional information on the risk universe if the organization uses a dual-level risk taxonomy

20XX Corporate Risk Assessment Universe

Sales and Marketing — Corporate
1. Product Marketing
2. Advertising
3. Contract Sales
4. Spot Sales
5. Export Sales
6. Direct Sales
7. Indirect Sales and Merchant Sales
8. Pricing
9. Sales Commission
10. Rebates
11. Product Research and Development
12. Product and Service Refinement
13. Technical Support

Sales and Marketing — Westchester
1. Supply Chain Optimization
2. Manage Production and Delivery Process
3. Demand Management and Forecasting
4. Customer Service (e.g., Order Entry)
5. Managing and Processing Orders
6. Maintaining Customer Masterfile
7. Invoicing — Customer Billing
8. Returns and Adjustments

Tax
1. Deferred Taxes and Income Taxes
2. Property Tax
3. Sales and Use Tax
4. Federal and State Returns
5. Federal Excise Taxes

Legal
1. Contracts
2. Governance
3. Code of Conduct
4. Whistleblower and Compliance
5. Monitoring of External Legal Environment
6. Manage Legal Compliance
7. Antitrust, NYSE, etc.
8. SEC Reports (Nonfinancial) and Proxy Statement
9. Manage Relationships With Board of Directors
10. Record and Information Management
11. Litigation Management
12. Intellectual Property
13. Trademarks
14. Copyrights
15. Insider Trading
16. Lobbying and Public Policy

Finance
1. General Ledger
2. General Accounting (e.g., Basic, Pension, Derivatives, Hedging)
3. Account Reconciliations
4. Fixed Assets
5. Delegation of Authority
6. Segregation of Duties
7. Financial Analysis and Forecasting
8. Budgeting
9. Capital Expenditure Approval
10. Policies and Procedures
11. Investor Relations and Stockholder Communication
12. New Business Process Implementation
13. Performance-Monitoring KPIs, Balanced Scorecard

Financial Reporting
1. External Reporting (e.g., 10-K, 10-Q, EXBRL, IFRS)
2. Accounting Developments and Treatments
3. Consolidation

Environmental, Health and Safety
1. Property Protection
2. Plant Protection
3. Security
4. Workers’ Compensation Management
5. Contracts and Contractor Management
6. Product Stewardship Liability
RISK UNIVERSE: VERSION 2 (CONTINUED)
20XX Corporate Risk Assessment Universe (Continued)