key considerations for your internal audit plan au1607
TRANSCRIPT
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
1/40
C]q[gfka\]jYlagfk^gjqgmjafl]jfYdYm\alhdYf=f`Yf[af_l`]jakcYkk]kke]flYf\
Y\\j]kkaf_]e]j_af_jakck
Afka_`lkgf_gn]jfYf[]$jakcYf\[gehdaYf[]
EYq*()+
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
2/40
iii Insights on governance, risk and compliance | May 2013
Risk assessment leading practices ..................... 2
Accounting ....................................................... 4
Finance ............................................................6
Tax .................................................................. 8
Sustainability .................................................. 10
Customer ....................................................... 12
Corporate development ..................................14
Fraud and corruption ......................................16
Information security ....................................... 18
Business continuity management .................... 19
Mobile ............................................................20
Cloud .............................................................21
IT risk management ........................................ 22
Program management ....................................24
Software/IT asset management ....................... 26
Social media risk management ........................ 28
Segregation of duties/identity
and access management ................................. 30
Data loss prevention and privacy ..................... 32
Human resources ............................................ 34
Supply chain and operations............................36
Contents
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
3/40
)Insights on governance, risk and compliance | May 2013
Lhe internal amdit risk assessment and the ongoing re^resh processes are
critical to identi^qing and ^iltering the activities that internal amdit can per^orm
to provide measmraZle Zene^it to the organiration&Ohile there are o^ten a
nmmZer o non%negotiaZle activities that internal amdit ^mnctions mmst
smpport KGP and other regmlatorq compliance, epternal amditor assistance!,
the internal amdit department has the opportmnitq to deliver increased risk
coverage, cost savings and measmraZle valme to the Zmsiness Zq identi qing and
per^orming amdits across the companqs valme chain& In omr role as the leading
provider o^ internal amdit services, oe have spent consideraZle time oorking
oith omr clients and thomght leaders to2
)& Identi q emerging risks and areas that most organirations are cmrrentlq
focused on
*&
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
4/40
* Insights on governance, risk and compliance | May 2013
Components of the
risk assessment
Data reviewed
Data analytics
Stakeholderengagement
Interview/surveytechniques
Collaboration
Audit prioritization
Outputs
Ohq is the need for a oorld%class internal audit risk assessmentmore vital than ever7
Lhere are multiple drivers Zehind the grooing importance of epecuting a roZust and
comprehensive risk assessment2
Internal audit executives continue to be challenged by the Audit Committee and
executive management to look around the corner and answer the question, Have
o]a\]fla]\Yddl`]Za_jakck7
Changes in the marketplace and external environment:
Increased risk due to expanding operations in emerging markets and developing
countries
Increased regulatory demands
Increased focus on cost savings across all functions including internal audit
Changes in the role of internal audit within organizations:
Effective use of internal audit resources no longer means only maintaining a world-class
assurance program that keeps the organization out of trouble. The department must
also improve the business through value-based audits and recommendations.
Investors are willing to pay for it 82% of institutional investors are more willing to
pay a premium for effective risk management (source: Ernst & Young survey)
Jisk assessmentleading practices
Ohen assessing risk to the organiration, internal audit functions
tqpicallq fall Zetoeen Zasic and leading on the maturitq curve Zeloo&
9s qour department moves tooard leading Zq utiliring the techniiues
listed here, qou increase qour aZilitq to look around the corner andidentifq the right risks&
)
*
+
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
5/40
+Insights on governance, risk and compliance | May 2013
:asic
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
6/40
4 Insights on governance, risk and compliance | May 2013
Operationalizing statutory
reporting: driving global
consistency to create savings
and transparency
www.ey.com/Publication/vwLUAssets/Operationalizing_Statutory_
Reporting/$FILE/Operationalizing%20Statutory%20Reporting_Driving%20global%20consistency.pdf
Operationalizing statutory reportingDrivingglobalconsistencyto createsavingsand transparency
:mkaf]kkZ]f]lk2
afYf[aYd9[[gmflaf_9\nakgjqK]jna[]k
Ernst&Youngrapidassessment
;mklgear]\lggdkYf\]fYZd]jklg_Yl`]j
\YlYgfdaf_klYlmk$[mjj]flhjg[]kkYf\j]dYl]\[gklk
Customizedglobalstatutory
reporting database
Hjgna\]knakaZadalq Y[jgkkqgmj _dgZYd
gj_YfarYlagf
>Y[adalYl]kYfYd qkakYf\a\] fla[Ylagf
g^[gfkakl]fll`]e]kYf\akkm]kZq
_]g_jYh a[Yddg[Yl agfYf\Zq hjg[]kk
Dashboardandreporting
=^^][lan]hj]k]flYlagfg^af^gjeYlagflgkmhhgjlh jg b][leYfY_]e]flYf\
eYfY_]e]fl\][akagf eYcaf_
Ernst&Youngglobalaccounting
database
Hjghja]lYjq\YlYZYk]l`Ylhjgna\]k
Y[[]kklgmh%lg%\Yl]$\]lYad]\$dg[Yd
j]hgjlaf_j]imaj]e] flk
Jecommended reading
Accounting
The pace of change to accounting standards is unprecedented
in the US and globally. Multinational organizations need to
understand how business decisions affect accounting and
reporting today, as well as the impact anticipated changes to
standards may have. The business needs to develop practical
strategies for managing the impact of accounting changes on
the organization. There needs to be particular focus in countrieswhere regulators are increasingly aligning local regulations with
IFRS, such as Brazil and the United Kingdom. It is imperative for
the internal audit department to be aware of potential changes
to accounting regulations, such as:
SEC accounting, disclosure and reporting matters The
K=;klY^^j][]fldq\ak[mkk]\q]Yj%]f\fYf[aYdklYl]e]fl
considerations and their areas of focus: revenue recognition
disclosures, valuation of deferred tax assets and observations
related to the new fair value disclosures. It is expected that
auditors will need to place extra scrutiny in these areas.
FASB and IASB The two organizations recently commented
on their joint convergence projects related to:
Revenue recognition. The new standard is expected to be
fYdar]\af*()+&L`]j]eYafaf_akkm]klgZ]fYdar]\j]dYl]
to disclosure and transition to the new standard.
Leases.Ka_fa[Yfl[`Yf_]k`Yn]Z]]feY\]lghjagj\jY^lk
developed by the Boards, and the revised proposal is expected
lgZ]j]d]Yk]\^gj[gee]flafl`]jklimYjl]jg^*()+&L`]
new draft is expected to end off-balance-sheet accounting for
leases by lessees.
Seizing the opportunity in
global compliance and
reporting: survey trends
www.ey.com/GL/en/Services/Tax/Seizing-the-opportunity-in-Global-
Compliance-and-Reporting--Global-Compliance-and-Reporting-Survey
K]araf_l`]ghhgjlmfalqaf?dgZYd;gehdaYf[]Yf\J]hgjlaf_Kmjn]qYf\lj]f\k
Financial instruments.L`]]phgkmj]\jY^lgf[dYkka[YlagfYf\
e]Ykmj]e]flak]ph][l]\lgZ]akkm]\afl`]jklimYjl]jg^
2013. Many changes have been made for convergence in these
areas, but the two Boards remain relatively far apart on the
issue of impairment.
IFRS update The SEC is continuing to investigate whether to
af[gjhgjYl]A>JKaflgl`]MKfYf[aYdj]hgjlaf_kqkl]eYf\$a^so, when to do so. The indication is that a decision will not be
made anytime soon.
As organizations are executing the day-to-day activities to meet
l`]j]hgjlaf_j]imaj]e]flk$l`]j]Yj]kh][a[Yj]Ykl`Yll`]q
need to focus on to mitigate the associated risks:
Statutory reporting Multinational organizations need to
understand the statutory reporting requirements and the
processes they need in place to meet them. The business must
assess its requirements and evaluate the opportunity to increase
[gfkakl]f[qafalkfYf[aYdj]hgjlaf_hjg[]kk]k&
Business transformation As organizations continue to lookfor opportunities to drive cost out of the business through major
transformations (e.g., shared service center implementations),
the accounting and reporting function must be aware of the
ka_fa[Yfljakclgl`]Zmkaf]kk&Gj_YfarYlagfkemklmk]l`]k]
transformations as an opportunity to streamline their accounting
policies and controls, thereby reducing both cost and risk.
ERP system implementation The implementation of an ERP
kqkl]eakYka_fa[Yflafn]kle]flZql`]gj_YfarYlagfYf\g^l]f
takes several years to be fully integrated. As an organization
is planning such a migration, the business should assess the
changing accounting and control requirements and incorporate
them into their plans.
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
7/40
5Insights on governance, risk and compliance | May 2013
Lhe audits that make an impact Cey iuestions to evaluate during audit
Accounting policy review The internal audit team focuses on
l`]\]f]\]flalq%oa\]Y[[gmflaf_hgda[a]kg^l`]gj_YfarYlagf&
The team reviews the consistency of application across entities
through sample testing (e.g., account reconciliations, accruals,
manual journal entries). Additional time is spent reviewingaccounting policies against leading practices (e.g., number of
days to close each month/quarter) and proposed legislation or
regulatory changes.
O`YlYj]l`]\]f]\Y[[gmflaf_hgda[a]kg^
l`]gj_YfarYlagf7
What is the process to disseminate updates and/or changes
lgl`]hgda[qlgYddh]jkgff]d7
What is the process for deviating from policy and is there anYhhjgnYdeYljap^gjl`]k]\]naYlagfkZYk]\gfeYl]jaYdalq7
Lease accounting review The internal audit team inventories
and reviews the organizations leases. A review of the policy for
leases is conducted, with individual leases being sampled for
adherence to policy and applicable guidance. For additional
Y\\]\nYdm]lgl`]gj_YfarYlagf$l`]afl]jfYdYm\all]Yea\]fla]k
improvement opportunities in the lease analysis (e.g., use of
a standard template) process.
Does the organization have a database or repository of all of
alkd]Yk]k7
Akl`]j]YfYhhjgnYdeYljap^gjd]Yk]kZYk]\gfeYl]jaYdalq7
O`Ylakgj_YfarYlagfkhgda[qgfd]Yk]k7
O`YlYj]l`][gfljgdkafhdY[]afl`]d]Yk]a\]fla[YlagfYf\
]p][mlagfhjg[]kk7
Statutory risk assessment The internal audit team focuseson the countries in which the organization operates and
assesses the statutory risk to the business. A risk assessment
is performed of the locations based on the statutory reporting
risk of each location, as well as the materiality and inherent
risk of the companys operations in each location.
O`ggofkklYlmlgjqj]hgjlaf_7 Where have we had issues from a statutory reporting
h]jkh][lan]afl`]hYkl7
For countries in which we operate, which are inherently
`a_`]jjakc7
Are we appropriately aligning our resources for statutory
j]hgjlaf_ZYk]\gfjakc7
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
8/40
6 Insights on governance, risk and compliance | May 2013
Jecommended reading
>inance
O`ad]fYf[]^mf[lagfk`Yn]`aklgja[YddqZ]]fY^g[mkg^afl]jfYd
audit departments, pressures from within the organization to
dgo]j[gklkYf\aehjgn]l`]]^[a]f[qg^l`]^mf[lagf`Yn]Z]]f
augmented by emerging challenges. The push for shared service
centers, implementations of global ERP systems, and the
standardization of global policies, procedures and operations
have increased the pressure on CFOs and their functions. With
these initiatives come risks that internal audit needs to identify,
assess and help the organization mitigate with appropriate
controls and strategies.
In addition to the internal pressures to reduce costs and operate
egj]]^[a]fldq$]pl]jfYd\]n]dghe]flkYj]Ydkg\]eYf\af_egj]
g^fYf[]^mf[lagfk&>gjafklYf[]$[gfka\]jl`]j][]flljYmeYaf
l`]_dgZYdfYf[aYdeYjc]lk$l`]mfcfgofaehY[lg^l`]
implementation of the Patient Protection and Affordable Care Act
in the United States, and the uncertainty surrounding additional
governmental policy and legislation. While all of this is occurring,
fYf[]Yf\alkd]Y\]j$l`];>G$Yj]]ph][l]\lgk]jn]YkYZmkaf]kk
partner in strategic decision-making by putting the right informationin the hands of decision makers at the right time.
;gfka\]jl`]^gddgoaf_fYf[]jakckYf\l`]ajaehY[lgfl`]
function and organization.
Disparate nance systems and processes Multinational and
global organizations frequently grow through inorganic methods
(e.g., acquisitions), often leading to the need to manage
different ERP packages and supporting systems. Additionally,
l`]fYf[aYdhjg[]kk]kYf\l`]aj[gfljgdkYj]g^l]ffgl
consistently designed (or performed), leading to a potential
roadblock in the businesss operations.
Managing performance
through famine and feast:
the CFOs role as economic
advisor
www.ey.com/GL/en/Services/Advisory/Managing-performance-through-famine-and-feast---CFO-report
Views. Vision. Insights:
the evolving role of
todays CFO
www.ey.com/GL/en/Issues/EYfY_af_%fYf[]'L`]%
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
9/40
7Insights on governance, risk and compliance | May 2013
The audits that make an impact Cey iuestions to evaluate during audit
Analysis of the budgeting and forecasting process
Assess the annual budgeting and forecasting processes including
the internal controls and potential process, improvement
recommendations. Review the primary business segments of the
organization, current state processes and root cause issuesdriving inaccuracies in the forecast.
What is the current process for budgeting and forecasting and
akal[gfkakl]flY[jgkkZmkaf]kkmfalk'dg[Ylagfk7
How do we monitor the accuracy of the budgeting and
^gj][Yklaf_hjg[]kk7
What are the controls in place to assess accuracy and[gehd]l]f]kkg^l`]hjg[]kk7
O`YlY[lagfkogmd\Z]j]imaj]\lgY\\j]kkl`]_Yhk7
Capital allocation review Review the comprehensive capital
allocation process focusing on internal controls and potential
process improvement recommendations. Evaluate the capital
request and approval process, committee and approval structure
and return on investment tracking.
How does the organization manage capital allocation requests
Yf\o`Ylakl`]hjg[]kk^gjhjagjalaraf_l`]e7
How does the capital allocation process mirror the goals and
kljYl]_a]kg^l`]gj_YfarYlagf7
Global costing review Review the policies and internal controls
g^l`]hjg[]kklgegfalgj[gklYf\hjglYZadalqeYj_afZqhjg\m[l
line/service. Evaluate the organizations internal control structure
and provide potential process improvement recommendations for
a\]fla]\[gfljgd_Yhkgj\][a]f[a]k&
O`Ylakl`]hjg[]kk^gj\]l]jeafaf_l`]hjglYZadalqeYj_af!
_gYdZqk]jna[]'hjg\m[ldaf]7
Are controls related to margin analysis designed and operating
]^^][lan]dq7
9j]l`]j]ghhgjlmfala]klgaf[j]Yk]l`]]^[a]f[qg^[gfljgdk7
Treasury process review The internal audit team focuses on
the business process and controls for cash forecasting, funding,
hedging and derivatives, and compliance with applicable debt
covenants. Additional focus is given to the vetting and granting
of credit to customers (if owned by Treasury).
O`ggofklj]YkmjqYf\akalY_dgZYdhjg[]kk7
@go\go]egfalgjl`]Y[[mjY[qg^[Yk`^gj][Yklaf_7
O`YlYj]l`][gfljgdkafhdY[]lgYkk]kkl`]lj]Ykmjqhjg[]kk7
O`YlY[lagfkogmd\Z]j]imaj]\lgY\\j]kkl`]akkm]_Yhk7
O`Ylogmd\Z]l`]Z]f]lkg^Y\\j]kkaf_l`]a\]fla]\_Yhk7
Finance benchmarking assessment As the organization
h]j^gjekYZ]f[`eYjcaf_Ykk]kke]flg^alkfYf[]^mf[lagf$
internal audit has a role in the compliance and controls
workstream. The team focuses on benchmarking the
organizations cost of controls relative to its competitors and
industries. Additional feedback is provided on the utilization ofl][`fgdg_qafl`]fYf[]hjg[]kk]kYmlgeYl]\[gfljgdk$
continuous control monitoring).
What is the companys total spend on the planning, execution
Yf\egfalgjaf_g^[gfljgdkYf\[gehdaYf[]7
@go\g]kgmjkh]f\[gehYj]oal`gmjh]]jk'af\mkljq7
Akl`]j]Yfghhgjlmfalqlgd]n]jY_]Y\\alagfYdYmlgeYlagf7A^
kg$o`]j]Yf\`go7
Opportunities for integrated audits between IT and operational audit Audit was frequently mentioned in survey of leading IA organizations
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
10/40
8 Insights on governance, risk and compliance | May 2013
Tap
Tax risk goes well beyond the tax technical application of the law.
Factors that contribute to increased pressure on organizations to
develop and maintain an effective tax risk management strategy
include expanding business operations, increasingly complex tax
d]_akdYlagfYf\j]_mdYlagfk$ka_fa[YflY[[gmflaf_\]n]dghe]flk$
expanding global internal control and tax authority regimes and
greater transparency and increased accountability to stakeholders.
Interestingly, since the inception of reporting under Section 404
of the Sarbanes-Oxley Act (SOX 404), tax reasons have accounted
^gjYZgml+(g^Y\n]jk]ghafagfkd]\mf\]jKGP,(,]Y[`q]Yj
and continue to be a leading cause of restatements.
L`]fYf[aYd[jakak`YkZjgm_`lYZgmlYfmhla[caf_dgZYdarYlagf$
[Ymkaf_YdYj_]k`a^laf[YhalYdgoklgoYj\]e]j_af_eYjc]lk&
Policy-makers in emerging markets are rapidly enacting mechanisms
to capture their fair share of the global tax pie. In many mature
markets, governments have an urgent need to increase revenues.
As a result, they are attempting to raise taxes and intensify
enforcement for companies operating within their borders.
It is in this context that the following tax topics are receivingattention across the enterprise and should be considered during
the risk assessment and potentially in the audit plan:
Failure to integrate tap in large global initiatives Large
initiatives such as moves to a shared service environment,
implementation of an ERP or supply chain transformation
are all examples of initiatives that are critical for tax to be
involved in up front. Where tax is not involved, tax compliance
akkm]k$hjg[]kkaf]^[a]f[a]kgjYdY[cg^YnYadYZd]\YlY^gjlYp
purposes all emerge as concerns for the organization.
Dack of availability of data Tax is one of the largest
consumers of data within any organization. A lack of accurate
and accessible transactional data for tax purposes is a top root
cause of tax compliance issues, not to mention a driver
g^af]^[a]f[a]kYf\]p[]kk[gkl^gjl`]gj_YfarYlagf&
Transfer pricing While tax owns the transfer pricing policy, it
akl`]Zmkaf]kkl`Ylaklqha[YddqYkc]\lg\]f]Yf\]p][ml]l`]
controls that ensure compliance with the policy. Therefore, a
key risk related to transfer pricing remains the ability to sustain
transfer pricing controls. Operationally, a lack of transparency
aflgljYfk^]jhja[af_hjgl\m]lgYdY[cg^\YlY!g^l]fd]Yn]k
the organization waiting until it is too late to make changes to
prices or controls. Transfer pricing risk is compounded by tax
authorities with very divergent goals.
VAT and other indirect tapes These transactional taxes
continue to create risk due to the fact that heavy reliance is
placed on the accuracy of information in the business to comply.
While tax can provide direction and guidance related to indirect
taxes, it is the transactions being executed by the business that
drive compliance, and organizations often do not have the right
processes and controls in place. Identifying the right structure
(in the business, versus within tax) to manage VAT and indirect
tax is a complex issue companies continue to assess.
Tap complepity in :razil and Datin America Latin America,Yf\kh][a[Yddq:jYrad$[gflafm]klghj]k]flY_j]Yl]jd]n]dg^
tax risk for organizations. This is driven by the complexity of tax
rules, a lack of resources familiar with both US and Brazilian tax
rules in the region and governmental policy decisions.
Other risks that continue to receive attention include: failure to
identify tax planning opportunities and manage tax obligations
across all jurisdictions; failure to manage non-income tax
obligations like customs duties; failure to track the movement
of expatriates and assets across foreign tax locations, resulting
in permanent establishment or nexus issues; and/or a lack of
resources with tax accounting skills in foreign jurisdictions.
The management of tax risk is complex and requires the participation
of different constituents with the requisite skills partnering with the
business and tax department to properly assess, remediate and
monitor these risks. Internal audit can, and should, play an integral
role in the organizations broader tax risk management approach.
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
11/40
9Insights on governance, risk and compliance | May 2013
Jecommended readingwww.ey.com/US/en/Services/Tax/Tax-Library
The audits that make an impact Cey iuestions to evaluate during audit
Transfer pricing audit This audit is not just an assessment
of the companys compliance with policy but a broader look at the
processes, controls and data in place to sustain compliance. Assess the
accuracy, completeness and availability of data used to understand
ljYfk^]jhja[af_hjgleYj_af$[gfjeafnga[]kY[[mjYl]dqj]][l
transfer prices, and evaluate the design and operating effectiveness
of managements monitoring processes, including reports and
periodic meetings to monitor performance. An emerging area of
risk to consider would be the harmonization of transfer pricing and
custom valuations.
Akl`]\YlYl`Ylakf]]\]\lgmf\]jklYf\ljYfk^]jhja[]hjglYZadalq
YnYadYZd]Yf\Y[[mjYl]7
What controls are in place within the business to monitor transfer
hja[af_[gehdaYf[]7
What can be done to improve the accuracy of transfer prices and
j]\m[]^j]im]fl[`Yf_]klgljYfk^]jhja[]kgjq]Yj%]f\kmjhjak]k7
Is the organization at risk for inconsistent transfer pricing and
[mklgenYdmYlagfk7
Tax data assessment Evaluate the availability, completeness
and accuracy of data needed to comply with tax regulations.
L akYm\alak]p][ml]\Zqjklmf\]jklYf\af_l`]kgmj[]g Ydd\YlY
necessary for tax (determined in coordination with tax or third
party). The team then evaluates gaps in either the completeness,
accuracy and availability of data and articulates the impact of the
gap. Management can use the results of this audit to evaluate future
Y[lagfkYf\l`]Z]f]lkg^Y\\j]kkaf_l`]_Yhk&
What data and related data resources are the most critical to
]^[a]flYf\]^^][lan]lYp[gehdaYf[]oal`afl`]gj_YfarYlagf7
Where does a lack of data availability, completeness or accuracy
[j]Yl]af]^[a]f[a]k^jgeY[gklgjlae]klYf\hgafl!^gjl`]
gj_YfarYlagf7O`Ylakl`]aehY[lg^l`gk]af]^[a]f[a]kYf\o`q
\gl`]q]pakl7
@go[Yfl`]_YhkZ]Y\\j]kk]\$Yf\o`Ylogmd\Z]l`]Z]f]lk
g^Y\\j]kkaf_l`]e7
VAT (indirect taxes) Perform an end to end process review of the
companys VAT tax process. This includes evaluation of how data
is compiled, processed and ultimately reported to tax authorities.
;gfjel`YlYhhjghjaYl][gfljgdk$l][`fgdg_q$[geh]l]f[a]kYf\
hjg[]kk]k]pakllg]^[a]fldq[gehdq&L`akYm\aleYqYdkgj]kmdlaf
opportunities for substantial cost savings by improving the accuracy
Yf\]^[a]f[qg^l`]N9LlYphjg[]kk&Gl`]jYj]Ykg^af\aj][llYp
such as sales and use tax could also be considered for this audit.
Is data needed for VAT purposes captured accurately and
[gehd]l]dq7
9j][gfljgdkafhdY[]lg]fkmj]N9Lak[Yd[mdYl]\Y[[mjYl]dq7
Who owns VAT processes and do they have the necessary skills
lg]fkmj][gehdaYf[]7
9j]l`]j]ghhgjlmfala]k^gj[gklkYnaf_kj]dYl]\lgN9L7
Tax compliance audit Evaluate the tax provision and other tax-
[gehdaYf[]%j]dYl]\hjg[]kk]klg[gfje[gfljgdkYj]\]ka_f]\Yf\
operating effectively. To add value to the organization, identify
ways in which controls can be further optimized for adequate risk
[gn]jY_]o`ad]af[j]Ykaf_]^[a]f[q&
@go]^[a]flakl`]hjg[]kklg[gehad]\YlY^gjl`]lYphjgnakagf7
Akl`]j]_dgZYdnakaZadalqaflgl`]hjg[]kk7
Are controls related to compliance designed and operating
]^^][lan]dq7
9j]l`]j]ghhgjlmfala]klgaf[j]Yk]l`]]^[a]f[qg^[gfljgdk7
Af\aj][lLYp:ja]f_2
a review of global indirect tax
developments and issuesIndirect Tap:riengA review of global indirecttap developments and issues
Issue5tAugust *()*
Navigating a complex tax
controversy environment
Inthisissue:
2 Ernst&Youngtaxcontroversysurveyaneweraof taxriskand
mf[]jlYaflq2 \]faf_l ]businessimperative
4 IRSpracticeandprocedures
;`a]^ ;gmfk]dakkm]kfgla[]gf
9hh]Ydk]phYjl][geemfa[Ylagfk
AJKoal`\jYok;AHgf[gkl%k`Yjaf_Zmq%afljYfkY[lagfk
AJKj]nakalkj]k]Yj[`[j]\alj]^mf\[dYaek
10 Transferpricing
enforcementtrends
Hjagjala]klg]f`Yf[]l`]EmlmYd9_j]]e]flHjg[]\mj]
13 Penaltycorner
O`a[`h]fYdlqYhhda]k
mf\]jhYqe]flgj]p[]kkan]j]^mf\715 Courts
20 Legislative,regulatoryand
gl ]j_ma\Yf[]F]odqj]d]Yk]\lYf_aZd]
hjgh]jlqj]_mdYlagfk
26 Ernst&YoungLLPaddsnew
taxcontroversytalent
Summer2012
Wearepleasedtopresentthelatest issueofournewsletterdedicatedtotax controversyand
relatedrisks.Asbusinessmodelsgrowincomplexityandgeographicreach,the challengesYf\jakckj]dYl]\lglYp[gfljgn]jkqaf[j]Yk]ka_fa[Yfldq&L`]j]Yj]fYf[aYdYko]dd Yk
j]hmlYlagfYdjakckl`Yl[YfZ][gkldq a^fgleYfY_]\hjgY[lan]dq&L`]klYc]kYj]`a_`$l`]
rulesarenotalwaysclear,anditcan bechallengingtokeepup withallofthe changesinIRSprocedures,toolstoresolvedisputes,andthevariousrolesand responsibilitiesoftheteams
Yf\eYfY_]jk&L`akf]okd]ll]jakafl]f\]\lg`]dh qgmc]]hmhlg\Yl] gfl`][`Yf_]kaf AJKinitiativesandenforcementfocus,courtdecisionsandtheir implications,regulatorychanges,
andotherinformationthatcanhelp youmakeinformeddecisionsaboutmanagingtaxcontroversyandrelatedrisk.
L`]AJKj][]fldqj]n]Yd]\l`Yll`]l`j]]lgh Yj]Ykg^mf[]jlYaflYphgkalagfk\ak[dgk]\gf>gje))*(MLHYj]l`]j]k]Yj[`[j]\al$ljYfk^]jhja[af_$Yf\akkm]kj]dYl]\lg AJ;k][lagf
).*$ljY\]gjZmkaf]kk]ph]fk]k&Afl`ak]\alagf g^gmjf]okd]ll]j$qgmoaddf\Yjla[d]kj]dYl]\lgl`]k]l`j]]Yj]Yk&9dkgaf[dm\]\ak YkmeeYjqg^l`]f\af_k ^jgegmj*())*()*LYpjakc
andcontroversysurvey.Seehowyourcompanycompareswiththeperspectivesof500tax\aj][lgjkYf\;>Gko`ga\]fla]\l`]ajlgh jakcYj]YkYf\lj]f\kl`Yll`]qgZk]jn]&Qgmoadd
alsoseewhattaxauthorities,taxpolicy makersandauditcommitteemembersconsidertobetheirkeychallenges.
L`]j]Yj]ka_fa[Yfl[`Ydd]f_]kafeYfY_af_lYpjakc Yf\[gfljgn]jkqaflg\Yqk][gfgea[andglobalenvironment.However,withthosechallengescomeopportunitiestodealwithtax
[gfljgn]jkqegj]]^[a]fldqYf\]^^][lan]dqafl`]MKYf\ gfY_dgZYdZYkak& O`]l`]jqgmoYfllgeYc]Yka_fa[Yflk`a^l afqgmjj]dYlagfk`ahYf\hjg[]kkaf \]Ydaf_oal`lYpYml`gjala]k$gj
justwanttoimprovetheprocessto obtaincertaintysooner,knowledgeofthetoolsavailableYf\`golgfYna_Yl]l`jgm_`l`] gj_YfarYlagfak]kk]flaYd&O]`gh]l`Ylqgm f\l`ak
informationhelpful.
Ifyouhaveanyquestionsor feedbackrelatedtothisnewsletter,pleasefeelfreeto
[gflY[lgmjLYp;gfljgn]jkqYf\JakcEYfY_]e]fld]Y\]jkj]^]j]f[]\Yll`]]f\ofthispublication.
DeborahNolan9e]ja[YkLYp;gfljgn]jkqD]Y\]j
Tax controversy andrisk management review
Navigating a complex taxcontroversy environment
Opportunities for integrated audits between IT and operational audit Audit was frequently mentioned in survey of leading IA organizations
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
12/40
10 Insights on governance, risk and compliance | May 2013
Sustainability
Awareness of environmental issues and the increased focus onthe scarcity of natural resources has brought sustainability to theforefront for many organizations. In a recent review of the proxystatements of the Russell 3000, more than 900 shareholderproposals were submitted on environmental and social topics, themost across the four major proposal categories (environmental/social, board-focused, compensation and anti-takeover/strategic
proposals). This shift was attributed to growing support frommainstream investors on environmental/social topics as wellas widespread corporate recognition of the business case forsustainability. Additionally, legislation such as the Dodd-Frank9[lYf\\ak[dgkmj]j]imaj]e]flkgf[gfa[leaf]jYdk`Yn]increased the risk in this area.
As the focus on sustainability grows, key topics continue to emerge:
Managing the global supply chainL`]j]akka_fa[Yflafl]j]klin how organizations are identifying and mitigating risks relatedto sustainability of their supply chain. Stakeholders are focusedon sustainability reporting, environmental impacts and human/labor rights and working conditions. Companies are frequentlybeing asked for disclosure of supply chain practices and/orrelated risks.
Dinking executive compensation to sustainability metrics To drive sustainable change through the organization, theexecutives must be properly incented and measured. Leadinggj_YfarYlagfkYj]af[gjhgjYlaf_fgffYf[aYdh]j^gjeYf[]metrics into their executive compensation programs a trendthat will only increase as sustainability grows in importance.
Including environmental'social considerations in employeeiualication Stakeholders are seeking information on howorganizations link their overall business strategies withenvironmental/social matters.
Conict minerals Section 1502 of the Dodd-Frank Act requires
certain public companies to provide disclosures about the use of[gfa[leaf]jYdk^jgel`]
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
13/40
11Insights on governance, risk and compliance | May 2013
The audits that make an impact Cey iuestions to evaluate during audit
Corporate responsibility audit Evaluate the processesfor developing and issuing the corporate responsibility report.Additional focus will be given to the metrics utilized in the report,hjg[]kk^gj[gdd][laf_l`akaf^gjeYlagf$Yf\l`]n]ja[Ylagfg^the completeness and accuracy of this data. The internal auditteam should evaluate the gaps in completeness, accuracy and/oravailability of the data required to issue the report.
Who is responsible for developing and issuing thej]khgfkaZadalqj]hgjl7
What are the key performance indicators and metricskmhhgjlaf_l`]j]hgjl7
How does the company determine that the informationaf[dm\]\afl`]j]hgjlak[gehd]l]Yf\Y[[mjYl]7
What controls are in place within the business to monitorl`]j]hgjl7
What can be done to improve the accuracy and timelinessg^l`]j]khgfkaZadalqj]hgjlaf_hjg[]kk7
Energy management audit The internal audit teamYkk]kk]kl`][gehYfqk[mjj]fl]f]j_qmkY_]Ylka_fa[Yfllocations, as well as their efforts to reduce energy usage.The internal audit team focuses on the companys energymanagement strategy, how it is implemented, the metrics usedlgljY[cmkY_]Yf\j]\m[lagfk$Yf\l`]jYea[Ylagfkg^gn]jY_]kand missed projections.
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
14/40
12 Insights on governance, risk and compliance | May 2013
Customer
While customers are clearly some of the most valued stakeholders
of any organization, conversation related to customer risk is often
limited to pricing compliance, sales commissions and rebates/
marketing incentives versus broader operational and strategic
concerns. The areas of customer can be compartmentalized as
follows: customer strategy, customer experience and insight,
and sales and marketing productivity. Below we touch on each of
these areas and provide insight into how to broaden the typical
customer-related audits and add value to the organization.
Customer strategy
Acquiring, maintaining and expanding relationships with customers
are extremely competitive aspects of any business. There are
ka_fa[Yfljakck^jgel`]\][akagflg]fl]jYeYjc]lYf\a\]fla^q
its customers) to the decision to exit a particular product line or
service that organizations must continually evaluate:
Market effectiveness and return%on%investment In a
stagnant economy, there is continued risk related to
unproductive use of funds for marketing purposes and an
inability to effectively measure return on investment. Internalaudit can help manage this risk by assessing ROI and the
organizations processes to allocate marketing spend. This is
in addition to more traditional marketing and advertising
contract audits for potential cost recovery.
Hricing strategy and improvement opportunities The lack of
information to make pricing decisions (primarily total cost data),
a disconnected pricing strategy and poor implementation of
the pricing strategy through sales channels and contracting
[j]Yl]ka_fa[Yfljakcoal`afl`]gj_YfarYlagf&
Hroduct innovation and life cycle management As
organizations focus on improving margin through customer-
based product innovation, the risk that product innovation isdisconnected from the customer or not fully integrated with
the necessary business functions emerges.
Digital marketing strategy Marketing went digital long ago,
but in todays rapidly evolving technological world, failure to
keep the strategy up to date is a key risk. With social media
emerging as a primary way for customers and organizations
to connect, the risks related to customer, HR, legal and IT will
continue to blur.
Customer experience and insight
With growing pressures on product margins, an increasingly diverse
customer base, and rising costs to acquire new customers, more
and more companies are differentiating themselves by gathering
additional customer insight to improve their customer experience.
Companies must be in tune with the real-time experiences and
feedback of their customers, and the value of this informationmust be leveraged and capitalized on.
Based on these focus areas, organizations need to consider the
following risks:
Failure to properly segment and understand customers
Organizations may not truly understand the characteristics
and needs of their customers, thus resulting in poor pricing
Yf\eYjc]laf_kljYl]_a]kYf\Y\jghafhjglYZadalq&
Customer support Poor customer support can quickly
j]\m[][mklge]j[gf\]f[]Yf\]jg\]hjglYZadalq&
Dack of proactive metrics to measure performance
Identifying the right metrics to proactively provide management
with an indication of performance is critical and often an area
organizations struggle with.
Sales and marketing productivity
>gjegklgj_YfarYlagfk$Yka_fa[YflYegmflg^[YhalYdakkh]flgf
sales and marketing to attract, retain and expand relationships
with customers. Organizations must develop the appropriate
metrics and reporting to monitor the effectiveness of their sales
forces and marketing materials. There are a number of focus areas
related to sales and marketing productivity that the internal audit
department should be aware of:
Sales productivity improvement This area includes developing
and sustaining the right account strategy and opportunity
sizing processes. This also includes understanding where and
how members of the sales force utilize their time and how it
aligns to the overall account and opportunity sizing process.
Sales organization structure This relates to having the right
sales force structure and span of control sizing to deliver on
sales goals.
Sales performance management To obtain the most from
the sales organization, its important to have clear roles
\]f]\Yf\Y^gjeYd[Yj]]jhYl`af_hjg[]kk&KYd]ke]lja[k
and incentive compensation must be aligned to the overall
organizational goals to drive the right behavior. This is a
critical risk area for members of the sales organization.
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
15/40
1+Insights on governance, risk and compliance | May 2013
This time its personal: from
consumer to cocreator
www.ey.com/GL/en Services/Advisory/This-time-its-personal--from-consumer-to-co-creator
Jecommended reading
The audits that make an impact Cey iuestions to evaluate during audit
Marketing effectiveness and ROI review This audit includesreviewing the process to develop key marketing programs andthen assessing managements ability to measure the success.Also included in this audit may be an assessment of keycontracts with marketing and advertising vendors. This portionof the audit would be structured as a more traditional contractcompliance review.
Are marketing programs developed and approved in[gehdaYf[]oal`[gehYfqhgda[a]kYf\hjg[]kk]k7
Do program incentives drive customer behavior that is alignedlg[gjhgjYl]kljYl]_q7
Are marketing and advertising providers delivering on[gfljY[lmYdl]jek7
How effectively does the organization measure ROI associatedoal`ka_fa[YfleYjc]laf_hjg_jYek7
Product innovation audit Evaluate the processes and controlsrelated to the organizations ability to innovate. This audit wouldYkk]kkl`]]^^][lan]f]kkg^l`]klY_]Yf\_Yl]khjg[]kk\]f]\and, most importantly, how well the innovation process isintegrated across business functions.
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
16/40
14 Insights on governance, risk and compliance | May 2013
Corporate
development
In the ever-changing economic world, the corporate development
function is more crucial than ever. Corporate development serves
as the lifeblood for an organization by providing strategic advice to
the board, actively managing the organizations portfolio, divesting
non-core assets and pursuing acquisitions to deliver increased
nYdm]lgl`]Zmkaf]kk&Afl`ak[gehd]pYj]Y$l`]j]Yj]Yka_fa[Yfl
number of potentially material risks. In the following section, weidentify these risks and the audits that may be performed to deliver
additional value to the business.
Divestitures
As organizations focus on preserving, optimizing and raising
capital, they often use divestitures to strategically manage their
portfolios. Deciding when and how to sell an operating unit can be
]plj]e]dq\a^[mdl&9k[gehYfa]k[gflafm]lgjYlagfYdar]l`]aj
product portfolio based on internal and external factors, internal
audit may play a role in enhancing managements credibility and
preparedness. By focusing on the right areas, the internal audit
team may assist in preserving the deals value and maximizing the
after-tax proceeds for the organization. By remaining an active
participant in the process, audit may help to mitigate the risks to
the organization in the following areas:
Carve-out nancial statements Being able to appropriately
value the carve-out business requires the organization to have
l`]f][]kkYjq\YlYYf\fYf[aYdaf^gjeYlagf&G^l]fl`akakY
ka_fa[Yfl]^^gjl^gjl`]gj_YfarYlagf\m]lg`goalakk]lmh
(e.g., systems, consolidation process).
Tax analysis The structuring of the divestiture transaction
`YkYka_fa[YflaehY[lgfl`]lYpaehda[Ylagfkg^l`]\]Yd&
Most transactions involve businesses with operations in multiple
countries, further complicating the process and enhancing therisk to both the organization and acquiring company.
Buyer diligence After deciding to divest of a portion of its
portfolio, an organization must have an approach to dealing
with the buyer diligence process. Decisions on the amount and
type of information to be shared, and at what point in the
divestiture life cycle it will be shared, must be made prior to the
a\]fla[Ylagfg^hgl]flaYdZmq]jk&
Operational preparedness As a company or business unit is
divested from an organizations portfolio, the remaining business
must have the appropriate processes and controls in place to
ensure that it is prepared to operate post-transaction close.
Mergers and aciuisitions
As the business landscape continues to become more and more
competitive, organizations are looking for ways beyond organic
growth to continue to meet and exceed their goals. In a recent
survey of US companies, 76% believe the global economy shows
no signs of improvement. Mergers and acquisitions are viewed as
one route to help companys meet their targets and continue todeliver value to their shareholders. Organizations must be
actively monitoring the M&A market in emerging markets. For
instance, Brazil has seen year-over-year M&A activity increase
16%. The acquisition and integration of a business or segment
afngdn]kka_fa[Yfljakcl`jgm_`gmll`]hjg[]kkYf\emklZ]
tightly monitored by the organization:
Validate reiuirements and understand the issues for the
transaction As organizations initiate the process to identify
hgkkaZd]Y[imakalagflYj_]lk$l`]j]akka_fa[Yfljakca^l`]
gZb][lan]kYf\_gYdk^gjl`]ljYfkY[lagfYj]fgl[d]Yjdq\]f]\
at a detailed level.
Herform due diligence of potential targets Organizations
emkl`Yn]Y\]f]\YhhjgY[`lgh]j^gjeaf_\m]\ada_]f[]Yf\
fYf[aYdYfYdqkakg^l`]a\]fla]\lYj_]lk&L`]qemkl`Yn]
hj]nagmkdqa\]fla]\l`]af^gjeYlagfl`Yll`]qf]]\Yf\l`]
process they want to go through in order to successfully
evaluate the target.
Jeview potential compliance and regulatory issues that may
arise from aciuisition When considering a potential target,
the company should be aware of and actively managing the
compliance and regulatory issues that may arise as a result of
the transaction.
Continue ongoing support of the business and its integrationstrategy For the transaction to be truly successful, the
gj_YfarYlagff]]\klg`Yn]Y\]f]\hdYf$hjg[]kkYf\[gfljgdk
in place to assist with the transitioning of the target. The
transaction is not truly complete until the target is operating
like other segments of the organization.
Would-be buyers should also perform anti-corruption due diligence
YkYjklkl]haf[gfka\]jaf_\]YdkYZjgY\&L ak\m]\ada_]f[]k`gmd\
Z]h]j^gje]\hjagjlgljY\alagfYdfYf[aYd\m]\ada_]f[]g^Y
potential target. This is especially important given the potential for
successor liability of an acquired organization, and is an area where
afl]jfYdYm\al[YfZ]g^ka_fa[YflnYdm]lgl`]gj_YfarYlagf&
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
17/40
15Insights on governance, risk and compliance | May 2013
Jecommended readingwww.ey.com/US/en/Services/Transactions/Corporate-Development
The audits that make an impact Cey iuestions to evaluate during audit
Merger and acquisition process integration review
This audit is focused on evaluating the organizations
process to integrate operations, technologies, services
and product lines after the transaction has closed. The internal
audit team focuses on the policies and procedures in place tomake the transaction as seamless as possible. Additionally,
l`]afl]jfYdYm\all]Yeoaddj]na]ol`]\]f]\c]qh]j^gjeYf[]
indicators (KPI) for the integration, as well as the process
to monitor the KPIs.
O`YlYj]l`]\]f]\[gfljgdhgaflkafl`]afl]_jYlagfhjg[]kk7
Who is involved in the acquisition integration process and what
Yj]l`]ajjgd]k7
What are the KPIs to determine whether the integration is
km[[]kk^md7 How is the acquired organization transitioned to the companys
hgda[a]kYf\hjg[]\mj]kafYlae]dqeYff]j7
Are there any new reporting requirements or disclosures as a
j]kmdlg^l`]Y[imakalagf7
What is the process for assessing the culture of the target
organization and identifying the steps necessary to assimilate
l`]h]ghd]aflggmjZmkaf]kk7
Business development/due diligence assessment The internal
audit team will focus on the process and controls in place to
manage the business development life cycle from the
a\]fla[Ylagfg^lYj_]lgj_YfarYlagfklgl`]imYda[YlagfYf\
offer process. Additional consideration is given to the strategicdecision-making process for the allocation of capital.
What is the process and what are the controls for identifying
Yf\imYda^qaf_Y[imakalagflYj_]lk7
Who is responsible for monitoring the controls and how
]^^][lan]dqYj]l`]qgh]jYlaf_7
O`]j]\gnmdf]jYZadala]kgj_Yhk]pakl7 O`YlakZ]af_\gf]lgj]e]\aYl]l`]k]_Yhk7
Divestiture/carve-out review The internal audit team reviews
the process and controls in the divestiture/carve-out life cycle,
^jgej]na]og ]paklaf_Zmkaf]kkmfalk'k]_e]flklgl`]imYda[Ylagf
of potential buyers and the offer process. The team focuses on
l`]hjg[]kkYf\[gfljgdkafhdY[]\mjaf_l`]a\]fla[Ylagf$YfYdqkak
and potential sale/closing of the operations/business unit. A
focus is placed on the carve-out life cycle, including strategic
analysis, opportunity analysis, transaction development,
negotiation advice and execution, and measuring and monitoring
g^ljYfkY[lagf]^[a]f[qYf\]^^][lan]f]kk&
Akl`][Yjn]%gmlda^][q[d] gjeYddq\]f]\Yf\Y\`]j]\lg7
O`YlYj]l`]\]f]\[gfljgdhgaflkafl`]\an]klalmj]hjg[]kk7
Who is involved in the process and what is their level of
afngdn]e]fl7
O`YlYj]l`]c]qh]j^gjeYf[]af\a[Ylgjklg\]l]jeaf]km[[]kk7
Divesting for value
Fairness opinions:
the company is
about to enter into a
ka_fa[YflljYfkY[lagf
Fairness opinionsAnessentialservice
offeringfromErnst&Young
InvestmentAdvisorsLLP
The company is about to enter
into a significant transaction.
Yourshareholderswanttoknow.
Themarketplacewantstoknow.
Yourboardabsolutelymustknow.
Certainly,youbelieveitmustbe,orelsethetransactionwouldnot
beunderconsiderationormovingforward.
Butwillboardmembers,boardsubcommittees,shareholdersor
otherkeystakeholdersacceptyourexpertiseandobjectivityon
faithandreputationalone?Furthermore,canyouorthecompany
affordtheriskofbeingprovenwrongafterthefact?
Is it fair?
TransactionAdvisoryServices
Divesting for value
Opportunities for integrated audits between IT and operational audit Audit was frequently mentioned in survey of leading IA organizations
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
18/40
16 Insights on governance, risk and compliance | May 2013
Navigating todays complex
business risks: Europe, Middle
East, India and Africa
Fraud Survey 2013
Fraud and
corruption
Companies must recognize that fraud awareness, prevention and
mitigation are everyday issues that need to be a permanent
plmj]gfl`]gj_YfarYlagfkY_]f\Y&;gehYfa]kemklZ]na_adYfl
in ensuring their compliance with regulatory and legal issues. The
Foreign Corrupt Practices Act (FCPA), enacted in 1977, prohibits US
[gehYfa]kYf\l`]ajkmZka\aYja]k$g^[]jk$\aj][lgjkgj]ehdgq]]k
^jgeZjaZaf_^gj]a_fg^[aYdk\aj][ldqgjaf\aj][ldq!^gjl`]
purpose of obtaining or retaining business. The FCPA has become
an enforcement priority for regulators and a major compliance
issue for US companies with global operations. The US Securities
and Exchange Commission (SEC) and the US Department of Justice
(DOJ) have stepped up their efforts to investigate and prosecute
Zmkaf]kk[gjjmhlagf$ka_fa[YfldqjYakaf_l`]j]hmlYlagfYdYf\
fYf[aYdjakcklg[gehYfa]k&Af*()($l`]K=;Yf\
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
19/40
17Insights on governance, risk and compliance | May 2013
The audits that make an impact Cey iuestions to evaluate during audit
Supplier management review Evaluate the process
management has put in place to qualify and accept suppliers,
kh][a[Yddq^g[mk]\gf:JA;:jYrad$JmkkaY$Af\aYYf\;`afY!
countries and other emerging markets (e.g., Africa). The internal
audit team will focus on the controls for ensuring that companypolicies and procedures are in place and being consistently
followed. Additional focus will be on the companys strategy to
track and handle supplier management in the highrisk locations.
This will include a review of supplier acceptance and the periodic
supplier continuance review process.
O`Yl`a_`jakceYjc]lk\g]kl`]gj_YfarYlagfgh]jYl]af7
O`Ylakl`]hjg[]kk^gjY[[]hlaf_f]okmhhda]jk7
O`gakafngdn]\afl`]hjg[]kkYf\o`YlYj]l`][gfljgdkafhdY[]7
What is the process for validating continuing relationships
oal`kmhhda]jk7
FCPA program assessment The internal audit team would
review the companys approach to FCPA compliance. A detailed
review of the policy, procedures and internal controls in place to
remain compliant will be a focus of the team. The internal audit
team will review the companys training and education programs
for employees and third parties. Also, the team will focus on the
business approach to remaining up to date on all applicablelaws and regulations.
O`ggofkYf\akj]khgfkaZd]^gj>;H9[gehdaYf[]7
What is the organizations process for riskassessing the
[gmflja]kafo`a[`algh]jYl]k7
What is the process for ensuring the FCPA compliance
program remains up to date with any new legal or
j]_mdYlgjqj]imaj]e]flk7
Whistleblower audit The internal audit team would
focus on the companys compliance program with an emphasis
on the policies, procedures and internal controls of the program.
The internal audit team will review the whistleblower hotline,
managements response to new accusations and the process
lg^gddgohgl]flaYdakkm]ka\]fla]\l`jgm_`lg[gehd]lagf&
Additional focus will be given to the controls in place to ensure
Yfgfqealqg^o`akld]Zdgo]jkYk\]f]\Zql`]dYo&
Who owns and is responsible for the companys compliance
hjg_jYe7
What is the process for a whistleblower to provide feedback
lgl`][gehYfq7
What controls are in place to ensure the program promotes
[gf\]flaYdalqg^l`gk]o`g[gflY[ll`]o`akld]Zdgo]j`gldaf]7
What is the process for following up on tips provided through
l`]`gldaf]Yf\gl`]je]\amek7
:mkaf]kkZja]f_2
foreign corrupt practices
act guidance issued
November2012Fraud Investigation &Dispute Services (FIDS)
Business briefing
Foreign Corrupt Practices Act
guidance issued
The fight against corruptionis alawenforcementpriority oftheUnitedStatesandwe willcontinue to make clear thatbribingforeignofficialsisnotanacceptableshortcut.Lanny A. Breuer November 14, 2012Assistant Attorney General, U.S.Department ofJustice Criminal Division
Investorsmust have faiththattheeconomicperformanceofpublic companiesreflectslawfulconsiderationsof markets, priceandproductratherthanamirageresultingfrombriberyandcorruption.Robert Khuzami November 14, 2012Director, U.S. Securities and ExchangeCommission Division of Enforcement
OnNovember14,2012,theU.S.DepartmentofJustice(DOJ)andtheU.S.SecuritiesandExchangeCommission(SEC)jointlyreleasedAResourceGuidetotheU.S.ForeignCorruptPracticesAct,(Guide).TheGuidedemonstratestheirsharedcommitmenttofightingcorruptionthroughcontinuedvigorousenforcementoftheForeignCorruptPracticesAct(FCPA).
Aftermanyyearsofrequestingadditionalguidance,thebusinessandlegalcommunitiesnowhaveacomprehensivedocumentsummarizingtheapproachandprioritiesoftheDOJandSECinFCPAenforcement.ThiswidelyanticipatedGuidedoesnthavetheforceoflawbutdoesrepresenttheevolvingviewsofDOJandSECfromyearsofenforcementactivityandreviewsofprivateandpubliccompaniesanti-corruptioncomplianceprograms.
TopicsintheGuideinclude:
Globalanti-corruptionandinter-agencyefforts Discussionofkeyanti-briberyelementsand
accountingprovisions Affirmativedefenses Principlesofenforcement Penalties,sanctionsandremedies Hallmarksofaneffectivecorporatecompliance
program
FactpatternsandhypotheticalscontainedintheGuideillustratethegovernmentsinterpretationandapplicationoftheFCPAtocommonlyfacedcorruptionissues.
Perhapsmostsignificantly,theGuideunderscorestheimportanceofacompanyscomplianceprogramto
preventanddetectcorruptactivity.Thisviewisreinforcedthroughapracticalframeworkcompaniesofanysizecanusetoimplementrisk-basedanti-corruptionmeasures.
Corporatecompl ianceprogram sTheGuideprovideshallmarksorelementsofaneffectivecomplianceprogram.Indoingso,itsetsforthprinciplesthatareperhapsmoredetailedbutverysimilartotheAdequateProceduresguidanceissuedundertheUKBriberyActandtheOrganizationforEconomicCo-operationandDevelopmentsGoodPracticeGuidanceonInternalControls,EthicsandCompliance.
ManyprogramelementsintheGuidearesimilartoleadingpracticesadoptedbymanylargeglobalcompanies.TheGuideacknowledgesthatsmallandmedium-sizecompanieswillhavedifferentcomplianceprogramsfromlargemultinationalsandindoingsoimpliesthatcostandsizearefactorsinmeasurescompaniesshouldtaketoachievecompliance.
Itendorsestheconceptofriskassessmentasfundamentaltodevelopingastrongcomplianceprogram,statingthat[o]ne-size-fits-allcomplianceprogramsaregenerallyill-conceivedandineffectivebecauseresourcesinevitablyarespreadtoothin,withtoomuchfocusonlow-riskmarketsandtransactionstothedetrimentofhigh-riskareas.1
TenelementsofaneffectiveprogramaresetforthintheGuide:
1. Commitmentfromseniormanagementanda
clearlyarticulatedpolicyagainstcorruptionoftenreferredtoastoneatthetop,seniormanagementandboarddirectorsalikeareresponsibleforconveyingastrongmessagethatcorruptionwillnotbetolerated.
2. Codeofconductandcompliancepoliciesand
proceduresacodeofconductprovidesethicalguidelinesforthoseconductingbusinessonthecompanysbehalf.Acompanymayalsohavespecificanti-corruptionpoliciesandproceduresthataddressitsmostsignificantrisksandoutlineproperinternalcontrolsandmonitoringprocedures.
3. Oversight,autonomyandresources
responsibilityforthecomplianceprogramshouldbeassignedtoanappropriateseniorindividualorgrouptoprovidetheauthorityandautonomytooverseetheprogramandreporttothecompanysgoverningbody.
4. Risk a ssessmentacompanyscomplianceprogramshouldbedesignedaroundandcommensuratewithitsuniqueriskprofile,takingintoaccountfactorssuchasitssize,structure,industry,geography,interactionswithforeigngovernmentsandinvolvementofbusinesspartners.Athoroughriskassessmentaddsefficiencyandcredibilitytoanti-corruptioncomplianceefforts.
5. Trainingandcontinuingadvice acompanyshouldtakestepstoensurethatallemployeesareawareofthecompanysanti-corruptionpoliciesandprocedures,whichisoftenaccomplishedthroughperiodictraining.Certainkeyroles,suchasmanagement,sales,financeandbusinessdevelopmentpersonnel,mayreceiveenhancedtraining.
6. Incentivesanddisciplinaryactionstoavoidtheappearanceofapaperprogram,thecorporatecomplianceprogrammustbeenforcedunequivocallythroughouttheorganizationwithcleardisciplinaryproceduresforviolatorsappliedtimelyandconsistently.Also,positiveincentives,bothfinancialandothermerit-basedrewards,mayreinforceacultureofcompliance.
T
FraudInvestigation&DisputeServices
Forfurtherinformationplease contact:
Brian Loughman,
AmericasLeader
+1 212 773 5343 | [email protected]
Richard Sibery,
AmericasFraud&InvestigationsLeader
+1 212 773 6274 | [email protected]
WilliamHenderson,
AmericasAnti-CorruptionLeader
+1 212 773 4389 | [email protected]
Patrick OConnor,
AmericasBusinessDevelopment Leader
+1 212 773 4793 | [email protected]
1AResource Guide to the U.S. Foreign Corrupt PracticesAct,Chapter5: GuidingPrinciples ofEnforcement,p.5.
Audit was frequently mentioned in survey of leading IA organizations
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
20/40
18 Insights on governance, risk and compliance | May 2013
Information
security
Traditional security models focus on keeping external attackers out. The reality is that
there are as many threats inside an organization as outside. Mobile technology, cloud
computing, social media, employee sabotage these are only a few of the internal
threats organizations face. Externally, its not just about the lone hacker who strikes for
kicks. Overall, the risk environment is changing. Often, security professionals complain
that they are too busy reacting to immediate issues and have no time to anticipate what
may be lurking around the corner. To have any hope of protecting your organizations
critical assets, the business and security teams need to understand where youraf^gjeYlagfdan]k$afka\]gjgmlka\]&A\]fla^qaf_o`Ylqgmjgj_YfarYlagf[dYkka]kYkalk
most important information and applications, where they reside and who has or may
need access to them will enable the business to understand which areas of the security
program are most vulnerable to attack.
Although organizations have been dealing with opportunistic cyber attacks for years,
eYfqfgof\l`]ek]dn]kl`]lYj_]lg^egj]kgh`akla[Yl]\Yf\h]jkakl]fl]^^gjlk&L`]k]
attacks are focused on a single objective, often lasting over a long period of time and
until the desired target is obtained. They leave few signs of disturbance because they are
designed to remain hidden to acquire as much sensitive information as possible. In our
experience, those at the greatest risk are information-intensive entities or organizations
with intellectual property that is most attractive in emerging economies. Unfortunately,
many organizations have no idea they are compromised until it is too late.
In considering the audits below, IT internal audit can play a critical role in evaluating the
organizations information security strategy and supporting program and partnering to
improve the level of control.
The audits that make an impact Cey iuestions to evaluate during audit
Information security program assessment Evaluate the
organizations information security program, including strategy,
awareness and training, vulnerability assessments, predictive
threat models, monitoring, detection and response, technologies
and reporting.
@go[gehj]`]fkan]g^Yfaf^gjeYlagfk][mjalqhjg_jYe]paklk7
Is information security embedded within the organization, or is
alYfALgfdqj]khgfkaZadalq7
How well does the organization self-assess threats and mitigate
l`]l`j]Ylk7
Threat and vulnerability management program assessment
Evaluate the organizations threat and vulnerability management
(TVM) program, including threat intelligence, vulnerability
a\]fla[Ylagf$j]e]\aYlagf$\]l][lagf$j]khgfk]Yf\
countermeasure planning.
@go[gehj]`]fkan]g^YLNEhjg_jYe]paklk7
Is the TVM program aligned with business strategy and the risk
Yhh]lal]g^l`]gj_YfarYlagf7
Are the components of TVM integrated with one another, as
o]ddYkoal`gl`]jk][mjalqYf\AL^mf[lagfk7
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
21/40
19Insights on governance, risk and compliance | May 2013
Business
continuity
management
As organizations grow in size and complexity within the world of the extended
]fl]jhjak]$l`]aehY[lg^fgf%YnYadYZadalqg^Yfqj]kgmj[]k`YkeY_fa]\&@a_`%hjgd]
events caused by natural disasters and technology infrastructure failures have increased
awareness of the need to develop, maintain and sustain business continuity programs.
Although these large-scale events such as the March 2012 Japanese earthquake and
tsunami dramatically challenge the existence of some companies, there are smaller,
less impactful but more frequent disruptions that cause many executives to question
their organizations ability to react and recover. The big disasters, as well as these smaller
disruptions, have prompted leading executives to hope for the best but prepare for the
worst by investing in effective business continuity management (BCM).
Effective BCM is rising in importance on the corporate agenda. Volatile global economies
have shrunk margins for error. Companies that previously would have survived a
ka_fa[Yfl\akYkl]jgj\akjmhlagfeYqfgof\l`]kYe]]n]flhmk`af_l`]aj[gjhgjYl]
existence to the brink. Executives are realizing that effective BCM may be the only buffer
between a small disruption and bankruptcy. Ernst & Youngs 2012 Global Information
Security Survey found that BCM was once again viewed as the top priority in the next
12 months by survey respondents.
While BCM should be viewed as an enterprise-wide risk and effort, the reality is that it
is often IT that is asked to lead critical planning activities and serve as lead facilitator. ITsystems and disaster recovery procedures are a cornerstone of the broader BCM plan,
and thus, IT audit is well positioned to evaluate broader BCM procedures.
The audits that make an impact Cey iuestions to evaluate during audit
Business continuity program integration and governance
audit Evaluate the organizations overall business continuity
plan, including program governance, policies, risk assessments,
business impact analysis, vendor/third-party assessment,
strategy/plan, testing, maintenance, change management and
training/awareness.
Does a holistic business continuity plan exist for
l`]gj_YfarYlagf7
@go\g]kl`]hdYf[gehYj]lgd]Y\af_hjY[la[]7
Akl`]hdYfl]kl]\7
Disaster recovery audit Assess ITs ability to effectively
recover systems and resume regular system performance in the
event of a disruption or disaster.
Are disaster recovery plans aligned with broader business
[gflafmalqhdYfk7
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
22/40
20 Insights on governance, risk and compliance | May 2013
Mobile
Mobile computing devices (e.g., laptops, tablet PCs, smartphones) are in widespread use,
allowing individuals to access and distribute business information from anywhere and
at any time. With the increase in mobile device capabilities and subsequent consumer
adoption, these devices have become an integral part of how people accomplish tasks,
both at work and in their personal lives. The increasing demand for information from the
mobile workforce is driving changes in the way organizations support and protect the
gog^af^gjeYlagf&Oal`Yfql][`fgdg_a[YdY\nYf[]e]fl[ge]kf]o[`Ydd]f_]k^gjl`]
enterprise, including:
Potential loss or leakage of important business information
K][mjalq[`Ydd]f_]k_an]fl`]jYf_]g^\]na[]k$gh]jYlaf_kqkl]ek$Yf\jeoYj]
limitations and vulnerabilities
Theft of the device due to the small size
Compliance with state, federal and international privacy regulations that vary from one
jurisdiction to another as employees travel with mobile devices
Navigation of the gray line on privacy and monitoring between personal and company
use of the device
IT internal audits knowledge of the organizations mobile strategy needs to evolve as
quickly as the mobile landscape. Evaluating these risks and considering the audits below
oadd`]dhYm\alY\\nYdm]lgl`]gj_YfarYlagfo`ad][gfjeaf_c]qjakckYj]o]ddeYfY_]\&
The audits that make an impact Cey iuestions to evaluate during audit
EgZad]\]na[][gf_mjYlagfj]na]o Identify risks in mobile
device settings and vulnerabilities in the current implementation.
This audit would include an evaluation of trusted clients, supporting
network architecture, policy implementation, management of
dgklgjklgd]f\]na[]k$Yf\nmdf]jYZadalqa\]fla[Ylagfl`jgm_`
f]logjcY[[]kkaZadalqYf\hgda[q[gf_mjYlagf&
How has the organization implemented bring your own
\]na[]:QG
9j]l`]ja_`lhgda[a]k'egZad]kljYl]_a]kafhdY[]7
9j]egZad]\]na[]keYfY_]\afY[gfkakl]fleYff]j7
9j][gf_mjYlagfk]llaf_kk][mj]Yf\]f^gj[]\l`jgm_`hgda[q7
@go\go]eYfY_]dgklYf\klgd]f\]na[]k7
O`Ylnmdf]jYZadala]k]pakl$Yf\`go\go]eYfY_]l`]e7
Mobile application black box assessment Perform audit using
different front-end testing strategies: scan for vulnerabilitiesusing various tools, and manually verify scan results. Attempt to
]phdgall`]nmdf]jYZadala]ka\]fla]\afegZad]o]ZYhhk&
O`Ylnmdf]jYZadala]k[YfZ]km[[]kk^mddq]phdgal]\7
How do we respond when exploited, and do we know anafljmkagf`Ykg[[mjj]\7
Mobile application gray box assessment Combine traditional
source code reviews (white box testing) with front-end (black
box) testing techniques to identify critical areas of functionality
and for symptoms of common poor coding practices. Each of
these hot spots in the code should be linked to the live instance
of the application where manual exploit techniques can verify the
existence of a security vulnerability.
How sound is the code associated with the mobile applications
mk]\oal`afl`]gj_YfarYlagf7
O`Ylnmdf]jYZadala]k[YfZ]]phdgal]\oal`afl`][g\]7
Recommended reading
Mobile device security:
understanding vulnerabilities
and managing risk
www.ey.com/GRCinsights
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
23/40
21Insights on governance, risk and compliance | May 2013
Cloud
Many organizations are looking to cloud computing to increase the effectiveness of
ALafalaYlan]k$j]\m[][gklg^af%`gmk]gh]jYlagfk$af[j]Yk]gh]jYlagfYd]paZadalqYf\
generate a competitive advantage. This is attained by shifting to a user of IT services, as
organizations no longer need to build and maintain complex internal IT infrastructures.
Cloud computing is evolving at a fast pace, giving companies a variety of choices when
looking to restructure their IT organization. However, like most technology changes,
cloud computing presents its share of risks and challenges, which are too often
overlooked or not fully understood by businesses that are quick to embrace it. Theserisks and challenges include:
Providers not living up to service level agreements (SLAs), resulting in cloud
architecture or deployment challenges
Evolving cloud standards increasing the risk that a companys systems wont work with
the providers
Legal and regulatory risk in how information is handled in the cloud
Af^gjeYlagfk][mjalqYf\hjanY[qjakckYjgmf\l`][gf\]flaYdalq$afl]_jalqYf\
availability of data
Cloud adoption and change management within an organization
IT internal audit needs to understand how the organization is embracing cloud
technologies and the risks the business faces based on the adopted cloud strategy.
The audits that make an impact Cey iuestions to evaluate during audit
Cloud strategy and governance audit Evaluate the organizations
strategy for utilizing cloud technologies. Determine if the
appropriate policies and controls have been developed to
support the deployment of the strategy. Evaluate alignment
of the strategy to overall company objectives and the level of
preparedness to adopt within the organization.
Akl`]j]YkljYl]_qYjgmf\l`]mk]g^[dgm\hjgna\]jk7
Are there supporting policies to follow when using a cloud
hjgna\]j79j]hgda[a]kafl]_jYl]\oal`d]_Yd$hjg[mj]e]flYf\
ALhgda[a]k7
Cloud security and privacy review Assess the information
security practices and procedures of the cloud provider.
This may be a review of their SOC 1, 2 and/or 3 report(s), areview of their security SLAs and/or an on-site vendor audit.
Determine if IT management worked to negotiate security
requirements into their contract with the provider. Review
procedures for periodic security assessments of the cloud
provider(s), and determine what internal security measures
have been taken to protect company information and data.
Has a business impact assessment been conducted for the
k]jna[]kegnaf_lgl`][dgm\7
Does your organization have secure authentication protocols^gjmk]jkogjcaf_afl`][dgm\7
Have the right safeguards been contractually established with
l`]hjgna\]j7
Cloud provider service review Assess the ability of the
cloud provider to meet or exceed the agreed-upon SLAs in the
contract. Areas of consideration should include technology,
legal, governance, compliance, security and privacy. In addition,
internal audit should assess what contingency plans exist in
case of failure, liability agreements, extended support, andthe inclusion of other terms and conditions as part of the
service contracts, as well as availability, incident, and capacity
management and scalability.
What SLAs are in place for uptime, issue management and
gn]jYddk]jna[]7
@Ykl`][dgm\hjgna\]jZ]]fe]]laf_gj]p[]]\af_l`]KD9k7
O`Ylakkm]k`Yn]l`]j]Z]]f7
Does the organization have an inventory of uses of external
cloud service providers, both sponsored within IT or direct byl`]Zmkaf]kkmfalk7
Recommended reading
Ready for takeoff:
preparing for your
journey into the cloud
www.ey.com/GRCinsights
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
24/40
22 Insights on governance, risk and compliance | May 2013
9kl`]ALjakchjgd]Yf\l`j]YldYf\k[Yh]jYha\dq[`Yf_]kYf\jakckaf[j]Yk]$[gehYfa]k
need to change their mindset and approach toward IT risk to address a new normal. Now
more than ever, IT issues are issues of importance to the C-suite. Boards of directors,
Ym\al[geeall]]k$_]f]jYd[gmfk]dkYf\[`a]^jakcg^[]jkf]]\lgogjcYdgf_ka\]AL
d]Y\]jkYf\af^gjeYlagfk][mjalqYf\hjanY[qg^[]jklg^mddqY\\j]kkl`]ajgj_YfarYlagfk
risk management level of due care, approach and preparedness and to implement an IT
risk management program that is adequate and effective in managing cyber risks. It iscritical that IT functions are able to effectively address the following questions:
Can you articulate your strategy to identify, mitigate and monitor IT risks to the
Ym\al[geeall]]7
@go\gqgmcfgol`Ylqgm`Yn]a\]fla]\Yddc]qALjakckl`Ylogmd\hj]n]fll`]
[gehYfq^jgeY[`a]naf_[gjhgjYl]kljYl]_a]k$gZb][lan]kYf\afalaYlan]k7
How do you make sure your risk framework continues to be relevant and continues
lga\]fla^qh]jlaf]fljakcklgc]]hl`][gehYfqgmlg^ljgmZd]7
The Securities and Exchange Commission, other regulators and the audit committee have
increased their focus on companies managing risks holistically. Company stakeholders/
shareholders expect the company to focus risk management activities and resources on
areas with the greatest impact. Internal audit is uniquely positioned to help drive growthand create value to the company through reviewing IT risk management activities.
IT risk
management
Recommended reading
The evolving IT risk landscape:
the why and how of IT risk
management today
www.ey.com/GRCinsights
Afka_`lk gj]p][mlan]k-Use governance, risk andcompliance technology to
turn risk into resultsImproveyourriskmanagementprogramandnancialperformance
Economicvolatility,shareholderdemandsandanincreasinglycompetitive
marketlandscapeareforcingorganizationstorethinktheirapproachto
risk.Moreandmore,companiesarerealizingthattheabilityto managerisk
hasaveryreal impactontheirbottomline.Infact,arecentErnst& Young
globalsurveyofmorethan250leadingorganizationsfoundadirectlink
betweeneffectiveriskmanagementpracticesandimprovednancialperformance.
However,forbusinessestoimplementeffectiveriskmanagement
practicesandreapthenancialbenets,theyllneedacomprehensiveandsustainablegovernance,riskandcompliance(GRC)processandtechnology
solution.
ArobustGRCtechnologysolutioncanhelpembedriskmanagement
requirementsandpracticesintodailybusinessactivities.Thiscanimprove
thecompanysabilityto: Identifyandrespondtorisk
Providegovernanceandoversight
Coordinateriskfunctionsandrequirements
Optimizeprocessesandcontrols
Ofspecialinterestto
Chiefexecutiveoffic ers
Chieffinancial officersHeadofin ternalaudit
Use governance, risk and
compliance technology to
turn risk into results
www.ey.com/5
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
25/40
2+Insights on governance, risk and compliance | May 2013
The audits that make an impact Cey iuestions to evaluate during audit
IT risk management strategy assessment Assess the
framework and process IT has embedded within the function to
assess and manage risks. Evaluate the actions taken to mitigate
risks and the level of accountability within the process.
@goo]dd\g]kALa\]fla^qjakck7
O`Ylak\gf]gf[]Yjakcaka\]fla]\7
9j]ALjakceYfY_]e]flhjg[]kk]k^gddgo]\7
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
26/40
24 Insights on governance, risk and compliance | May 2013
InsightsonITriskBusinessbrieng
September2011
Building condencein IT programsFacilitating success through
program risk management
Program complexity is increasing at a faster rate than companies can adapt. While
companies have been cautious with investments over the last few years, investment
portfolios are now being expanded to keep up with emerging trends (e.g., shared service
centers, system implementations). As organizations continue to look for ways to take
[gklkgmlg^l`]Zmkaf]kk$l`]qYj]mf\]jlYcaf_ka_fa[YflafalaYlan]klgj]\]ka_fYf\
standardize business processes.
Kh][a[lgAL$?Yjlf]jhj]\a[lkkh]f\af_oaddaf[j]Yk]YlYfYn]jY_]jYl]g -&+h]jq]Yjthrough 2015. Gartner also indicates that approximately 20% to 50% of a companys
IT spending will be focused on programs and projects depending on an organizations
initiatives. However, organizations continue to fail to deliver on their large IT programs.
Approximately two out of three programs are not on budget, delivered too late and/or do
fgl\]dan]jl`]]ph][l]\Z]f]lk&DYkldq$/(g^l`]eYbgj]fl]jhjak]j]kgmj[]hdYffaf_
=JH!hjg_jYek^Yadlgj]Ydar]Yld]Ykl-(g Zmkaf]kkZ]f]lk&
O`ad][gehYfa]k`Yn]afn]kl]\ka_fa[Yfldqafaf[j]Ykaf_l`]ajcfgod]\_]Yf\
capabilities in program and project management, this is not visible in the success
rates. In our opinion, the lack of improvement is mainly due to increased complexity
in business processes and the emerging technology landscape. Organizations are still
failing to properly adapt their program approaches to this increased complexity. Research
indicates a strong link between program maturity capabilities and program execution and
eYjc]l[geh]lalan]f]kk&Afl]jfYdYm\al[YfhdYqYf]^^][lan]jgd]af[gfjeaf_l`]ja_`l
processes are in place to manage programs and those processes and controls are being
executed appropriately.
Strategy deployment
through portfolio
management: a risk-
based approach
www.ey.com/GRCinsights
Hrogrammanagement
Recommended reading
:mad\af_[gf\]f[]af
IT programs: facilitating
success through program
risk management
www.ey.com/GRCinsights
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
27/40
25Insights on governance, risk and compliance | May 2013
The audits that make an impact Cey iuestions to evaluate during audit
Project management methodology audit Assess the design
of processes and controls in place to manage projects against
leading practices.
Are the right processes and controls in place to provide
that projects are delivered on time, on budget and with the
ja_`lj]kgmj[]k7
9j][gfljgdkafhdY[]lge]Ykmj]Y[`a]n]\Z]f]lkY_Yafkl
afl]f\]\Z]f]lkY^l]jhjgb][l[gehd]lagf7
Project and program execution audit Evaluate common
areas of high risk on programs (e.g., third-party contracting,
business change, test strategy, data migration). Outputs provide
[gf\]f[]lgeYfY_]e]fll`Yl`a_`%jakcYj]Yk`Yn]Z]]f
af\]h]f\]fldq[`][c]\Yf\n]ja]\lgd]Y\af_hjY[la[]&
Is project/program management methodology being
^gddgo]\[gjj][ldq7
O`Ylak\gf]o`]fhjgb][lkYj]mf\]jh]j^gjeaf_7
@goakhjgb][ljakcYkk]kk]\Yf\eYfY_]\7
Portfolio risk review Review strategy, projects and
programs to assess alignment. This review focuses on
assessing the prioritization of the project portfolio in support of
increasing value and reducing the risk that the transformation
portfolio exposes.
Do the right governance processes exist to provide that
hjgb][lk'hjg_jYekYda_flg[gehYfqkljYl]_q7
@goakl`]hgjl^gdageYfY_]\Yk[gjhgjYl]gZb][lan]k[`Yf_]7
Shared service center review Evaluate the processes and
controls related to a shared service center implementation.
In-scope processes are assessed to verify that control points are
in place and have also been optimized to leverage available
technology (e.g., automated controls).
O`Ylakl`]hjg[]kk gjljYfkalagfaf_lgl`]k`Yj]\k]jna[][]fl]j7
O`Ylhjg[]kk]kYj]af%k[gh]7@Ykl`][gfljgd^jYe]ogjcZ]]f
j]na]o]\YkhYjlg^l`]ljYfkalagfhjg[]kk7
Akl`]j]Y[gfljgdkogjcklj]Ye^gjl`]aehd]e]flYlagf7
O`Yll][`fgdg_qakZ]af_mladar]\YkhYjlg^l`]ljYfkalagf7
Process redesign review Assess the businesss plan for
redesigning its business processes as part of a major initiative
(e.g., system implementation). The internal audit team focuses
on the project plan, management structure and approach to
redesigning the control framework for the in-scope processes.
O`gYj]l`]hjgb][ll]Yee]eZ]jkYf\o`YlYj]l`]ajjgd]k7
Akl`]j]Y\g[me]fl]\[gfljgdkogjcklj]Ye7
What is the process for leveraging automation and system
[gfljgdkafl`]j]\]ka_f]\hjg[]kk7
Opportunities for integrated audits between IT and operational audit
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
28/40
26 Insights on governance, risk and compliance | May 2013
With increased focus on cost reduction in a global economy struggling to recover, effective
software asset management and IT asset management can have a very positive impact
by helping to reduce license-related expenses, improve IT service management by more
]^[a]fldqeYfY_af_ALYkk]lafn]flgja]k$Z]ll]jeYfY_][gehdaYf[]%j]dYl]\jakcYf\
]n]faehjgn]gn]jYddgh]jYlaf_]^[a]f[a]k&D]Y\af_AL\aj][lgjkYf\l`][`a]^af^gjeYlagf
g^[]jklgo`gel`]qj]hgjlYj]j]Ydaraf_l`Yl]^^][lan]dqeYfY_af_kg^loYj]Ykk]lk[Yf
be a strategic advantage. For example, effective asset management: Potentially reduces liability risk by maintaining license compliance and avoiding
related penalties
Lowers potential costs by helping to avoid license and other IT asset overbuying
@]dhklgegj]]^[a]fldqeYfY_]l`]gl`]joak]j]kgmj[]%\jYafaf_Yf\dYZgj%afl]fkan]
compliance processes
Limits potential reputational risks associated with license violations or compliance-
j]dYl]\[gfa[lkoal`n]f\gjk
Software licenses currently account for about 20% of typical IT costs, and the already
pervasive use of software continues to rise. At the same time, many IT directors are noticing
that their software vendors have become more diligent in ensuring that their customers
remain in compliance. IT leaders, members of the C-suite and shareholders have come to
expect increasingly more from their investments, including those which rely on IT functions.
As IT auditors, it is critical that software and IT asset management processes and controls
are well understood. Its not just about cost management strong IT asset management
processes affect the following, as examples:
IT service management IT asset management is critical to effectively locate and
service assets, replace and retire existing assets, etc.
Information security Without a clear view of existing IT assets and software, its
\a^[mdllghjagjalar]Yf\]nYdmYl]l`]Ykkg[aYl]\k][mjalqjakcg^l`gk]Ykk]lk&
IT contract management It is understandable that without an effective way to manage
Yfgj_YfarYlagfkALYkk]lk$aleYqZ]]imYddq\a^[mdllgmf\]jklYf\o`Yl[gfljY[lk]paklwith vendors for those assets, whether they are managed in a cost-effective manner and
whether any violations from contracts may exist.
Software'IT assetmanagement
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
29/40
27Insights on governance, risk and compliance | May 2013
The audits that make an impact Cey iuestions to evaluate during audit
IT and software asset management process and control
audit Assess the design and effectiveness of processes and
controls that IT has deployed related to software and IT asset
management. Review the impact of these processes on related
IT processes such as IT service management, IT contractmanagement and information security.
Do we have a comprehensive approach to IT asset and
kg^loYj]eYfY_]e]fl7
@goo]dd\go]eYfY_]kg^loYj]da[]fk][gklk7
Is there an IT and software asset management technology
kgdmlagfafhdY[]lgkmhhgjll`]k]hjg[]kk]k7A^fgl$k`gmd\l`]j]Z]7
Software license review H]j^gjeYj]na]og^ka_fa[Yfl
software license agreements (e.g., ERPs) and evaluate the
effectiveness of ITs software asset management process in
practice. Assess opportunities for cost reduction from improving
the management of software licenses.
Are there opportunities to renegotiate software licensing
agreements based on the way we actually utilize software
n]jkmkl`]oYqgja_afYd[gfljY[lko]j]f]_glaYl]\7
9j]o]nagdYlaf_Yfq]paklaf_[gfljY[lmYdY_j]]e]flk7
IT contract management assessment Evaluate the IT
organizations ability to manage contracts and how effectively
IT and supply chain coordinate to manage costs and negotiate
effective agreements.
Are IT asset and software contracts planned, executed,
eYfY_]\Yf\egfalgj]\]^^][lan]dq7
Are there shadow IT contractual agreements executed in
gl`]jhYjlkg^l`]gj_YfarYlagf7
Effective software asset
management: how to
j]YhalkZ]f]lk
www.ey.com/GRCinsights
Recommended reading
Opportunities for integrated audits between IT and operational audit
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
30/40
28 Insights on governance, risk and compliance | May 2013
The social media elements that generate business opportunity for companies to extend
their brands are often the same elements that have created IT-related risk. Like the
borderless nature of social media itself, the various risks surrounding social media can
be borne by multiple enterprise functions at the same time, challenging companies to
understand how, when and where to engage their IT functions or plug risk coverage
gaps. Legal, compliance, regulatory, operational and public relations issues are at the top
of the list of potential IT-related social media risks that can ultimately cause erosion of
customers, market share and revenue. For example, on most of the popular sites (Twitter,
>Y[]ZggcYf\Dafc]\Af!$mk]jkYj]YZd]lg[j]Yl][gehYfqhjgd]kYf\[geemfa[Yl]gf
behalf of the organization through social media channels. This can create marketplace
confusion because of multiple messages and different audiences, policies and practices.
Gl`]jegj]kh][a[`]Y\daf]%_jYZZaf_]pYehd]kg^kg[aYd%e]\aY%j]dYl]\jakckaf[dm\]2
Employees involved in social media inadvertently leaking sensitive company information
;jaeafYd`Y[c]jkj]%]f_af]]jaf_[gf\]flaYdaf^gjeYlagf]&_&$dg_%afkYf\hYkkogj\k!
based on information obtained from employee post
Employee misuse of social applications while at work
Hacked, faked or compromised corporate or executive Twitter or Facebook fan page
or individual accounts Multiple platforms creating more access for viruses, malware, cross-site scripting
and phishing
Damage to a brand or company reputation from negative, embarrassing or even
incriminating employee or customer posts, even those that are well-intended
Failure to establish complete and fully compliant archiving and record-retention
processes for corporate information shared on social media, especially in the health
[Yj]$fYf[aYdk]jna[]kYf\ZYfcaf_af\mklja]k
IT is heavily relied on to enable social media strategies in coordination with marketing
strategies. It is critical that IT audit has an understanding of the organizations social
media strategy and the related IT risk and adds value by providing leading practice
enhancements and assurance that key risks are mitigated.
Social media
risk management
-
7/27/2019 Key Considerations for Your Internal Audit Plan AU1607
31/40
29Insights on governance, risk and compliance | May 2013
The audits that make an impact Cey iuestions to evaluate during audit
Social media risk assessment Collaborate with the IT
organization to assess the social media activities that would
create the highest level of risk to the organization. Evaluate the
threats to the organizations information security through the
use of social media. This audit may be combined with a sociale]\aY_gn]jfYf[]Ym\allgl`]f[gfjehgda[a]k`Yn]Z]]f
design