sample audit plan


Upload: maher-manan

Post on 19-Jul-2015


Page 1: Sample audit plan

Audit Scope

The objective of this audit is to assist UNCCG in reviewing its enterprise data warehouse technology platform. The scope of work for this audit will consist of <XXXX> hours of professional services and the objectives for this audit will include a review of the following control points:

Data Warehouse Management
• Data Warehouse Governance
• Financial Management
• Risk Management
• Human Resources
• Portfolio Project Management

Data Warehouse Operations
• DW Architecture and Integration
• Systems Development and Testing
• Change Management
• System Monitoring
• Problem Management
• Logical Security
• Data Transmission
• Metadata

Business Integration
• Service Delivery (Business Process Integration and Analysis)
• Project Management
• Help Desk

Audit Approach

Our approach for the execution of this audit engagement will consist of interviews with key employees, review of documents, inspections, data extractions and the usage of applicable audit tools. The audit will consist of the components described below. The phases are listed in sequential order and should provide an overview of the sequencing of the proposed engagement.

Phase description and deliverables

1. Mobilization phase – GF Consulting will perform the following:

• Develop and provide to UNCCG an advanced data request (ADR) of the relevant documents and materials that will support our fieldwork.

• Develop and provide to UNCCG an initial interview list of those business and IT professionals that we anticipate needing to meet with in order to perform this audit.

• Develop an audit program to guide activities during the course of this audit. The audit program guide should include a list of the controls that would be reviewed along with a defined approach for understanding the design of the control and how it would be tested to determine if it was operating effectively.

Deliverables:

• Advanced data requests (see appendix for a sample request)

• Interview lists of key employees that we would like to interview (see appendix for a sample list)

• Detailed Audit Program document(s) for each of the following areas: Data Warehouse Management, Data Warehouse Operations and Business Integration.

2. Execution phase – Once the audit program has been finalized, and the appropriate resources have been identified, fieldwork will proceed in accordance with the audit plan.

Deliverables:

• Results from the execution of the detailed Audit Program

• Working papers that support the results from the detailed Audit Program

3. Reporting phase – All IT audit work is summarized in the IT audit report. Our team will compile and present a draft report to UNCCG management within three weeks of completing the execution phase. The purpose of this draft is discussion and incorporation of any comments prior to issuing a final report to UNCCG.

Deliverables:

• Draft report for discussion containing an executive summary, audit findings and recommendations for improvement.

• Final report with edits and comments from UNCCG management

Risk Assessment

Based on the information provided by UNCCG during our initial conversation, combined with our understanding about the business environment in which UNCCG operates, we have formulated the following risk considerations that we understand are relevant to your business. Our goal is to incorporate these risk considerations in our audit program to be developed in the Mobilization Phase of this engagement.

Risk category: Regulatory Risk

1 As a publicly traded company, UNCCG is subject to compliance with the Sarbanes-Oxley Act of 2002 (SOX). As a result, UNCCG’s management must:

• Accept responsibility for the effectiveness of the company’s internal control over financial reporting.

• Evaluate the effectiveness of the company’s internal control over financial reporting using suitable control criteria.

• Support its evaluation with sufficient evidence, including documentation.

• Present a written assessment of the effectiveness of the company’s internal control over financial reporting as of the end of the company’s most recent fiscal year.

Although this legal requirement may not have a direct impact on the data warehouse applications subject to this audit, since they are not categorized as “financial reporting related” applications, it may have an indirect impact where technology infrastructure is shared between the financial reporting systems and the data warehouse applications. Technology infrastructure (operations, security, processes, people) that supports financial reporting systems is subject to SOX compliance requirements.

Risk category: Technology/Reputational Risk

2 Privacy regulations

The Personal Data Privacy & Security Act of 2005 bill states that organizations must “adopt reasonable procedures to ensure the security, privacy and confidentiality of personally identifiable information” and notify relevant governing bodies when security breaches occur. The bill also states that, if there is reason to believe the stolen data can be used for identity theft, then the organization must make public notification. We have seen increased pressure in the marketplace pushing companies toward a better defined and better controlled data privacy control environment. We understand that a significant portion of UNCCG’s revenue comes from check card, credit card and debit card transactions on which some consumer information is collected, processed and may or may not be stored. It is our understanding that payment information is processed externally. In addition, UNCCG’s consumer loyalty program collects and stores consumer private information such as telephone numbers, addresses, names and a history of purchases. Based on those facts, we understand that current and future privacy regulations are a relevant risk to the business at UNCCG that has both a regulatory impact and also a brand impact, given the fact that future privacy breaches will be required to be made public.

Risk category: Operational Risk

3 External Vendor’s access to enterprise data

Based on the information provided by UNCCG during our initial conversations, we understand that credit and debit card payment processing is outsourced with an external vendor.

In addition, UNCCG indicated that it relies on a third-party vendor, located in India, to perform program change and program development functions for the data warehouse (DW) management system. This external vendor has remote access to the UNCCG environment. We understand that, even though UNCCG has outsourced program change and program development functions to a third-party vendor, it is still responsible for ensuring the accuracy, completeness and appropriateness of program changes and developments in the DW environment.

In order to perform their business functions, both of these vendors will have the ability to access sensitive enterprise data, including consumer information. Based on that fact, we consider this a relevant risk to the company’s IT environment.


Risk category: Credit Risk/Technology Risk

4 Unavailability of credit and/or debit card processing application

We understand that a significant portion of UNCCG’s revenue comes from check card, credit card and debit card transactions, which are processed externally (for approval purposes) and stored by one of the company’s mainframe-based systems (for reconciliation and historical purposes). Unavailability of either the external processing vendor or of the mainframe-based system would cause the point-of-sale (POS) systems at the stores to operate in an “offline mode” in which only cash payments would be allowed, until functionality is completely restored. Based on that information, we consider that unavailability of card payment applications is a relevant risk to the business that has a direct impact on the customer’s perception of quality of service and a direct impact on sales.

Communications

Through regular meetings and ongoing communication with management, we will establish a relationship of openness and teamwork through which we can discuss significant audit findings, recommendations for improving internal controls or operations, and current industry issues (or any other issues management wishes to discuss), and ultimately develop solid solutions without surprises. We commit to holding regular meetings with management, both formally and informally, to foster such a relationship.

Management letters and communication are an important element of professional service. It is our policy to discuss our findings and recommendations with the appropriate members of management prior to issuance so that we can verify factual accuracy. Our final report will only include findings and recommendations considered significant. Other matters will be communicated throughout the engagement and during our regular meetings and fieldwork.

Planned schedule

GF Consulting estimates this engagement will require approximately xxxx weeks of effort, and we are prepared to begin fieldwork on a date mutually agreed upon with UNCCG. In addition, we understand the final report for this audit must be completed no later than July 15, 2006.


APPENDIX I – Sample Advanced Data Request

The following information would be helpful in evaluating the existing data warehouse environment to the extent it already exists.

1. Organization Charts
   a. Technology (Development and Operations)
   b. Business

2. Telephone Directory

3. User Documentation
   a. Data warehouse user training guides
   b. Data warehouse user operational manuals

4. Systems documentation
   a. Application architecture (including an explanation of any automated interfaces)
   b. Systems operations overview (platform and network)
   c. Third party vendor agreements

5. Management procedures and policies
   a. Operations Management (system monitoring, maintenance, and/or scheduled support)
   b. Information Security (logical access)
   c. Change Management (change control and configuration management)
   d. Business Continuity Plan(s)
   e. Disaster Recovery Plan(s)
   f. Problem Management


APPENDIX II – Sample Interview request

The following is a list of individuals we anticipate will be requested to participate in a one-hour interview with one of our team members. The schedule will be arranged by our team in observance of UNCCG’s personnel commitments and priorities. Other interviews may be determined necessary as we make progress, and we will make our best efforts to communicate this as soon as possible so they can be scheduled in a non-disruptive manner.

Individual – Role

Jerry Lewis – Chief Information Officer
Brunno Rodriguez – Chief Security Officer
Chris Poknis – Vendor Relationship Manager
Andy Tatum – IT Operations Manager
Andrew Deloach – Database Administrator (DBA)
Chris Maiden – Data Warehouse Lead
Mike Maher – Data Warehouse Service Delivery Manager
Josh Smith – Data Warehouse Architect
Amanda Fernandez – SAP Project Lead
Steve Lucas – Data Warehouse Senior Analyst
