Audit Work Program
Project Team (list members):
Project Timing:
Date
Comments
Planning
Fieldwork
Report Issuance (Local)
Report Issuance (Worldwide)
Audit Objectives
The purpose of this audit work program is to assess, at a high level, and validate key controls in place for Information and Communication. Inadequate or ineffective controls in this area may give rise to financial and operational risks.
Risks addressed in this audit work program include:
Management does not monitor relevant external information and does not consider the impact on the entity.
Entity-wide operating results are not reviewed and compared against budgets at regular intervals.
The adequacy of the information technology structure is not considered by senior management.
Managers and other personnel do not have the required information in sufficient detail to carry out their responsibilities and there are not mechanisms in place to ensure changing needs are met.
Management does not have a strategic plan for IT systems or a plan that is linked to the entity's overall strategies.
Procedures are not in place to provide assurance that relevant information is identified, captured, processed and reported by IT systems in an appropriate and timely fashion.
Management does not adequately staff and design the IT department to support the entity's overall business objectives.
There are not defined responsibilities for individuals responsible for implementing, documenting, testing, and approving changes to computer programs and systems.
There is not a regular back-up of application programs and data files.
The entity does not have a disaster recovery plan in place that allows for the timely recovery of information. The disaster recovery plan is not tested regularly and is not updated as the business changes.
Employee duties and control responsibilities are not communicated in a timely and effective manner.
Communication across the organization is not adequate, complete and timely to enable people to perform their responsibilities effectively.
There is not an established channel of communication for people to report, anonymously when appropriate, suspected improprieties and management does not encourage employees to utilize such channels when necessary.
Reported problems are not investigated in a timely manner and disciplinary actions are not taken when necessary.
There are not realistic mechanisms in place for employees to provide recommendations.
Time
Project Work Step
Initial
Index
I. Audit Procedures
A. Disaster Recovery Plan
1. Obtain a copy of the Disaster Recovery Plan.
2. Verify that testing has occurred in (insert year).
B. Employee Goals
1. Inquire with VP of HR concerning the process for employees to follow for determining Critical Success Factors (CSF).
2. Obtain documentation (i.e. policies, guidelines, or communications from HR) regarding the CSF process.
C. New Employee Orientation
1. Obtain documentation related to the new employee orientation, including agendas, presentations, handouts, etc.
2. Verify that employee duties and control responsibilities are communicated.
D. IT Incident Resolution Policy
1. Obtain a copy of the IT Incident Resolution Policy.
2. Through inspection, verify that the policy defines the procedure to be followed to identify and resolve IT problems as well as the roles and responsibilities of the individuals involved.
C. Budgets and Forecasts
1. Generate a random sample of two months from the period selected for testing, (insert date) to (insert date).
2. Obtain copies of the X Report verifying it was completed for the months selected for testing.
3. Inquire with finance personnel to verify that senior and executive management review the monthly X Report.
D. Incident Hotline
1. Obtain the Company ABC Employee Hotline Policy and Procedures.
2. Inspect the policy and procedures and verify a process exists that facilitates the reporting of Code of Ethics, legal, and regulatory violations by employees.
3. Obtain evidence verifying the distribution of the hotline communications including the fliers to be placed at all locations.
E. IT Policies and Procedures
1. Obtain a copy of the IT Policy.
2. Through inspection, verify that the policy defines procedures for changes to infrastructure and applications, including roles and responsibilities for initiating, executing, and approving changes.
F. Strategy
1. Obtain agendas, meeting minutes, documentation and plans resulting from the (insert year) offsite strategy meeting.
2. Verify that the attendees of the meeting included the top X individuals of the company.
3. Through inspection, verify that the company's performance in relation to the strategic plan as well as strategic developments and their related benefits and risks were discussed.
G. Disciplinary Action (Code of Ethics)
1. Obtain the Code of Ethics policy and verify that it prescribes the disciplinary action to be taken for violations.
H. Open Door Policy
1. Obtain a copy of the Employee Handbook and verify the existence of the open door policy.
G. SOX Certification
1. Obtain copies of the SOX Certifications from each in-scope location.
2. Through inspection, verify that the SOX Certifications have been completed and that they outline controls within the process.
H. Strategic Operational Review
1. Generate a random sample of two quarters from the period selected for testing.
2. Obtain evidence of the X meetings for the quarters selected for testing.
G. Company Newsletter
1. Generate a random sample of two quarters from the period selected for testing.
2. Obtain a copy of the Company ABC Newsletter distributed for the quarters selected for testing.
3. Verify that the Company ABC Newsletter contains a statement from the CEO regarding the company’s activities and outlook and that the Newsletter was distributed.
H. IT Strategy
1. Obtain a copy of the IT strategy and review it for appropriateness.
II. Reporting Procedures
A. Compile results from this process review into a report for management to review.
B. Schedule a meeting with management and appropriate process owners to discuss results.
C. Receive sign-off from management on the report results and document action steps to address process deficiencies.