ASSURANCE AND ADVISORY BUSINESS SERVICES
eRISK SOLUTIONS

IT IAS Teaming/Outsourcing Sales and Methodology Toolkit
Last Updated May, 1999.
FOR INTERNAL USE ONLY. Not for distribution outside of the firm.
Table of Contents
TABLE OF CONTENTS  i-i

IT INTERNAL AUDIT SERVICES—OVERVIEW  1-1
  OVERVIEW  1-1
  PRACTICE MANAGEMENT POLICIES AND PROCEDURES  1-2
  INTEGRATED AUDIT CONSIDERATIONS  1-2
  PROGRAM SPONSORS AND RESOURCES  1-3

IT INTERNAL AUDIT SERVICES—SALES PROCESS  2-1
  OVERVIEW  2-1
    Service Delivery Methodology  2-1
  OUR VALUE PROPOSITION  2-2
  TARGET MARKET FOR IT INTERNAL AUDIT SERVICES  2-3
    Identifying Companies to Target  2-3
    Target Industries  2-4
    Targeting Best Practices  2-4
    Client Targeting  2-5
    Triggering Events  2-6
  MAKING THE SALE  2-7
    Identifying Whom in the Company to Target for IT Teaming Services  2-7
    Buyer Profiles  2-7
    Entry Strategies  2-10
  SERVICE PRICING GUIDELINES  2-10
  IT INTERNAL AUDIT SERVICES SALES PROCESS  2-12
    Overview  2-12
  THE QUALIFYING CALL  2-12
  THE EXPANDED CAPABILITIES CALL  2-15
  THE CO-DEVELOPMENT MEETING  2-16
  OTHER STEPS  2-17
    Specific Projects  2-17
    Proposal  2-17
    Letter of Understanding  2-17
  COMPETITIVE ASSESSMENT  2-17
  FREQUENTLY ASKED QUESTIONS AND COMMON OBJECTIONS  2-19
  SUCCESS STORIES  2-21
    Aon  2-21
    Novell  2-23
IT INTERNAL AUDIT SERVICES—METHODOLOGY  3-1
  OVERVIEW  3-1
  STAGE 1—CO-DEVELOP EXPECTATIONS WITH CLIENT  3-5
    Introduction  3-5
    SUMMARY OF STAGE 1 ACTIVITIES  3-6
    SUMMARY OF STAGE 1 DELIVERABLES  3-6
    STAGE 1 ACTIVITIES  3-6
      Activity 1.1 Understand client’s needs  3-6
      Activity 1.2 Understand client’s business  3-9
      Activity 1.3 Determine scope of the engagement and risk assessment methodology  3-12
      Activity 1.4 Determine deliverables  3-14
      Activity 1.5 Develop fee estimation and define client billing procedures  3-15
  STAGE 2: CONDUCT RISK ASSESSMENT  3-16
    Overview  3-16
    Our Risk Assessment Framework  3-16
    SUMMARY OF STAGE 2 ACTIVITIES  3-17
    SUMMARY OF STAGE 2 DELIVERABLES  3-18
    ACTIVITY 2.1—PLAN THE RISK ASSESSMENT  3-18
      Introduction  3-18
      SUMMARY OF PRINCIPAL WORKSTEPS  3-18
      PRINCIPAL WORKSTEPS  3-18
        2.1.1 Identify and Orient Project Team  3-18
        2.1.2 Identify Key Client Personnel to be Involved/Interviewed  3-20
        2.1.3 Develop Risk Assessment Workplan  3-20
        2.1.4 Determine Timeframe and Budget for Risk Assessment  3-21
    ACTIVITY 2.2—UNDERSTANDING THE ENTITY’S BUSINESS GOALS, STRATEGIES, OBJECTIVES AND CRITICAL SUCCESS FACTORS  3-22
      Introduction  3-22
      SUMMARY OF PRINCIPAL WORKSTEPS  3-22
      PRINCIPAL WORKSTEPS  3-22
        2.2.1 Identify relevant information held by E&Y  3-22
        2.2.2 Confirm and Build Understanding  3-23
    ACTIVITY 2.3—UNDERSTAND THE MEGA & MAJOR BUSINESS PROCESSES AND RELATED IT REQUIREMENTS  3-24
      Introduction  3-24
      SUMMARY OF PRINCIPAL WORKSTEPS  3-24
      PRINCIPAL WORKSTEPS  3-24
        2.3.1 Identify the mega and major business processes  3-24
        2.3.2 Identify the key business processes  3-25
        2.3.3 Understand how IT supports the mega and major business processes and its potential impact on the business  3-25
    ACTIVITY 2.4—IDENTIFY THE IT RESOURCES AND RELATED PROCESSES  3-27
      Introduction  3-27
      SUMMARY OF PRINCIPAL WORKSTEPS  3-27
      PRINCIPAL WORKSTEPS  3-28
        2.4.1 Identify and Document IT Resources  3-28
        2.4.2 IT Processes  3-29
    ACTIVITY 2.5—DOCUMENT RISK ASSESSMENT AND VALIDATE WITH MANAGEMENT  3-31
        2.5.1 Document results/overall risk assessment conclusions  3-31
        2.5.2 Prioritize risk areas  3-31
        2.5.3 Validate with Management  3-31
  STAGE 3—PREPARE ANNUAL IT AUDIT PLAN  3-32
    Introduction  3-32
    SUMMARY OF STAGE 3 ACTIVITIES  3-32
    SUMMARY OF STAGE 3 DELIVERABLES  3-32
    STAGE 3 ACTIVITIES  3-33
      Activity 3.1 Understand Management’s Expectations Regarding Risk Coverage  3-33
      Activity 3.2 Prioritize Audits  3-34
      Activity 3.3 Understand Engagement Economics  3-35
      Activity 3.4 Agree Audit Plan  3-35
  STAGE 4—EXECUTE AUDIT PLAN  3-36
    Introduction  3-36
    SUMMARY OF STAGE 4 ACTIVITIES  3-36
    SUMMARY OF STAGE 4 DELIVERABLES  3-36
    STAGE 4 ACTIVITIES  3-37
      Activity 4.1 Scope the IT audit project  3-37
      Activity 4.2 Understand the IT audit areas  3-39
      Activity 4.3 Identify and Assess Risk  3-40
      Activity 4.4 Control Identification and Evaluation  3-41
      Activity 4.5 Design Testing Strategy and Perform Tests  3-43
      Activity 4.6 Conclude and Report  3-46
  STAGE 5: COMMUNICATE RESULTS  3-48
    Introduction  3-48
    SUMMARY OF STAGE 5 WORK ACTIVITIES  3-48
    STAGE 5 ACTIVITIES  3-48
      Activity 5.1 Understand Communication Protocols  3-48
      Activity 5.2 Prepare for Executive Management/Audit Committee Meetings  3-49
      Activity 5.3 Communicate Results  3-49
      Activity 5.4 Complete the Relevant Quality Control Procedures  3-50
      Activity 5.5 Complete Billing Procedures  3-50

APPENDIX A  A-1
APPENDIX B  B-1
APPENDIX C  C-1
APPENDIX D  D-1
APPENDIX E  E-1
APPENDIX F  F-1
APPENDIX G  G-1
Confidential—All materials in this document are not to be distributed outside of Ernst & Young LLP without written approval.
©1999 Ernst & Young LLP All rights reserved. Ernst & Young is a registered trademark.
IT Internal Audit Services—Overview
Overview

The primary purpose of this sales and methodology toolkit is to describe a consistent framework of procedures that we use to sell and deliver a business process focused approach to providing IT internal audit services. It is designed to provide a consistent value proposition and facilitate the effective and efficient delivery of high quality IT internal audit services to clients throughout the world. This toolkit contains two major components: the Sales Process and the Service Delivery Methodology. The sales process contains key sales components related to the IT Internal Audit Services market, company targets, key individuals within the company to target, value propositions, critical success factors, key selling points related to our methodology, and single frames. Our Service Delivery Methodology contains five major stages, which include:

• Co-develop the client’s expectations regarding our relationship. We also begin to understand the client’s business, goals, objectives and strategies, as well as their objectives for the IT internal audit function (Stage 1).
• Conduct risk assessment by assisting client management responsible for the IT internal audit function in developing a risk assessment with respect to the company’s processes and auditable units (e.g. location, division, etc.—Stage 2).
• Prepare the annual IT audit plan, which is approved by client management responsible for the internal audit function, executive management and the Audit Committee (Stage 3).
• Execute the audit plan, as agreed with client management responsible for the IT internal audit function. We focus on evaluating the effectiveness of controls established by management to ensure that the selected processes achieve their financial reporting, operating and compliance objectives (Stage 4).
• Communicate the results of our work to client management responsible for the internal audit function, executive management and the Audit Committee (Stage 5).
The stages of our service delivery methodology are the logical framework that we, or our clients, would perform to deliver any IT Internal Audit Services. However, the nature of the engagement determines the extent to which the individual activities and worksteps are implemented. The scope of our IT internal audit services engagements may vary, from limited engagements to perform a single IT internal audit project on a teaming basis, to more comprehensive IT internal audit outsourcing engagements. Because of the variety in IT internal audit engagements, the procedures described in this document are not intended to be a “one-size-fits-all”, prescriptive methodology. These procedures are most applicable to our on-going teaming and outsourcing engagements. However, our overall methodology framework, as outlined in this toolkit, should be followed on a go-forward basis. Maintaining a common language and process will drive consistency, productivity, and an improved knowledge management structure. In situations where we perform smaller engagements, our teams should still consider the value of completing each stage and activity, even if abbreviated, to ensure high quality and high value to our client.
Practice Management Policies and Procedures

While we have a certain amount of flexibility in determining the specific procedures we perform during an IT internal audit services engagement, we must adhere to certain professional and firm standards when providing IT internal audit services. The ISAAS Policies and Procedures Workbench and the Internal Audit Services—Policies and Procedures Manual describe our practice management policies and procedures for providing IT internal audit services. The policies and procedures describe, among other things, our policies for:

• Client and engagement acceptance and engagement letters (Letters of Understanding),
• Independence matters,
• Working papers and our documentation requirements,
• Responsibilities for review of IT internal audit working papers,
• Communicating the results of our work and providing for appropriate follow-up, and
• Responsibilities for reviewing IT internal audit reports prior to issuance.
Integrated Audit Considerations

Many of our IT internal audit outsourcing and IAS engagements are part of an “Integrated Audit”. In an integrated audit, our internal audit procedures are an extension of our external audit arrangement. Therefore, portions of the IT internal audit work may be performed for, and relied on by, those performing the external audit. In these situations we, as well as our clients, derive benefits from coordinating our internal and external audit efforts. When we are performing integrated audits, we discuss internal audit and external audit integration requirements with the coordinating partner and other engagement team members, as appropriate, in Stage 1—Co-Develop Expectations. We also refer to applicable portions of the Ernst & Young LLP Audit Process (Audit Process) for additional guidance. See Appendix B-1 for more detailed information on the applicable portions of the Audit Process.
Program Sponsors and Resources
For additional information regarding this service, please contact:

ISAAS Sales
• Jamie Ross (ISAAS Program Coordinator), Phone (216) 861-2297, EY COM 3297677, Cleveland
• Scott L. Miller (ISAAS MSE), Phone (216) 583-4915, EY COM 2576455, Cleveland

IAS Sales
• Tom Sliwinski (IAS Sales), Phone (216) 583-3865, EY COMM 2887549, Cleveland

ISAAS Methodology
• Jamie Ross (ISAAS Program Coordinator), Phone (216) 861-2297, EY COM 3297677, Cleveland
• Jerry DeVault (National Director of ISAAS Assurance Services and Program Sponsor), Phone (216) 861-2214, EY COM 3953308, Cleveland

IAS Methodology
• Sam Johnson (IAS Operations), Phone (216) 737-1680, EY COMM 2575648, Cleveland
IT Internal Audit Services— Sales Process
Overview
The internal audit environment, especially IT internal audit, is changing. In addition to traditional attest and compliance functions, internal audit departments are being challenged to provide more value to the business. Management is demanding an audit function that reduces risk, creates cost efficiencies, and continually delivers increased value to the company’s stakeholders. A world class audit function is being recognized as a valuable and strategic corporate asset. However, the investments required to build and maintain an effective audit function are growing exponentially, especially in the areas of technology, knowledge, and people. At the same time, domestic and international growth, mergers and acquisitions, increasingly complicated transactions, and significant information technology changes have created more complex companies with different, and in many cases, higher risk profiles than in the past. Internal audit departments have difficulty keeping pace with these developments because of staffing and budget constraints. Insight from the internal audit marketplace indicates that most companies have not invested in the required IT audit human resources and other critical investments (e.g., knowledge, technology, training, etc.) to adequately cover their key business and information risks. These companies are also finding it difficult to invest in subject matter expertise, audit methodologies, technology, tools and training to cover the organization’s risk areas. Our E&Y IT Internal Audit Services (IT IAS) are designed to either partially team or fully outsource a company’s IT internal audit function by providing:
• More effective and efficient IT risk assessment and / or
• Supplemental IT internal audit testing related to significant information systems risks not currently being covered.
We can go to market with E&Y Internal Audit Services (IAS) or work the client direct channel (e.g., Director of Internal Audit).

Service Delivery Methodology
Our basic methodology involves a five step process. A high-level overview of this methodology follows. Additional detail is available in Section 3—Service Delivery Methodology.
• Co-develop Expectations With Client: We listen and learn about our client’s business goals, objectives and strategy. This critical step helps us to understand the business and ensure we apply our resources in the right areas. Also, we co-develop expectations with the client to serve as the foundation for our working relationship.
• Conduct Risk Assessment: Our business process oriented IT risk assessment begins with understanding the key business processes and how IT resources (i.e., applications, operating systems, hardware, data, people and facilities) and processes support and enable the business.
• Prepare Annual IT Audit Plan: The plan is responsive to the risk assessment and business needs, and is prepared for approval by client management responsible for the internal audit function, executive management and the audit committee.
• Execute Audit Plan: We focus on evaluating the effectiveness of controls established by management to ensure that the selected processes achieve their financial reporting, operating and compliance objectives. In addition, we make recommendations for improvement based on what we learned.
• Communicate Results: We communicate the results of our work to client management responsible for the internal audit function, executive management and the audit committee.
Our Value Proposition
As previously noted, expectations of internal audit functions are changing. Enterprise and IT management expect internal audit functions to provide more consultative, or “value-added”, recommendations while also expanding their risk coverage, particularly in IT related issues, where even IT management has difficulty keeping up with the pace of technology. Such dramatic changes in the internal audit function’s charter and culture require significant investments in people, knowledge, technology and methodologies. However, internal audit is also expected to make these transformations while maintaining, or even reducing, costs.

Most companies are finding it extremely difficult to meet these challenges. For example, the task of finding and keeping the appropriate resources is, itself, exhausting. Experienced and qualified IT auditors are extremely difficult, and expensive, to recruit and retain. In addition, most companies operate on multiple platforms, applications, locations, etc. Most IT internal functions cannot afford to recruit the number of individuals necessary to adequately evaluate risk. Beyond recruiting resources, many organizations do not have the resources to invest in knowledge, technology and methodologies or the infrastructure to support or maintain them.

Our IT Internal Audit Services are designed to assist our clients in better aligning their IT internal audit coverage with their key business risks. Through our investments in people, knowledge, technology and methodologies, we can assist our clients in accelerating to world-class expectations. Specifically, we can provide them:
• More business insight from the IT perspective—we leverage the knowledge and experience of thousands of global IT risk professionals to provide our clients with strategic and operationally focused recommendations in the areas of IT risk management and technology enablement. We help accelerate a comprehensive improvement agenda which cuts the time from assessment to solution dramatically.
• More comprehensive risk coverage—our business process oriented IT Risk Assessment focuses our technology specialists on the areas most important to your business. We team with the client to develop a risk approach for the key IT areas and assign professionals with appropriate industry experience and deep technology skills to create an innovative assessment and testing solution.
• Operate more efficiently—using our people, state-of-the-art tools, technology, and knowledge resources, your IT risks are assessed, tested and communicated to management in a timely and comprehensive manner. Together with the client, we focus on the process of designing an efficient and effective world-class internal audit function, while meeting management’s growing expectations.
Target Market for IT Internal Audit Services
The primary goal for our IT Internal Audit Service offering is to grow to $40 million in revenue by the year 2002. Much of this revenue is expected to be recurring. This includes both engagements where we team with IAS and engagements where we provide IT internal audit services independent of an IAS relationship. Our focus is on targeting relatively large internal audit functions that are struggling to build world-class IT audit capabilities. A critical success factor is being able to clearly articulate current gaps in IT risk coverage and to effectively position E&Y to assist our clients with improvement opportunities.

Identifying Companies to Target
Because larger engagements tend to be more profitable and we want to focus our investment in the sales process, we concentrate on targets where we think that there is potential for significant fees on an annual basis (i.e., at least $250,000 per year). Factors to consider when identifying IT IAS targets include:
• Annual Revenues - although companies have different requirements for an internal audit function based on size, industry and regulatory requirements, experience shows that companies start building internal audit functions when they reach $250 - $500 million in revenue. Therefore, in order to focus on larger opportunities, a guideline for potential targets would start at $1 billion in annual revenues.
• History of Outsourcing - some companies have a history, or pre-disposition, to outsourcing non-core competencies to third parties, while other companies are extremely opposed to outsourcing any services. In order to optimize our sales efforts, we want to focus on companies that are open to teaming opportunities and avoid targets that we know are opposed to using outside assistance.
• Recruiting Difficulties - while many companies recognize the value of an IT audit function, or are striving to build a “world-class” audit function, they experience significant difficulty with recruiting IT internal audit candidates. This may be related to their industry, geographic location or strategic vision for internal audit.
Target Industries
Initial considerations for the primary industries to target should include:
• An industry that is designated a national priority industry group - the best target industries include:
− Consumer Products
− Telecommunications, computers and electronics
− Energy
− Financial services
− Insurance
− Healthcare
• Whether business process models have been developed by the National Assurance Support Center and our firmwide practice has industry SMEs,
• Industries that have typically made investments in internal audit departments. FSI and Insurance have historically made the largest investments in internal audit functions. However, these two industries also present the most significant independence and regulatory challenges.
Targeting Best Practices
Many areas conduct periodic (e.g., weekly) meetings to review ISAAS and IAS pursuits and share information. The topics for discussion may include:
• Brainstorming on pursuit strategy to determine how to best position E&Y to win
• Review of IT needs on current pursuits
• Re-evaluating lost pursuits to discover themes for the future
• Re-examining stalled or lost IAS pursuits to determine if there is an opportunity for IT audit services
• Replicating winning strategies from other areas
We should be proactively working with IAS to manage our pipeline together. The IAS client pursuit list can be found in the AABS IAS V6 PowerPack on the KnowledgeWeb. See below:

Internal Audit Services PowerPack
Document Title: United States IAS Client List & Engagement Information
Author/Contact Person: Barbara R. Bandera
Source: National Internal Audit Services
Date Published: May 1999
Keywords: Client References, Engagement Information, Fortune 500
Originating Country: United States
File Attachment: IAS clients May99 with Fortune.xls
Client Targeting
We have segmented the target market into components: AABS audit clients and non-audit clients versus IAS targets and non-IAS targets.

AABS Audit Client
• High-potential IAS Target: Top priority - “Hot” opportunity; leverage IAS and AABS knowledge and relationships
• Low-potential IAS Target / ISAAS-only Target: “Warm” opportunity for ISAAS; leverage AABS relationships

Non-AABS Audit Client
• High-potential IAS Target: “Warm” opportunity; leverage IAS knowledge and relationships
• Low-potential IAS Target / ISAAS-only Target: “Cold” opportunities; START initiatives
AUDIT CLIENT BASE
Because we already have key relationships established with these clients, these clients should be our initial targets. The audit client base spends an estimated $3 billion annually on their internal audit functions (IT, financial and compliance). We should focus on clients who are trying to build their IT internal audit capabilities, or clients that view IT internal audit as strategic to their organizations. Our experience indicates we have a higher success rate with current AABS clients. Targeting our own AABS clients also helps to alleviate the potential threat of our competitors gaining a strategic foothold into our client base through the internal audit department.
NON-AUDIT CLIENT TARGETS
Ernst & Young may be at a disadvantage with non-clients because of the incumbent auditor. However, some client boards are not willing to outsource or team with the independent auditor. Therefore, it is important to understand the competitive situation prior to spending a significant amount of time or resources on non-clients. Our non-audit client targets should be large, strategic targets or companies that have an interest in significant outsourcing or teaming for IT internal audit services. Again, where our IAS practice already has a relationship with a target, work closely with them to ensure that we are capitalizing on already existing relationships and that we are coordinating our development efforts. In addition, our competitive position should be considered. Refer to the competitive assessment section for additional information.
IAS TARGETS
In many cases, our IAS practice may already be in discussions regarding a teaming or outsourcing opportunity with a target. Where the IAS practice has built a relationship, we should work closely with them to ensure that we are capitalizing on the relationship and that we are coordinating our business development efforts. Your area should closely link with IAS. Our experience indicates we have the most success when we work together with IAS.

NON-IAS TARGETS
There are opportunities in this segment, but these opportunities will be for teaming on IT IAS only.
Triggering Events
In addition to targeting specific companies and industries, we also target based on key triggering events. The following table highlights some common triggering events that may be used to generate leads:

Triggering Event: Turnover among key members of the buying group (e.g., CFO, Director of Internal Audit)
What To Look For:
• Willingness to take a non-traditional approach
• Interest in changing the status-quo
Questions:
• Are you satisfied with internal audit’s performance and capabilities related to IT risks?
• Do you have a solid understanding about your audit function’s IT capabilities?

Triggering Event: New Technologies - the implementation of new technologies such as ERP applications, electronic commerce, and enterprise systems management solutions
What To Look For:
• Difficulty addressing new technology risks. (Even world-class internal audit functions have difficulty developing the skill sets and tools necessary to address them adequately.)
Questions:
• How are you considering the risks and designing the controls associated with new ERP, eC or ESM investments?

Triggering Event: Significant Business Changes - some companies may have difficulty covering risk where there have been significant changes in the business, such as: acquisitions, global expansion, new business segments, consolidations, etc.
What To Look For:
• IT internal audit functions may have difficulty keeping pace with the risks associated with the major business changes.
Questions:
• How is the internal audit function responding to (or are there any pending) recent changes in your business?
Making The Sale

Identifying Whom in the Company to Target for IT Teaming Services
In general, we target the Director of Internal Audit or the executive to whom the IT internal audit function reports. Where we are pursuing IAS opportunities, we should also target the CFO or the executive to whom the internal audit function reports. If we are teaming with IAS and have a relationship with the internal audit director, we should proactively communicate with the internal audit director in order to maintain our IT Teaming opportunities if IAS outsourcing is not elected.

Buyer Profiles
We often need to “sell” to several different stakeholders in order to successfully secure an IT audit services win. The significant stakeholders in an IT internal audit pursuit are typically:
• Director of Internal Audit
• CFO
• Audit Committee
• CIO
Each one of these stakeholders should be viewed as potentially requiring a separate process that requires the full attention and focus of the pursuit team. Each buyer may view the benefits of IT audit teaming from a different perspective. As a result, we may need to position our value proposition differently depending on the audience.
DIRECTOR OF INTERNAL AUDIT
Position Analysis:
• Interested in understanding the potential positive and negative implications on their department
• Wants to know exactly what value E&Y will bring to a team effort and how this will make the internal audit function world-class
• Depending on the situation, the Director of Internal Audit may feel threatened. For example, they may feel the prospect of supplementing or outsourcing the IT audit function is an indicator they are not performing well. It is critical to assess this issue quickly and develop our sales strategy accordingly.
− If the DIA is a progressive thinker, understands the need to team to take the company’s internal audit to the next level, and is striving to make continuous improvement in the company’s internal audit function, then the DIA will play a key role in the sales process. In this situation, the pursuit would initially focus on the DIA and progress to the CFO with the DIA playing the role of advocate and coach.
− If the DIA is supported by company management but is a fairly traditional thinker and is resistant to the concept of Ernst & Young teaming/outsourcing, then the DIA should be included in the sales process but should not be the initial focus of the pursuit. In this case, the pursuit would focus on the CFO and progress to the DIA with the CFO playing the role of advocate and coach.
− If the internal audit function is considered by company management to be sub-par and in need of improvement and the DIA is part of the problem, then the DIA should not be included in the sales process. The pursuit would focus on the CFO or others as the key buyer.
Sales Profile:
• Buyer - The director of internal audit is usually the buyer of incremental internal audit investments. May have the budget to buy without approval; however, usually requires approval from the CFO.
• Sponsor - if progressive, often sponsors IT IAS services
• Likely to be an active member in the decision process
CHIEF FINANCIAL OFFICER
Position Analysis:
• Wants to be comfortable with the investment and will expect a financial analysis to justify the decision
• Wants to understand what additional value our services will deliver
• Coordination with business strategy is a priority - Wants to know how internal audit capabilities fit into the execution of the business strategy.
• Has access to funding and the authority to spend the funding
Sales Profile:
• Approver or Buyer - the person usually making the ultimate buy decision
• May be sponsor if the Director of Internal Audit is not progressive
• Likely to be an active member in the decision process
It is also useful to understand what the CFO’s top IT concerns are. A summary of top CFO IT concerns is presented below:

CFO’s Top IT Management Issues
• Prioritizing technology investments
• Establishing and maintaining an effective dialog between IS and users
• Ensuring year 2000 systems compliance
• Identifying the appropriate level of technology investment
• Upgrading/replacing legacy systems
• Identifying how IT can improve or influence business processes
• Maintaining effective, productive relationships with the IS function
• Using technology to drive business change
• Determining when and how to adopt emerging technologies
• Educating top management on the value of technology
• Evaluating/measuring the return on technology investments
Source: “IT and the Bottom Line,” CIO Magazine, June 15, 1998
AUDIT COMMITTEE
Position Analysis:
• In general, we have less frequent opportunity to interact with audit committee members. When we do, it’s important to recognize their interests lie in three fundamental areas:
− Assessing the processes related to the company’s risks and control environment
− Overseeing financial reporting
− Evaluating the internal and external audit processes
• Any contact with the audit committee should focus on addressing one of the three areas above. IT internal audit services can address all three and should be discussed within this context.
Sales Profile:
• Approver - based on the recommendation of the CFO and/or DIA.
• Not likely to be active members of the decision process.
CHIEF INFORMATION OFFICER
Position Analysis:
• This may be our most difficult buyer. CIOs may not be as interested in internal audit capabilities.
• The CIO may not want to be “audited.”
• They have access to funding
Sales Profile:
• Influencer - Should not be left out of the process because they can influence the outcome
• Co-developer - they will often need to be active in developing our IT risk assessment plans and providing access to resources to carry out these plans.
Entry Strategies
Once we identify the key buyer(s), our entry strategy may vary, as discussed below.

When: AABS Client (or CS, Tax) (“Hot” Opportunity)
Initial Contact: Director of IA or CFO via ISAAS and/or Engagement Partner to Client
E&Y Resource: ISAAS SE; AABS Partner; Area AS Leader; Area IT Internal Audit Champion
Emphasize: Relationship; Quality of work; IT internal audit teaming value proposition; Our investments in IT internal audit people, technology, methodology and knowledge

When: Non-client IAS Target (“Warm” Opportunity)
Initial Contact: Leverage IAS knowledge and relationship
E&Y Resource: ISAAS SE; IAS Pursuit Partner; Area AS Leader; Area IT Internal Audit Champion
Emphasize: IT internal audit teaming value proposition; Our investments in IT internal audit people, technology, methodology and knowledge

When: No prior relationship (“Cold” Opportunity)
Initial Contact: START Center
E&Y Resource: ISAAS SE; Area AS Leader; Area IT Internal Audit Champion
Emphasize: IT internal audit teaming value proposition; Our investments in IT internal audit people, technology, methodology and knowledge
Service Pricing Guidelines
Fees for our IT internal audit teaming service will vary based on several variables:
• Relative complexity of environment
• Skill of client employees
• Number of client locations
• Number of business processes
• In cases where we are part of a larger IAS engagement, the mix of IT to traditional audit should be considered
• Other factors
An objective of our sales program is to establish IT internal audit teaming as a complementary offering to IAS offerings and as a stand-alone service offering, not as a loss-leader or an “add-on service” to be discounted to our clients. We believe the market for these services is very large and there is great demand for those capable of delivering the highest quality service. Our typical fees are outlined below:
Risk Assessment: Fee Range $50,000 - $250,000; Typical Fee $100,000
Execute Audit Plan: Fee Range $100,000 - $2,000,000; Typical Fee $300,000
These fees are based on our experience to date and vary widely within this range. Our goal is to build these engagements into larger, profitable annuity projects. Because we are able to leverage the skill sets and resources that our clients cannot, or do not, want to invest in, we should be basing our fees on the value we deliver, not on the number of hours or rate per hour. Therefore, when proposing fees, we should avoid quoting or committing to a certain number of hours for a fixed fee. Best practice is to quote a fixed fee for a level of risk coverage or a percentage of standard based on the actual effort to complete the co-development audit plan. Generally, our target realization should be 70%. This realization, combined with our standard rates results in a business that is very profitable. Recent wins and current pursuits confirm this strategy.
IT Internal Audit Services Sales Process Overview
The sales process is a multi-step methodology that begins with a brief qualifying call and ends with a letter of understanding. The steps in between may vary from client to client, but typically include an expanded meeting on Ernst & Young’s IT internal audit and IAS capabilities and either a co-development session, or a discussion regarding a specific project. Detailed goals for each of these meetings along with a description of tools available to support these meetings are described in the section below.

[Figure: IT Internal Audit Services Sales Process. Stages shown: Qualifying Call, Expanded Capabilities Call, Co-Develop Vision & Needs, Specific Projects, Proposal (If Necessary), L.O.U.]
The Qualifying Call
Goals/Objective of Meeting–There are three main goals for this meeting:
• Qualify: Qualify the lead by answering several questions:
− Does the client opportunity warrant the effort of a pursuit?
− What is the potential for success?
− Is the client contact the appropriate buyer?
− Are they adequately addressing IT risks?
− Do they view internal audit as a strategic function?
− Have they worked with consultants, third parties, outsourcers in the past?
− What is internal audit’s mission (e.g., compliance/value add/leadership development focus)?
• Credentialize: Demonstrate some of our potential value to familiarize the prospect with our capabilities.
• Next Step Commitment: Get another meeting to discuss our capabilities in detail or start with a co-development session. The next step will often involve additional people from the client and E&Y. Determine the appropriate attendees, content to cover and aggressively set a date for the meeting.
The initial call is typically no longer than 30-60 minutes, but will vary depending on the relationship with the target. For example, for an AABS client we might have a longer meeting which combines elements of the extended capabilities call or a co-development session. We do not share all our information with the client at this initial meeting–or we won’t have a legitimate reason to follow up. Remember, the goals are to qualify, credentialize and determine next steps. We will typically not close on the first call.
Pre-Meeting Preparation: You will want to perform research on the company and industry prior to making contact. You should use, at minimum, the resources of the ASC and the CBK and contact the appropriate coordinating or client partner. Other resources include the target’s annual report, website, D&B reports, etc.
Agenda/Structure: There are three major segments to cover:
− Introduction and qualifying
− Credentialize - Briefly review E&Y capabilities
− Determine next steps
Introduction and Qualifying
“Script” and probing questions (customize and use as appropriate):
• We appreciate the opportunity to share our investments and capabilities in IT internal auditing, but before we get into that would you spend a few moments to.....
− .....give me an understanding of the current internal audit capabilities - number of staff and key skills
− .....give me a quick overview of your IT internal audit function today - capabilities and skill sets.
• Current organizational changes - How have industry / company changes affected / impacted your department - what challenges have they presented? (Need to have done research to demonstrate that you have a high level understanding and insight of the company and its industry.)
• Is the company implementing any new technologies? (e.g., eC, ERP, ESM) How are you addressing the associated risk? What have been your challenges?
• What is internal audit’s charter? What does management expect of you? What is the focus / priorities of internal audit? (compliance, value, leadership development)
• How are you performing against your charter? How do you measure success? What are your most significant challenges?
• How do you currently assess your business risks? How do you determine and assess IT risks as they relate to your business? What is your current risk assessment framework? How do you prioritize your areas for review?
• What are your priorities and projects for this year? Are you going to achieve your targets?
Credentialize–Brief review of E&Y capabilities.
• Use a maximum of 5-7 slides.
• The goal of the IT Internal Audit Services presentation is to create a dialogue between Ernst & Young and the potential project sponsor to solicit and identify needs and issues. We intend this discussion to provide the client with an opportunity to discuss some of the issues and concerns they have with how their IT internal auditors are assessing risks for the business.
• An example of Qualifying Call singleframes is included in the appendix. We should not expect the client to be able to understand the single frames without our talking points. We should use the singleframes as discussion guides. We should walk the client through the ideas that are illustrated in the single frames to solicit their feedback and hear them talk about their concerns. Our ability to listen and learn the organization’s needs will enhance our ability to deliver on expectations.
− Use the “Expectations are Changing” slide, which can be customized for their business environment
− Challenges & Investments - customize for IT internal audit
− Qualifications slide - key points to sell about E&Y IT internal audit services
− Client list
− Service & Support Capabilities
− Global Capabilities

Determine Next Steps
• Assess interest - “We have had a chance to discuss some of your needs and our capabilities. Based on this information, would you be interested in continuing these discussions? Perhaps with a larger audience?”
• Determine the next logical step. Our goal is a co-development session. “What we have found to work well is to have the key stakeholders participate in co-development of the solution.” This typically includes the Director of Internal Audit, CFO, CIO (potentially), key existing IT internal audit managers (for teaming scenarios).
• Alternatively, we can suggest the “Expanded Capabilities Call” (see below) if they want more information.
• Discuss the possibility of a “test drive” or SMEs for specific projects highlighted by the client.
The Expanded Capabilities Call
Goals/Objective of Meeting: Our goal is to demonstrate our skill sets and value propositions and to get agreement to move on to next steps: co-development session or special project assistance.
Pre-Meeting Preparation: Based on what you have learned from the Qualifying Call, structure a meeting to address the client’s primary concerns and interests. You will want to customize the singleframe presentation and talking points to highlight client issues.
Agenda / Structure:
Script
• Recap information from previous discussion, what we learned about client needs / concerns from the previous meeting, updating new players in meeting on previous meeting: “This is what we heard, is that valid? Have we missed anything? This is what we are going to cover. Does this meet your expectation for this meeting?” (Note: This is not a co-development session - this is setting the stage for why we are having the expanded capabilities call.) This should be only confirming the expectations we developed with the meeting sponsor beforehand.
• Go through the Agenda for the meeting.
• Include key slides from the 30 minute qualifying call to bring any additional participants to a common level of understanding.
• An example of The Expanded Capabilities Call along with talking points is included in the appendix.
• Use the “Barrier” slide as lead in, but customize for client specific issues and terminology. You may consider using “the gap slide” to summarize our investments; however, you need to make “the barrier” and “the gap” slides consistent.
• Stress our flexible approach to developing solutions.
• Highlight IT risk assessment approach, people, tools, methodologies, knowledge.
Determine Next Steps
• Assess interest - “We have had a chance to discuss some of your needs, our capabilities and solutions. Based on this information, would you be interested in moving closer to a solution? Who should be involved in these decisions?”
• Determine the next logical step. The goal is a co-development session. “What we have found to work well is to have the key stakeholders participate in the co-development of the solution - Director of Internal Audit, CFO, CIO (potentially), key IT internal audit managers (for teaming scenarios).”
2-15
Sales Process
The Co-Development Meeting
Goals/Objective of Meeting: The goal is to discover and define client expectations for a relationship and to align E&Y service delivery with these client needs. When you get to this step in the sales process, you will have a well qualified prospect that is far along the sales cycle. This step in the sales methodology actually “overlaps” with the service delivery process. When conducting a co-development session, you are actually starting the first step of service delivery and providing value to the client.
Pre-Meeting Preparation: A productive co-development session requires a half day and involves several “hard to reach” client personnel including the Director of Internal Audit, CFO, CIO and other key client members. Because of the time commitment on the part of the client, a commitment to hold the session should be viewed as a serious buying signal.
Prepare for the co-development meeting as though this is the beginning of our engagement. E&Y attendees should include the coordinating partner, the relationship manager, the sales executive and other key members of the pursuit team/future engagement team.
Rules of Thumb for Co-Development
• Not a presentation
• Share rather than tell
• Demonstrate teamwork
• Never contradict each other
• Let the client talk
• Arrive on time and stay until the end
• Do not appear to “check-out” after your component is complete
• Be careful of references
• Challenge, do not confront
• Have fun
For additional information on client co-development sessions, refer to the IT IAS Delivery Methodology section of this document.
Agenda/Structure
The basic agenda for the meeting is as follows:
• Co-develop relationship objectives
• Establish relationship protocols
• Understand business goals and objectives
• Understand business strategies and risks
• Develop action plan
Presentation and Talking Points
The singleframes presentation for this is included in the appendix.
Determine Next Steps:
• Trial Close - “We want to team with you to become your IT internal audit provider. Based on the co-development action plan, are you interested in having us submit a letter of understanding (or a proposal) for you to consider?”
• Our goal is NO PROPOSAL. If the client is not ready for a letter of understanding, set minimum expectations for a proposal document. Determine the next logical step - Proposal and / or LOU.
Other Steps
Specific Projects
During our discussions, it may become apparent that the client is not interested in a large teaming engagement or outsourcing their IT internal audit function. However, they may want help from Ernst & Young with a specific project. In these instances, we should respond appropriately with a targeted LOU or proposal for the work. These proposals should be treated seriously - they may be a “trial run” to consider Ernst & Young for later work.
Proposal
An example Proposal is included in the appendix.
Letter of Understanding
An example LOU is included in the appendix.
Competitive Assessment
Ernst & Young:
• World-class people, methodology, knowledge management, technology and tools
• Fastest growing internal audit practice
• Leadership - emerging as the leader in internal audit services
PriceWaterhouseCoopers:
• Has become our strongest IT internal audit competitor to date
• Much of their technology investments have come from Coopers & Lybrand
• Broad cross-selling with IAS equivalent
• Global capabilities with a strong FSI practice
• Focus is on large, blue-chip, global clients
• Portray Ernst & Young as a “loose confederation of franchisees” rather than global
• Willing to price aggressively for strategic targets
• Solid Growth
Arthur Andersen:
• Solid competitor - Initial market “pioneer”
• Initial approach to outsourcing was not favorable to Internal Audit Director
• Focus on both teaming and outsourcing
• Integrated risk management framework
• Global Best Practices Database
• Highly leveraged staffing model
• Aggressive pricing in competitive situations
• Strong market recognition
• Solid Growth
Deloitte & Touche:
• Co-sourcing focus for overall internal audit - has been a losing strategy.
• D&T is shifting to outsourcing
• Strong Director of Internal Audit relationships because of co-sourcing strategy
• Strong Retail industry practice
• Low Growth
KPMG:
• Insignificant competitor - little strategic direction
• Still in start-up mode
• Few competitive advantages - they compete primarily on relationships
• Defensive position, only compete on their clients
Frequently Asked Questions and Common Objections
What about your Independence?
Independence is an issue for both internal and external auditors. In our teaming approach, management and the Director of Internal Audit remain responsible for approving the risk assessment, audit plan, and internal audit program. We help execute the risk assessment and audit plan. This separation ensures that independence is preserved. It is not uncommon for a company’s external auditor to also assist in the execution of internal audit procedures. Ernst & Young assists many clients, including publicly traded companies, in this area. In fact, approximately 70% of companies who have fully outsourced their internal audit function or are teaming have done so with their external auditor. Acknowledging this trend and the SEC’s interest in this area, the AICPA issued an ethics interpretation in May 1996 specifying that these services can be performed by a company’s external auditor without impairing independence. We adhere strictly to AICPA rules governing external auditor independence which state that: “The performance of extended audit services which include assistance in the performance of the client’s internal audit activities would not be considered to impair independence with respect to a client for which the member also performs a service requiring independence, so long as the member or his or her firm does not appear to act in a capacity equivalent to a member of client management or as an employee.”
The key requirements of these rules include:
• The Company must designate an individual to be responsible for performing management functions (e.g., approving the audit scope, evaluating the audit results, etc.).
• The Company must maintain the internal control structure.
• The Company must approve the internal audit program and related risk analysis.
• The Company must evaluate the results of internal audit activities.
To maintain independence, the Ernst & Young internal audit staff will report directly to the Director of Internal Audit. As a result, any issues that arise as a result of our audit procedures will be directed to the Director of Internal Audit for follow-up and disposition. In some cases, a client may be concerned that E&Y internal audit staff will share findings with E&Y external auditors before management has a chance to address them. An appropriate solution is to set up a robust process that ensures the potential issues affecting our external audit are discussed with management before being communicated to the external audit team (e.g., “a Firewall”).
We use Internal Audit as a Training Ground for Leadership. How does that Impact that Mission?
The experience that internal audit provides is invaluable as a skill to help build a solid understanding of business. In some pursuit situations, the client may use the internal audit function as a training ground for future company leaders. This kind of client is not likely to outsource their entire internal audit function.
To overcome this objection, do not push for “full-outsourcing” of the internal audit function. Rather, we should stress two important client benefits of working with Ernst & Young:
• Teaming opportunities - This is an excellent chance to stress the benefits of a teaming arrangement. By working with Ernst & Young, the future leaders can help analyze and understand the client’s strengths and weaknesses and team with us to address these weaknesses. This has the effect of making their internal audit an even stronger “grooming ground” for the client’s high potential managers.
• Knowledge Transfer - We will transfer our knowledge to the client through hands-on work with our people, methodologies, technology and tools. This also has the effect of making their internal audit a stronger function and their future leaders more valuable.
You don’t Understand Our Business in Enough Detail
In some pursuits, the client will be concerned that Ernst & Young does not have a sufficiently detailed understanding of their business. We have several responses to this objection including:
• ASC - The Ernst & Young Assurance Support Center generates in-depth client and industry research. Comprised of more than 50 partners and senior managers who are thought leaders in their particular industries, the ASC works closely with audit teams in the field to build and deploy industry knowledge, business process risk models and benchmarking data along with leading-practice IT internal audit approaches and techniques. Over 50 industry segments are supported by the ASC.
• Process Models - Ernst & Young has developed process models for most major industry segments. The leading-practice knowledge and understanding incorporated in these models may help provide value to the company by uncovering opportunities for improvement.
• Relationship Manager - The client relationship manager is a critical part of our service delivery methodology. This individual is the person who is responsible for transferring business insight and client needs to the Ernst & Young work team. The relationship manager is a senior executive who has a strong industry background and a thorough understanding of the client business.
• Stable Core Team - Our philosophy on staffing is to select a core team to serve our clients and manage the engagement on an ongoing basis. This allows us to develop in-depth knowledge of the business and relationships within the company, in addition to bringing them more specialized skill sets on a “just-in-time” basis. We assemble the best possible team, based on the skills and experience, to conduct our engagement in an effective and efficient manner.
• Co-Develop Expectations - Finally, one of our strongest responses to this question is to co-develop expectations with the client. We will assemble the core team and other resources based on the jointly defined expectations. The purpose for this step in the process is to make sure the client gets what they expect. If part of the expectation is that we understand their business (as typically is the case), Ernst & Young will make certain this expectation is met.
Success Stories
Aon
Company Background: Our client is a holding company composed of commercial insurance brokerage and consulting, and consumer underwriting companies. With 1997 annual revenue of approximately $5.8 billion and offices in more than 100 countries, the client is a world leader in insurance and consulting services. The Company is a current Audit, Tax and Consulting client.
Client Business Issue: The client maintained IT audit staff in Chicago, London and Rotterdam. The client experienced rapid turnover in the IT Audit group globally. The client has also been relying increasingly on new technologies including PeopleSoft and various eCommerce applications. They found it difficult to get proper audit coverage as they could not attract and retain skilled IT audit staff. Additionally, the IT environment was changing so rapidly that it was becoming cost prohibitive to continually retrain the IT audit staff.
Our Service Delivery Approach
1. Co-Developed Client Expectations–With the client, we developed an understanding of the risks in their industry, business and ongoing projects. Senior management preferred to have a single source responsible for the delivery of the IT audit service and asked us to coordinate IT audit activities globally from Chicago. As such, we worked from Chicago with the client IT Audit staff and appropriate EY ISAAS personnel in the UK and Rotterdam to develop a unified global IT audit plan.
2. Conduct Risk Assessment–We interviewed a dozen CIOs and other IT executives in the US to gain an understanding of projects in process and their areas of concern. This information was used as the base for a risk assessment matrix. A similar process was followed in the UK and Rotterdam.
3. Developed Annual IT Audit Plan–We developed an annual audit plan defining the different projects to perform during the year. This plan was approved by the Vice President Internal Audit and included all global projects. We are now completing the first year of the engagement, and have developed our second year audit plan based on the updated risk assessments, and submitted them to management for approval.
4. Execute the Annual Audit Plan–Because the engagement was so large, a team was assembled with an ISAAS manager assigned to each major business line with another manager acting as the account leader. The account leader is responsible for reviewing work programs and for ensuring quality delivery of service. Per the global IT audit schedule, individual audits are scheduled and performed by the ISAAS manager responsible for that area.
5. Communicate Results–We have a standing meeting every month to report US and Rotterdam results to the Vice President Internal Audit. We report status by project including hours and fees incurred that month. Additionally, we have a video conference with the UK every month with the Vice President Internal Audit to discuss the status of the UK projects. Audit reports are issued in the standard client Internal Audit report format and are typically distributed to a wide variety of senior management.
Value Received by the Client
• The client received higher quality risk coverage with a focus on its IT issues.
• We provided management with recommendations for improved controls and enhanced IT process improvements.
• We identified several single points of failure (SPF’s) that the client had not addressed as part of a business continuity audit. The major findings in the review were that Business Continuity Planning (BCP) policies or standards did not exist. As the client had been growing through acquisition, and actively merging operations where possible, it had unknowingly introduced several SPF’s into the environment. Our review caused the client to focus on its time critical business processes and realize that it was vulnerable to disruption. Because of the lack of standards and policies, it is unlikely that management would have recognized this weakness without our assistance.
• We identified IT security weaknesses in the UNIX, Windows NT, Oracle, Lotus Notes and Dial-in environments as part of an IT security infrastructure audit. The main findings from this audit included weaknesses in the Security Policies, Standards, and Procedures. As these platforms were supporting mission critical business processes, the client was risking the integrity, availability and confidentiality of its systems and data.
• We provided detailed security enhancement suggestions for PeopleSoft HRMS and Financials implementations. We also provided suggestions for process improvements related to the business processes associated with these implementations. The main findings from this audit were:
− Weaknesses in System Security. Weaknesses noted in system security settings were so severe as to allow most individuals in the accounting department to modify current and prior period data without leaving an audit trail. This weakness could potentially lead to an inability to balance accounts and close the books in a timely fashion.
− Application Development and Change Control. The company was in the process of rolling out these applications to various other operating units. In order to support these operating units, additional complex modifications would be required. Without proper application development and change control procedures, the company created a risk that these modifications would be erroneous. This situation had the potential to create inaccurate financial information.
− Re-structure of the Business Processes supported by the application. The various departments using these applications were still learning how the system operated. Hence, the lack of specific procedures created the risk that users would enter inaccurate or incomplete information into the system. This could potentially have a significant impact on the Company’s ability to close the books and produce accurate financial reports.
Novell
Company Background: Our client is a leading provider of network operating software enabled by directory services. Its Internet solutions make networks more manageable and secure, and reduce the total cost of ownership for organizations of every kind and size. The client also provides group collaboration software that links teams of users working on a project as well as software that manages networked PCs from a central location. The company earns more than $1 billion in annual revenue and is an Ernst & Young audit client.
Client Business Issue: The client was performing less well than in earlier years and realized that it needed to look at every revenue opportunity. Together with the client’s Internal Audit group, we uncovered a potential revenue assurance opportunity by collecting outstanding software licensing fees. Based on our existing methodology and global network, Ernst & Young ISAAS IT IAS was selected to coordinate and execute the software licensing audits.
Our Service Delivery Approach: Using our Royalty Audit methodology (Royalty audits for TCE companies located in the national revenue program catalog), we audited licensees on behalf of the client using both domestic and International Ernst & Young resources. So far we have visited licensees in more than 30 different countries. The reviews were performed to ensure compliance to agreement and reporting requirements of our client.
Value Received by the Client: To date we have recovered more than $16 million in outstanding licensing fees, providing a ten to one return on the client’s investment. The client received increased value and assurance through a successfully managed and coordinated project that used a consistent methodology that controlled travel expenses by using our International network of professionals.
Based on our findings and recommendations, we are now involved with the client in a business process re-engineering project that will provide the following:
• Improved operating efficiencies by reducing administration costs associated with the license management life-cycle.
• Increased profits by identifying and implementing controls to better track revenue from active licenses.
• Improved customer satisfaction by improving the quality and consistency of the license management services.
• Improved understanding of license agreements by both licenser and licensee.
• Better structured agreements up front.
• Better reporting systems and processes to accurately report revenues.
• Timeliness of cash receipts.
• Reduced incidence and expense of royalty audits.
• Improved accuracy, timeliness & completeness of reporting.
IT Internal Audit Services— Methodology
Overview
Our IT Internal Audit Services methodology provides ISAAS professionals with guidance in performing IT Internal Audit Services. The methodology is intended to guide the process whereby we evaluate risk and control processes related to information systems. The methodology is structured around five stages designed to focus on the client’s risks, to generate value, and to assist us in performing our IT internal audit procedures in an effective and efficient manner. The following IT Internal Audit Services Project Routemap gives a description of the major stages and activities in the methodology:
IT Internal Audit Services Project Routemap
Major Stages & Activities with Deliverables
Stage: Co-develop Expectations with Client
Activities:
• Understand the client’s needs
• Understand the client’s business at a high level
• Determine the scope of the engagement and risk assessment methodology
• Determine deliverables and obtain agreement from the client
• Develop fee estimation and define client billing procedures
Deliverables*:
• Strategy Memorandum
• Fee estimation for risk assessment
• Letter of Understanding
• Client Assistance Listing
• Relationship and communication protocols
• Value Scorecard
Stage: Conduct Risk Assessment
Activities:
• Plan the risk assessment
• Understand the client’s business goals, strategies, and critical success factors
• Develop understanding of the mega and major business processes
• Develop understanding of IT resources and related IT processes
• Validate our understanding of IT and risk
Deliverables*:
• Summary of business goals, objectives and mega and major processes
• Summary of how IT supports the business
• High-level IT Process documentation
• Risk Assessment
Stage: Prepare Annual IT Audit Plan
Activities:
• Understand management’s audit coverage expectations
• Prioritize audits
• Understand engagement economics
• Agree audit plan with client
Deliverables*:
• Plan of resources / skill sets needed
• Summary of areas to be audited
• Preliminary budget
• Preliminary timeline
Stage: Execute Audit Plan
Activities:
• Scope the IT audit project
• Understand the IT audit areas
• Identify and assess risks
• Identify and evaluate controls
• Design testing strategy and perform tests
• Conclude and report
Deliverables*:
• Scope document
• Detailed project plans
• Detailed documentation
Stage: Communicate Results
Activities:
• Understand communication protocols
• Prepare for meeting with Executive Management or Audit Committee
• Meet with Executive Management or Audit Committee
• Complete relevant quality control procedures
Deliverables*:
• Summary reports to Executive Management or Audit Committee
• Detailed findings and recommendations reports
• Client satisfaction feedback
* NOTE: Internal deliverables are in italics; all others are external.
Privileged and Confidential. No part of this may be reproduced or transmitted without permission of Ernst & Young LLP.
Methodology
The procedures in this document are not necessarily executed in a sequential fashion. While there is a natural order to performing the stages, activities and worksteps, and they are interdependent, we might not conduct the activities or procedures in a standard sequence. The following summarizes the processes defined in this document:
Stage 1—Co-Develop Client Expectations: We co-develop and confirm the basis for our relationship with the client. We develop a mutual understanding of the scope of our IT internal audit services among client management responsible for the IT internal audit function, the client’s executive management, the Audit Committee of the Board of Directors, and the engagement team(s) responsible for our internal and external audit services, as appropriate. We co-develop expectations with the client in order to understand and document our relationship objectives and our relationship protocols. Additionally, we begin to understand the client’s business goals, objectives, strategies, and risks.
Stage 2—Conduct Risk Assessment: We assist client management responsible for the IT internal audit function in developing a risk assessment of the client’s IT processes and IT components supporting the business processes. The purpose of the risk assessment is to identify where significant IT risks exist, to assess the relative levels of risk, and to align the IT internal audit approach with the areas of the company that will provide an appropriate level of risk coverage. The risk assessment establishes risk priorities and forms the primary, but not only, basis for the allocation of resources in the annual IT audit plan. Our risk approach is a flexible, business and IT process focused methodology; see Appendix A for the detailed methodology blueprint. The risk assessment is reviewed and approved, at least annually, by the client’s executive management and the Audit Committee.
Stage 3—Develop Annual IT Audit Plan: We work with client management responsible for the IT internal audit function to develop the IT annual audit plan. The annual IT audit plan defines the individual projects to perform during the year along with an estimate of the total number of hours required for each project. In assisting with the development of the plan, we consider the total available hours for the overall engagement, the need for special management discretionary projects, and the number and mix of specialized resources required to perform each audit. The annual IT audit plan, which includes an “outlook” of projects to be performed on a rotating basis over a specified period of time (e.g., three years), is reviewed and approved by the client’s executive management and the Audit Committee. It is updated as required, at a minimum yearly, to reflect significant changes in the client’s risk profile that may result from changes in the organization structure, business operations, technology infrastructure and/or new products and services.
Stage 4—Execute the Annual Audit Plan: This stage is made up of five activities designed to guide the execution of individual projects defined in the Annual IT Audit Plan. All or part of certain sub-activities may or may not be performed depending upon the scope of the particular project determined in Stage 3—Annual IT Audit Plan. The activities are:
Activity 4.1 Scope the IT Audit Project: This is performed at the outset of each project and provides focus and direction for the remainder of the procedures performed during the execution of fieldwork. In this activity, we establish the objectives, scope, and timing of the project and communicate these expectations to management through a project scoping document.
Activity 4.2 Understand the IT Audit Areas: This builds on our initial understanding of the processes and/or areas selected for the audit which was gained in Stage 2—Risk Assessment. In this activity, we consider what additional information is required for us to document an understanding of the audit area. We also confirm the team members and agree roles and responsibilities.
Activity 4.3 Identify and Assess Risks: This builds on our initial understanding of the related risks, including key performance indicators, gained in Stage 2—Risk Assessment. In this activity, we consider where errors could occur in the IT process or area (or business process where we are teaming with Internal Audit Services) that would keep the process from achieving its financial reporting, operating, or compliance objectives and walk through the process to confirm our understanding. In this activity we determine the inherent risks as they relate to the audit project and agree our risk assessment with management.
Activity 4.4 Identify and Evaluate Controls: This builds on our initial understanding of the related controls gained in Stage 2—Risk Assessment. During this activity, we preliminarily evaluate the effectiveness of the process’ design and the controls in place to address the potential for errors to occur. This preliminary evaluation is used in the next activity where the controls are tested, as applicable. We also may provide management with recommendations for improving the controls and enhancing process performance.
Activity 4.5 Design Testing Strategy and Perform Tests: This builds on our preliminary evaluation of the selected processes and related controls in the previous activity. Where appropriate, for the controls identified and preliminarily evaluated as effective in the previous activity, we design and execute tests of controls to determine if the controls were operating as we understood. Exceptions noted in our testing are communicated to management and may result in recommendations for improvement in our final report.
Activity 4.6 Conclude the Audit/Reporting: We conclude the audit project by:
• Reviewing all working papers, supporting documentation, and the draft report.
• Determining whether we have performed work sufficient to satisfy our objectives and our conclusions are adequately supported.
• Communicating the results of our work to management.
• Requesting feedback from management on whether or not we have met their expectations.
Stage 5—Communicate Results: Working with client management responsible for the IT internal audit function, we communicate the results of our internal audit work to executive management and the Audit Committee based on expectations co-developed in Stage 1—Co-Develop Client Expectations. At appropriate times during the audit year, formal approval of the risk assessment and annual IT audit plan is obtained. We also periodically communicate the results of our IT audit projects, including significant issues, and the value we have provided to the company through our Value Scorecard.
Stage 1—Co-Develop Expectations with Client
Introduction
The first stage in our IT Internal Audit Services methodology is to co-develop expectations with the client. We develop a mutual understanding of the scope of our IT internal audit services with key client management and, where applicable, the engagement team responsible for our internal and, in an integrated audit, external audit services. Co-developing expectations involves key activities, such as determining expectations related to our services, deliverables, and the basis for measuring the value we deliver. To help us gain this understanding, we conduct co-develop expectation meetings with key client and engagement personnel to discuss and document the following:
• IT Internal Audit Objectives
• Scope and timing of procedures
• Client’s Business and IT Goals, Objectives, and Strategies
• Communication protocols, including measuring and communicating value, as well as engagement issues and status
The process of co-developing expectations and communicating value begins during the sales process, continues throughout the engagement, and involves periodic discussions with appropriate management. Co-developing expectations for integrated audits requires us to understand both the internal audit and external audit requirements. Appendix B-1 includes a discussion of necessary considerations within an integrated audit. As with any engagement, we also must ensure that we have followed specific firm guidelines for client and engagement acceptance. For non-audit clients, we follow guidance and perform the procedures set forth in the Policy and Practice Statement, Client and Engagement Acceptance-Other AABS Manual.
Generally, co-development begins during the Sales Process. We obtain an understanding of client expectations and document them in a letter of understanding (LOU) signed by the appropriate management personnel of the client. The LOU documents (at a high-level) the services to be provided as agreed in Stage 1 - Co-develop Expectations with Client. This letter also documents the billing requirements and must include our standard terms and conditions for ISAAS consulting engagements and the alternative dispute resolution provision, which may be applicable in those rare instances when the firm and a client cannot resolve a matter informally. (See ISAAS Policies and Procedures Workbench for the standard LOU’s, terms and conditions, and alternative dispute resolution provision.) Additional co-development sessions may be necessary to refine our project scope and expectations or further refine requirements.
3-5
Methodology—Stage 1
Summary of Stage 1 Activities
In order to scope the IT Internal Audit Services engagement properly, we identify several activities to guide the team through the initial meetings with the client:
1.1 Understand the client’s needs and learn the basis for setting the service expectations.
1.2 Understand the client’s business at a high level to establish a basis for a better understanding of how IT is used to support the business.
1.3 Determine the scope of the engagement and risk assessment methodology to provide the basis for building the workplan.
1.4 Determine the deliverables and obtain agreement from the client.
1.5 Develop fee estimation and define client billing procedures.
Summary of Stage 1 Deliverables
After completing this stage, the following documents should be developed:
• Letter of Understanding
• Strategy/Planning Memorandum
• Client Assistance Listing
• Relationship and Communication Protocols
• Fee Estimate
• Co-developed Value Scorecard
Examples of these documents are located in Appendix B or within the ISAAS Policies and Procedures Workbench.
Stage 1 Activities
Activity 1.1 Understand client’s needs
IT Internal Audit Services engagements will, in most cases, be sponsored by the Director of Internal Audit and top management of organizations. Like other ISAAS services, it is necessary to understand what the client’s concerns, needs, and expectations are and how we can assist in meeting their needs. Once we have identified the necessary participants (generally the client’s Internal Audit Director, Chief Financial Officer, Chief Information Officer, and other key executives) we should set objectives for the meetings. For internal audit teaming and integrated audits, we ordinarily have the coordinating partner, the IAS engagement partner and possibly other members of the external audit team participate in these meetings. In preparing for the meetings, we make a preliminary assessment of our relationship with the client and our knowledge of the client’s business and industry, its needs and expectations, and its goals and objectives. In addition, we review and consider the results of any prior ISAAS projects, client satisfaction surveys, and previous discussions with management. This preliminary assessment also is important in considering which engagement team members should participate in the discussions, and it allows us to preliminarily determine the commitments we are willing to make. During the co-develop expectations meetings, we obtain sufficient information to meet the following objectives:
• Understand the client’s specific concerns regarding IT risk and risk coverage in their organization.
• Determine how to customize the IT Internal Audit Services methodology to address the client’s situation. For example, if the client uses a service bureau to maintain the computing environment, our methodology will require customization to address the service bureau processes according to the client’s expectations.
• Description of the relationship between the client and Ernst & Young in such a way that it can be measured afterwards. These measurements should be agreed with the client and documented within a value scorecard.
• High level setting of expectations regarding the IT Internal Audit Services engagement and the client expectations regarding our service delivery.
• Documentation of the above.
To obtain meaningful information, the meetings require in-depth discussion between the client’s decision makers and the more experienced E&Y team members. While understanding the client’s concerns, three key elements for a successful relationship will be discussed:
• Obtaining insight into the client’s understanding of the organization’s issues and problems;
• Ensuring we have a sufficient understanding of the client’s business;
• Standards for providing and performing effective and efficient service.
The success of the relationship strongly relies on our ability to provide value to the client. This value could be expressed by means of a project or service charter and a value scorecard to measure the value delivered. Defining the expectations and service level together with the client and discussing these elements is a continuous process throughout the engagement. The value scorecard is an important tool for us to measure our success. The service charter and value scorecard can be found in Appendix B-2 and B-3.
[Slide template: Co-Develop Relationship Objectives (client name): Co-Develop Expectations, Internal Audit Drivers]
• Focus / Risk Coverage / Business Process: Gap Closures; Early Warning Detection
• Value Creation / Strategic Insight: Shareholder Value; Idea Generation; Knowledge Transfer
• Audit Efficiency / Respect Management / Measurement: Minimal Disruption; Client Satisfaction; Completion of Audit Plan
[Slide template: Establish Relationship Protocols (client name): Our Team (Subject Matter Expertise); Risk Focus (Processes; Geographic Areas; Functional Units); Value Scorecard (Components; Other IA Measures); Communication Protocols (Executive Management/Audit Committee; Reporting; Frequency of Communications); Special Projects]
Activity 1.2 Understand client’s business
To better understand client expectations, deliver value to our clients and assist in developing an internal audit IT risk assessment, we need to obtain a high level understanding of the client’s business. This understanding will allow us to effectively perform a risk assessment and therefore appropriately focus our professionals. In addition, we will gain credibility by demonstrating an appropriate depth of knowledge of the client’s industry and business. To understand the client’s business, we consider the following objectives:
• Understand the organization’s business objectives, goals and strategies;
• Understand the critical success factors of the organization to successfully achieve these objectives. In addition, identify any strengths, opportunities and challenges for the business to achieve these objectives;
• Understand what influences exist, both internally and externally, to the organization that will impact the business objectives and critical success factors;
• Understand how the organization is structured, including current staff capabilities; and
• Obtain a high-level understanding of the business processes and determine the key business and IT processes.
We might obtain much of our understanding through a facilitated discussion with appropriate company management. Within these meetings, we will discuss the company’s current state and the desired future state, as well as the business strategies and risks. Before the discussion, we also may need to gain an understanding of the market forces and other environmental factors affecting the company, as well as the influences of the stakeholders.
Following are example templates which can be used in our discussions to meet the above objectives:
[Template: Understanding Your Business Goals and Objectives (client name), with columns Current State, Future State, Key Performance Indicators, Critical Success Factors and Business Risks. Example entries:]
Current State: Dominate in domestic markets; Excellent growth potential; Significant cross marketing potential; Decentralized systems/processes
Future State: Managing 25% growth with high profitability; Maximum service penetration through distribution channels; Shared services; Premiere retailer worldwide
[Template: Understanding Your Business Strategies and Risks (client name), with columns Critical Success Factors, Key Performance Indicators and Business Risks. Example entries:]
Critical Success Factors: Managing growth; SG&A reductions; Enterprise system implementation
Key Performance Indicators: Stock price; EPS; Inventory turnover
Business Risks: Departure of key management; Increased competition; Lack of system integration
Using the knowledge obtained, we will be able to identify the higher level risks inherent to achieving the business objectives of the organization and the system of controls over these higher level risks. We also determine if the organization currently has a risk framework in place. Risk frameworks will vary from client to client, but will include the identification of the most significant high level risks faced by the organization. There are various sources of information available that can be used to help us obtain our high level understanding. If the organization is a current client of Ernst & Young, we may be able to obtain useful information from the external audit team, workpapers, deliverables, IAS resources and intelligence, or the Business Intelligence Memorandum (BIM) produced by the Assurance Support Center (ASC). Up-to-date market, industry, regulatory and technology information and trends can be obtained through the ASC Custom Databases. In addition, industry Business Process and IT Process Models with example business objectives, critical success factors, etc., are located in the ASC Industry Link Database. Both the ASC Custom Databases and the ASC Industry Link Database can be accessed through ASC Online on the ISAAS Workbench. We should also obtain, if appropriate, the client’s Strategic Business Plan, IT Strategic Plan, and organization charts. This information should be collated and kept in a central location (e.g., a background binder, account plan document or Lotus Notes team database) for engagement team members to review for background information prior to performing any work with the client.
Activity 1.3 Determine scope of the engagement and risk assessment methodology
Within the previous activities of this stage, we obtained an understanding of the client’s expectations and needs as well as a high-level understanding of the client’s business and IT processes. We also obtained information regarding the importance of IT supporting these processes. This information is useful and necessary to determine the scope of the engagement, which is the goal and output of this step. The project team should be mindful that as the project progresses it may be appropriate and necessary to focus on areas other than those initially selected. If the scope changes, we assess whether it is necessary to revise the LOU, our fee estimates and/or timetables for completion. The Risk Assessment is the primary driver for the development of the IT Internal Audit Services Audit Plan. Therefore, we must appropriately co-develop the scope of the Risk Assessment with the client. This is done by using the information gained through the previous steps of this stage, and analyzing that information using the understanding and knowledge of the major IT subprocesses as defined in COBIT™. Further discussion of the major IT subprocesses and E&Y’s use of the COBIT™ methodology can be found in Activity 3 within Stage 2 of this document. We also must determine whether a Risk Assessment Methodology is already being used by the organization. The client may want us to follow a pre-developed Risk Assessment Methodology. If there is a methodology already in place, we will need to review the methodology to determine its adequacy and whether we feel comfortable following the procedures. In the absence of a client risk framework, we should consider using the business process/IT process framework outlined in this methodology.
Through our client meetings, we need to ensure we have a mutual understanding regarding the scope of our procedures. We meet with key client personnel to co-develop expectations for IT Internal Audit procedures and document the results in a Strategy Memorandum (Example in Appendix B-4). We should obtain agreement in the following areas of the engagement:
• Scope—Define the specific procedures to be performed by E&Y. Identify any items (business processes, IT processes, divisions, locations, etc.) which should not be included as part of the risk assessment. In addition, we need agreement on the depth of our risk assessment. This initial scope may be changed as other areas are studied and issues are identified in those areas. Scope changes should be documented as addenda to the strategy memorandum and, if necessary, to the Letter of Understanding. We should also discuss management’s expectations and communication protocols for ad-hoc consultations and projects which are outside the initial scope of the agreement or annual audit plan. Considerations include: who approves scope changes, fee and billing arrangements, etc.
• Timing—Define a basic timeline for the performance of the procedures and key deadlines (milestones).
• Roles and Responsibilities—Present our IT Internal Audit team and confirm that we have the right service team to meet the client’s needs. We may allow the client to provide input on the staff to be used on the engagement. We also define the responsibilities of the client and the E&Y engagement team. In this process, we identify the need for knowledge transfer activities or the inclusion of client personnel as part of the engagement team. When teaming with IAS and/or the external audit team, we coordinate closely to ensure that we have consistent application of agreed relationships (i.e., the client should see us as one entity, not IAS and ISAAS). We apply the same amount of care and due diligence in coordinating with IAS and external audit as we do with the client internal audit function.
• Communication Mechanisms—Define the methods and approach for communicating with the client, both informally and with formal findings and recommendations, to ensure that all interested parties are notified of the engagement’s status and results on a timely basis. One method for communicating interim results would be to have periodic meetings at key points throughout the review process. This can include a listing of key issues noted to date with a status check of those issues that are still unresolved (periodic issues list).
• Assumptions—Define any assumptions that may affect the scope, timing, or responsibilities of the review (e.g., the internal audit department will provide assistance in the definition of key business processes). This should be documented in a formal appendix to the Letter of Understanding, as well as taken into consideration in preparation of the Client Assistance Package (Example in Appendix B-4).
• Other—Define other areas of management’s concern that may be encompassed within the engagement (e.g., implementation of a new access control software system).
Scoping the IT internal audit risk assessment and procedures is a complex process which requires significant skills and professional judgment. It should therefore be performed by the most senior and experienced team members. These team members should also have knowledge about the major and sub IT processes.
Activity 1.4 Determine deliverables
In addition to defining the scope of the project, we discuss with our client how we will deliver the results of our review. The last work step within this stage of the methodology is to agree upon the deliverables or report format. The discussion would likely include the following:
• The form of the deliverables (written report, oral presentation or both);
• The contents of the deliverables (e.g., to what extent should the basis for the observations and the recommendations be included in the report). This matter becomes critical when there is the potential to include certain sensitive information in the report.
• The timing, or “turn-around”, of reports (e.g., draft report issued within 15 business days after the end of fieldwork). Many internal audit functions are concerned with timely completion of audit reports; therefore it is critical that we understand and discuss their expectations to ensure client satisfaction.
• Management responses and timing. Some clients prefer that the draft reports have initial management responses, while others prefer for management responses to be gathered at the time of the final closing meeting. The client’s preference could significantly impact our ability to meet report turn-around requirements. In addition, some clients set deadlines for management responses (e.g., 10 business days after the draft report is issued). These expectations are communicated to our engagement team and to relevant client personnel to ensure that timing requirements are understood and accepted.
• Report Ratings. Client management may request that we apply ratings to our reports. We discourage the use of ratings for two reasons:
− We do not want to give the impression that we are issuing an opinion, or attestation, on controls; and
− Ratings do not foster an open environment for communication and resolution of issues.
On some engagements, the Director of Internal Audit or the audit liaison is responsible for assigning ratings based on our detailed reports. However, if the client requests us to assign the ratings, detailed guidance is provided in the Internal Audit Services - Policies and Procedures Manual. The rating categories should be co-developed with the client and documented in the strategy memorandum. We may also request representation from client management acknowledging that the ratings do not constitute an opinion or attestation on the adequacy of controls. The form and content of deliverables could, in this stage of the engagement, possibly be set out on a provisional basis. While performing the engagement, the outlines of the deliverables will become clearer and could be discussed with the client in more detail.
Activity 1.5 Develop fee estimation and define client billing procedures
Develop fee estimation
As we have been determining the scope and timing of the engagement, we must also ensure that fees have been agreed upon with the client. Engagement economics and pricing models will differ between clients depending on internal and external circumstances. We follow the firm guidelines for pricing all engagements. It is advisable to avoid selling IT Internal Audit Services as a flat fee engagement. Pricing engagements using hourly rates helps ensure that we are able to staff the engagements with the appropriate expertise and helps avoid unpaid scope change requirements. Any agreed upon pricing model should be included within the Letter of Understanding. See Appendix B-5 for an example fee estimation template that can be used to evaluate the staffing mix and fee structure.
Define client billing procedures
The engagement team partner and team leader should establish the billing procedures with client management. Procedures should include:
• Who is authorizing personnel to bill;
• Payment/Collection requirements;
• Expense policy (firm’s or client’s) or capitation requirements for engagement expenses.
Methodology—Stage 2
Stage 2: Conduct Risk Assessment
Overview
All entities are involved with risk management and assessment on a daily basis. Based on management objectives, direction of work performance and management style, employees conduct their activities to minimize risk to their company. A risk assessment is performed to take a snapshot in time of these activities and their impact on mitigating all forms of business risk. Therefore, a risk assessment is applicable for a period of time and should be reperformed on a regular basis if used to plan or make decisions.
There is no practical way to reduce risk to zero. Risk is inherent to conducting business. Management must practically manage its risk processes to determine how much risk is to be accepted versus mitigated, controlled, insured, etc. Risk management and risk assessments are not only based on the control objectives of a company, but should also identify and analyze risks relative to achievement of the business objectives. This forms the basis for determining how the risks should be managed or monitored to contribute to the success of the business. Success is a measurement that also needs to be identified. Business success can be measured in many forms and isn’t only based on the profitability of the company. Short-term business strategies may include discounting until profitable to gain entrance into a new market or to improve overall market penetration for a product. We must understand the key business measurements in order to identify the elements that management includes in the measurement of risk mitigation.
Understanding the business and the impact of IT on the business is key to performing IT risk management. Ordinarily, IT management gains an understanding of the business requirements and priorities, in order to most effectively prioritize efforts and allocate resources. IT risk management efforts are similar. IT management implements controls and processes based on the relative risk and impact to the business.
Accordingly, IT risk assessment should incorporate a business requirements analysis to ensure that IT internal audit resources are focused on areas of most value to the business. In all cases, our engagement executives work with the client to determine how we ensure that the risk assessment is aligned with overall business requirements. This can include engagements where we already have a long standing external audit relationship, or where client management doesn’t want a business process risk assessment included in our scope of service.
Our Risk Assessment Framework
Our IT risk assessment approach is a flexible, business and IT process focused risk approach that maximizes the use of the firm’s methodology, technology, tools, and knowledge, combined with the auditor’s training, judgment and industry experience. Our approach involves the assessment of the business requirements and IT Risks through our understanding of the client’s business goals and objectives (Activity 2). This will enable us to focus the scope of our risk assessment on the areas where IT is most important to the business (Activity 3). This understanding also enables the ISAAS team to more appropriately assess the impact of any observations or findings in subsequent stages of the risk assessment and audit plan delivery.
At a high level, our risk assessment approach can be summarized in the following steps:
• understanding business goals, objectives, and critical success factors;
• understanding the business processes and the related IT requirements, including the potential impact if the business requirements are not met; and
• understanding the IT resources and processes that management has implemented to meet the business requirements.
This can be illustrated by:
Appendix A provides a detailed description of the different elements of our risk assessment framework and definition of key terminology. Professionals should read and understand this framework before proceeding with Stage 2.
This section outlines our approach for the IT risk assessment process assuming we are performing Stages 1-5 of the methodology for the client. However, a client may request that we only perform Stage 1 and 2, or certain activities within Stage 2. These expectations should be discussed during the Sales Process and Stage 1–Co-Develop Expectations. Based on client expectations and quality assurance requirements, we modify our approach as required.
Summary of Stage 2 Activities
To conduct the IT Risk Assessment, we perform the following activities:
2.1 Plan the risk assessment to ensure that we have the proper project team, project organization, and an effective project plan in place.
2.2 Understand the business goals and objectives, strategies, and critical success factors to focus our scope to areas where IT is most important to the business.
2.3 Understand the mega and major business processes and related IT requirements to identify the key business processes and assess the importance and impact of IT.
2.4 Identify the IT Resources and related IT processes in place to further develop our understanding of the IT environment and the potential risks.
2.5 Document our overall risk assessment and validate with management for input into the IT audit plan.
Summary of Stage 2 Deliverables
• Summary of business goals, objectives, and critical success factors.
• Identification of the key business processes.
• Summary of the IT resources that support the business processes and the potential business impact.
• High-level documentation of the IT processes.
• Risk assessment conclusions.
Activity 2.1 - Plan the Risk Assessment
Introduction
To ensure a successful risk assessment, with the right team involvement and project organization, an effective plan and project charter should be developed and reviewed with the client.
Summary of Principal Worksteps
2.1.1 Identify and Orient Project Team
2.1.2 Identify Key Client Personnel to be Involved/Interviewed
2.1.3 Develop Risk Assessment Workplan
2.1.4 Determine Timeframe and Budget for Risk Assessment
Principal Worksteps
2.1.1 Identify and Orient Project Team
Identify Project Team: When developing the project team, ensure the following areas receive proper attention:
• Delivering IT internal audit services requires experience in many aspects of IT systems, audit and controls. Implicit within the development of this methodology is the understanding that the professional, or at a minimum the project team as a collective user, will have experience with understanding business processes, understanding the major IT controls, and analyzing IT business processes to determine whether they are helping ensure IT supports business objectives and operations.
• The engagement team should ideally include a leader or key team member who is experienced in the industry served by the client organization. Such experience is valuable in helping the client identify needs and issues relevant to their particular industry.
• Well developed interpersonal skills are required. To be effective, the project team members will be required to gather information from various sources through interviews. Team members should be skilled and comfortable with significant interpersonal contact with high-level executive and senior management within the client organization.
• Additionally, the projects are often designed to touch many areas of the organization. Therefore, the project manager must be skilled in managing a complex engagement. The engagement will be comprised of components that involve many of the business units, and will use multiple means of gathering data and information. Ensuring that all are executed smoothly and concurrently requires well developed project management skills.
Specific engagement team/project management team roles and responsibilities are included in Appendix C-1. See additional guidance regarding engagement teams, review responsibilities, independence requirements, etc., in the ISAAS Policies and Procedures Workbench and the IAS Policies and Procedures Manual.
Orient the Project Team: Due to the size and complexity of IT Internal Audit Engagements, special attention must be paid to orienting the project team, particularly in the area of setting expectations and discussing roles and responsibilities. Specific areas for consideration and communication are:
• Project Charter: As a result of Stage 1–Co-develop Expectations, we develop a brief project charter which defines the areas to be assessed and the scope of our procedures. It also sets expectations for status reporting, communication, etc. The project charter should be communicated to all team participants.
• Engagement Roles & Responsibilities: As a part of the planning phase, we will also develop a project workplan, budget and timeframe for the risk assessment. The engagement executives and project manager ensure that the engagement team understands each of their roles and areas of responsibility in performing the risk assessment. Discussion points could include specific areas for evaluation, supervision and review responsibilities, performance review expectations, etc.
• Integrated Audit Considerations: Where we are performing internal audit procedures for a current audit client, during Stage 1–Co-Develop Expectations, we identify areas where internal audit will perform procedures that will be relied upon in the external audit. To ensure that these procedures are performed adequately and timely, it is critical for each of the engagement team members to understand the external audit requirements and their responsibilities for addressing these requirements and communicating the results to the client, the internal audit team and the external audit team. See an example of a Summary of Financial Audit Considerations user plan in Appendix C-7.
• Project Documentation Standards: Prior to performing any work on the engagement, we determine the form and content of the workpapers. If the client is a firm client, and the work to be performed in the risk assessment is to be relied upon by the external audit team, then documentation standards promulgated by the firm should be adhered to for the engagement. The risk assessment should also incorporate firm standards for workpaper documentation as prescribed by the ISAAS Policies and Procedures Workbench notes database. Although we strive for workpaper efficiency, our workpapers should contain evidence of the procedures performed which is sufficient to allow a reviewer to reperform the procedures if necessary.
• Status Reporting Procedures: To ensure the proper level of executive involvement and supervision, we establish internal status reporting procedures. These include when, where and how often we update the project team on our progress. In addition, the client may have certain expectations and concerns regarding status reporting and issue resolution. These expectations are also communicated to the engagement team.
• Use of Technology/Tools: The tools to be used to complete the risk assessment are identified during the planning phase. The tools can include firm products (i.e., EYCheckPoint, business process mapping tools, EY/AWS) or client preferred risk assessment tools. If a client tool or methodology is adopted by the E&Y risk assessment team, then the team leader or local ISAAS champion may need to assess the quality of the client’s risk assessment methodology and tools.
Other Administrative Matters: Ensure that the client has designated an appropriate work area. The area should ensure privacy and confidentiality of company information and the engagement team.
2.1.2 Identify Key Client Personnel to be Involved/Interviewed
We obtain management’s input regarding key client resources who should be involved in the risk assessment process. Based on our knowledge of the client, the industry, and our previous experience with risk assessments, we may have to guide them through the identification process or provide them with suggestions regarding key personnel to be interviewed. As a minimum, consider involving the following types of client personnel:
Senior Management: Identify the client’s key decision makers (generally the client’s Chief Financial Officer, Chief Information Officer, Director of Internal Audit, and other key executives) to participate with key members of our team and client management responsible for the internal audit function in the assessment of business requirements. For integrated audits, we ordinarily have the coordinating partner and possibly other members of the external audit team participate.
Business Managers: Identify the client’s key Mega and Major business process owners for assessing the business requirements and IT resources. For clients that do not manage their businesses with a process orientation, those with responsibility for the processes may be more difficult to identify. In these cases, identify the functional managers who are responsible for key aspects of each business process.
IT Management: Identify key IT management personnel and functional responsibilities that support the IT processes. These personnel are ordinarily responsible for the application and management of the IT resources and key IT processes.
2.1.3 Develop Risk Assessment Workplan
Depending on the size of the engagement, expected client reporting and client team involvement, a workplan should be developed that details significant engagement worksteps. An example plan is contained in Appendix C-2.
2.1.4 Determine Timeframe and Budget for Risk Assessment

Develop Risk Assessment Budget
As we determine the scope and timing of the engagement, we must also ensure that our fees support the budget of personnel and hours. Engagement economics, staffing, hours and pricing models will differ between clients depending on internal and external circumstances. We develop a preliminary budget for the risk assessment defined in the co-development of expectations. This preliminary budget provides an estimate of the total number of hours required as well as the staffing levels and experience needed to complete the assessment. We also consider the number of hours required of ISAAS specialists (e.g., Network, SAP, Continuity, eCommerce). Considerations in developing the budget include:
• number and level of personnel involved,
• number of locations, domestic and international, to visit (time and travel cost if local staff support is not appropriate or available),
• depth and breadth of the risk assessment, and
• number of hours required of ISAAS specialists.
Determine Timeframe
As we set the timeframe for the risk assessment, we need to consider several factors:
• Availability of Client Personnel–Timing needs to compensate for vacations, holidays, significant company events, financial closings, etc.
• Number of Locations–Depending on the client organization, we may need to perform interviews and evaluations at a number of sites, domestically and internationally. This needs to be agreed in the co-development of expectations with the client.
• Availability of E&Y Personnel–Availability of staff and firm experts is considered in the timing of the risk assessment.
Methodology—Stage 2
Activity 2.2—Understanding the Entity’s Business Goals, Strategies, Objectives and Critical Success Factors

Introduction
Developing our understanding of the client business goals and objectives enables us to focus the scope of our work on the areas where IT is most important to the business. This understanding also enables the project team to assess the impact of any observations made in subsequent stages of the engagement. Due to the nature of this activity, the facilitator needs to have experience with the client or in the client’s industry. The engagement team should consider involving the coordinating partner—for current clients—or an executive from IAS with relevant industry experience to assist in facilitating the session. The goal of this activity is not to evaluate or question the client’s business direction. We are gaining an understanding of the business to ensure that our risk assessment is focused and performed in the appropriate context. The results of this activity are documented and incorporated into the workpapers with the risk assessment and should be communicated to the entire engagement team.
Summary of Principal Worksteps
2.2.1 Identify relevant information held by E&Y from Stage 1–Co-development of Expectations and from other internal departments.
2.2.2 Confirm and build our understanding with senior client management.
Principal Worksteps

2.2.1 Identify relevant information held by E&Y
Use the knowledge acquired from Stage 1–Co-development of Expectations to prepare a draft summary of the business goals, objectives, strategies and critical success factors. Consider using the ASC Industry Process/Business Risk template as a starting point. Depending upon specific circumstances, the engagement team may decide to use only the output from Stage 1, rather than perform additional work in this area. The decision as to the level of detail required should be based on the professional judgment of the ISAAS executive and the specific engagement requirements. If the entity is already a client of the firm, consider whether sufficient relevant information exists within other E&Y engagement documentation. Examples of this may include:
• Audit—Information collated from Audit Process Activity 7 (Understand Business Goals, Objectives, Strategies and Critical Success Factors). This information is likely to be documented using the ASC Industry Process/Business Risk template, as in the example in Appendix B.
• Internal Audit Services—Information from activities related to modeling the business (Understand Business Goals, Objectives, Strategies and Critical Success Factors).
• Corporate Finance—Background information on the client.
• Consulting Services—Background information on the client.
• Tax—Background information on the client.
If client acceptance procedures have been performed by another E&Y practice on a separate engagement, E&Y is likely to hold information on the entity and the engagement team should consult that information.

2.2.2 Confirm and Build Understanding
Senior management is responsible for determining the goals, objectives, strategies and critical success factors of the business. Therefore, it is critical to ensure that appropriate meetings are held with relevant client management. Even where other E&Y practices have relevant information, it will be necessary to meet with the client to ensure that the information is factual, current and relevant to our engagement. Useful questions to confirm our understanding of the business might be:
Goals & Objectives
• What is the mission statement of the business?
• What is the overall goal of the business and its components?
• What are the specific objectives set by the company?
• What performance measures are used as a basis for executive remuneration?
Strategies
• Does a formal business strategy exist? (If so, review the document to ascertain what the strategies are.)
• What are the business strategies used to achieve the business objectives?
• What investments/significant changes is the company making to achieve its goals?
Critical Success Factors
• What initiatives must be achieved if the strategy is to be successfully implemented?
• If only a critical few of these key results could be achieved, which ones would they be? And why?
See example documentation of business objectives, critical success factors, etc. in Appendix C-3.
Activity 2.3—Understand the Mega & Major Business Processes and Related IT Requirements

Introduction
Understanding the entity’s mega and major business processes and how they relate to the critical success factors of the business enables us to identify the key business processes. Determining how and what IT supports the key business processes provides an understanding of the importance of IT to the business. This understanding allows us to perform a more business-focused IT risk assessment and to direct our workplans to provide the most value and the most comprehensive risk focus to the client.
Summary of Principal Worksteps
2.3.1 Identify the mega and major business processes by using guidance from industry standards documents and discussing the business processes with management.
2.3.2 Identify which of the major business processes are ‘Key’ by matching the major business processes to the critical success factors of the business.
2.3.3 Document how IT supports the mega and major business processes.
Principal Worksteps

2.3.1 Identify the mega and major business processes

We obtain business process documentation directly from the client or from available E&Y resources, such as IAS or external audit, or select a normative business model for the industry that relates to the entity. These models are typically available from industry PowerPacks and in the ASC Industry databases on Lotus Notes. Gain a high-level understanding of the client’s documents or customize the normative industry models using the information collected during co-development of expectations. The purpose of this workstep is to enhance our understanding of the business for purposes of our IT risk assessment. Our intent is not to perform a business risk assessment or to model the business. Therefore, our documentation and inquiries should be at a high level. Confirm who the owner of each business process is and obtain the following information:
• Process Name—The name should reflect the common language that the client uses.
• Purpose/Objective—Why the process exists.
• Owner of the Process—Who is responsible for ensuring the process achieves its objective.
• Beginning and Ending—The boundaries of the process.
• Inputs and Outputs—What is required to perform the process and what is produced from the process that can be passed on to other processes.
Summarize the information. See examples of major and mega process documentation in Appendix C-3.
For clients that do not manage their businesses with a process orientation, identifying the business process owners may be more difficult. In these cases, identify the functional managers who are responsible for key aspects of each business process. For example, in such a client, we may correlate the major processes to organizational components (e.g., department, division, subsidiary) and their functional managers. The following matrix illustrates one way to relate major business processes (rows X, Y, Z) to functional departments (columns A to D):

Process | Department A | Department B | Department C | Department D
--------|--------------|--------------|--------------|-------------
X       |              |              |              |
Y       |              |              |              |
Z       |              |              |              |
2.3.2 Identify the key business processes

It is essential that we understand which of the major business processes are most important (key) to the business, so that we can focus our efforts on those processes. The key business processes are identified by developing an understanding of which major processes have the greatest impact on the achievement of the client’s critical success factors. One proven method of identifying the client’s key business processes is a matrix of the major processes against the critical success factors, used to assess the effect of each process on each critical success factor. See an example of the matrix in Appendix C. In less complex clients, it may be possible to understand the relationships without using a matrix. Alternative methods may be used (e.g., making this correlation at the mega process level). Professional judgment should be applied when determining the final approach to be undertaken.

2.3.3 Understand how IT supports the mega and major business processes and its potential impact on the business
In workstep 2.3.2, we identified the key business processes and gained an understanding of why they are critical to the success of the business. Our next step is to understand the role that IT plays in enabling and/or ensuring that the key business processes are successful. In order to understand the impact and importance of IT, we must understand:
• Where are the key business processes supported by IT?
• What is the potential impact to the business if IT is not functioning as required?
• Have there been any previous issues with IT not meeting the business requirements?
Understand How IT Supports the Key Business Processes
We meet with the business process owners and confirm our understanding of the business process: key inputs and outputs, objective of the process, etc. We then gain an understanding of IT’s role in the business process. Key questions that we might ask include:
• Is the process highly automated?
• Is success of the process reliant on IT and, if so, how or why is it reliant on IT (e.g., the process performs complex calculations, it produces information key to the decision-making process, etc.)?
• Does IT perform significant control functions or calculations as part of the process?
• Which business information requirement of IT (i.e., availability, confidentiality, integrity, efficiency or effectiveness) is most important to the process, and why?
Understand IT’s Potential Impact on the Business
After we understand how and what IT resources support the key business processes, the next step in performing the risk assessment is to understand the potential impact to the business if IT is not functioning as necessary. “Impact” can be defined in a number of different ways, some of which are monetary. Other detrimental impacts could include damage to public image, embarrassment, damage to key customer/supplier relationships, non-compliance with regulatory requirements, loss of service, etc. In addition to understanding the nature of the impact, we have to understand its potential severity. Generally, for consistency, we rate potential severity as high, medium or low. However, high/medium/low can mean different things to various clients, or to business units within the same client. Therefore, we must discuss and define the impact ratings with the client before we perform the risk assessment. Questions to ask regarding the potential impact include:
• What are the likely business consequences if the enabling IT does not meet the needs of this business process (e.g., monetary loss, damage to relationships, regulatory non-compliance)?
• If the computer systems were unavailable, how long could the process continue to operate?
• Would a discontinuity in this process halt the functioning of other key processes?
Additional interview questions and business impact templates are included in Appendix C-4.

Understanding Previous Issues
We make additional inquiries of the business process owners to determine whether there have been any previous issues related to availability, confidentiality, integrity, efficiency and effectiveness. Previous issues or situations sometimes highlight existing, potential or uncontrolled risks. After completing our interviews, the information should be summarized into an overall assessment for each business process.
Activity 2.4—Identify the IT Resources and Related Processes

Introduction
In Activity 2.3, we develop a high-level understanding of the entity’s mega and major business processes and supporting IT environment from the business perspective. To complete this understanding, we also identify the specific technology platforms and infrastructure that support the business processes. We obtain entity-level information about the client’s IT environment (e.g., platforms, processing locations) by focusing on those computer applications and technology that support the client’s mega and major business processes. We may identify significant business risks based upon our discussions with the IT resource owners, and if we do, we consider these risks. For example, an entity’s IT strategies may be significantly out of alignment with its business strategies, resulting in a risk that the company’s IT infrastructure cannot support the future processing requirements resulting from the business’s planned growth. Or IT management may be planning significant changes in the infrastructure of which the business process owners are not specifically aware. After documenting the IT resources, the project team needs to consider how the IT processes are implemented to manage the IT resources effectively. The project team should consider the policies and procedures that the IT organization has in place, both formal and informal, to:
• Develop the IT strategy and plans,
• Develop, deliver and maintain the IT infrastructure,
• Operate the IT environment,
• Monitor and control the IT processes.
In addition, it is very important to gather information about whether any significant changes are planned for the IT processes or the IT environment. Discussion with key IT management is critical for learning this information. Additionally, review of the IT strategic plan is helpful in determining the changes that are planned.
Summary of Principal Worksteps
2.4.1 Identify and Document the IT Resources—develop a combined hardware/software map of the IT infrastructure to the organization’s mega and major business processes.
2.4.2 Understand and Document the IT Processes at a high level—develop an understanding of the principal processes that the IT organization uses to meet the business requirements.
Principal Worksteps

2.4.1 Identify and Document IT Resources

In addition to documenting IT from the business process perspective, we identify and document IT resources from the IT organization’s perspective. This assists us in gaining a more complete understanding of the entity’s IT resources and organization. As a result of this workstep, we may also identify additional risks which need to be addressed in our audit plan (i.e., risks that were not previously identified in our interviews of the business process owners). The IT resources to consider include:
People–understanding the IT organization and structure and how it supports the business and IT processes.
Data–understanding high-level data structure, maintenance and administration.
Applications–identifying applications and mapping them to the appropriate business process. Mapping applications to the business processes identifies software concentrations within the business processes and helps us understand how software supports the business. We also map the applications to the supporting technology to identify the interrelationships between critical software and associated hardware platforms. We obtain information such as the name and description of each application system supported, the location of each piece of hardware that supports the respective system, whether the system is purchased or developed internally, and the date of any planned changes. For Ernst & Young LLP external audit clients, this information should already be documented within the Technology Summary forms.
Technology–We document the supporting technology and map it to both the applications and business processes to identify the specific hardware concentrations within business processes and applications. We obtain the name of each piece of hardware and the number of systems on each piece of hardware that support each major business process.
Facilities–understanding the number and location of processing facilities. This may impact our risk assessment and plan of audit.
See Appendix C-5 for sample templates. In addition, this information could be documented in EY/Checkpoint. While we are gathering information on IT resources, we may identify potential areas of risk that weren’t identified during the business impact assessment. Issues to consider include:
• People
− Is the IT organization structure consistent with the business requirements?
− Does there appear to be adequate segregation of duties?
− Do individuals appear qualified?
• Data
− Have there been previous data integrity issues?
− Is data concentrated in one or a few databases, or spread throughout several databases?
• Applications
− Do a few applications support several business processes?
− Are there significant “off-line” or desktop systems in the business units?
− Are applications new or old based on industry comparison?
− Have there been recent implementations or are any planned?
• Technology
− Is the client using the latest technologies or older versions?
− Have there been availability or connectivity issues?
− Have there been recent implementations or are any planned?
− Do a few systems support several applications or business processes?
• Facilities
− Are systems/resources concentrated in a few locations or many?

2.4.2 IT Processes
IT processes normally are a key enabler of an entity’s business processes and often significantly affect how management controls its business processes. Our objectives in this activity are to:
• Obtain a high-level understanding of the client’s IT processes that support the client’s business processes, and consider any business risks we identify.
• Obtain an understanding of, and preliminarily evaluate the design of, the controls related to IT processes that affect our risk assessments for significant business process IT requirements.
To assist us in understanding the IT processes and how they support the client’s business processes, we use the E&Y Information Technology Process Model—A Major Process View. The major IT processes in this model are: Planning the IT Environment, Developing and Delivering IT Solutions, Operating the IT Environment, and Organizing and Monitoring IT Processes. Factors influencing the importance the client places on developing controls in the information technology processes include: the nature, materiality and volume of information processed; the risk to the organization of poor business decisions based on inaccurate or unreliable information generated by the information systems; the presence or absence of manual controls around the IT processes; and the degree of disruption that would occur if the client were forced to operate without certain information systems for any length of time.
Factors which may influence our risk assessment, or indicate potential risk related to certain IT processes, include:
• Level of change expected in the environment (Planning, Developing and Delivering),
• Unusual number of failed projects or amendments after implementation (Developing and Delivering),
• Poor response time or connectivity issues (Operating),
• Above-average IT spending (Planning, Monitoring),
• Significant business changes, e.g., mergers, acquisitions, expansion, downsizing (Planning, Developing and Delivering, Operating).
Activity 2.5–Document Risk Assessment and Validate with Management

2.5.1 Document results/overall risk assessment conclusions

Conclude on the results of the risk assessment in a risk assessment summary. This should include a demographic view of the major processes and their relative risk for each auditable unit. For each auditable unit identified, consider industry/product segment attributes, management’s business objectives, and overall company conduct and goals. The resulting output is an overall risk assessment for each auditable unit that serves as the basis for allocating audit resources and preparing the annual audit plan.

2.5.2 Prioritize risk areas

By applying client environment, business objective and industry attributes, along with the overall experience of the ISAAS professionals participating in the risk assessment, we should be able to prioritize the results of our risk assessment. Additional factors to consider include: financial exposure (i.e., materiality); quality of internal control systems at both the entity level and the application/process level (based on either our preliminary assessment or our understanding from prior experience); changes in management structure; prior audit results; time or significant events since the last audit; and location risk.

2.5.3 Validate with Management

While we perform a number of procedures and assist in the development of the risk assessments as described in this activity, the scope of our internal audit services, the internal audit risk assessment and the frequency of internal audit activities remain the responsibility of the client. Therefore, we present the results of our work to the client management responsible for the internal audit function and discuss its effect on the annual audit plan. Validating the information gathered and the findings produced to date is important to ensure that the client supports the analysis that will be used in finalizing the scope of the risk assessment.
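The mechanics of Stage 2 (the process/CSF matrix of 2.3.2, the impact ratings of 2.3.3, the application and hardware concentrations of 2.4.1, and the prioritization of 2.5.2) can be carried through on a small constructed data set. The following Python script is an added example and is not part of this toolkit or of any firm tool. The processes, critical success factors, ratings, application names and host names are all constructed for illustration; the numeric scale for high/medium/low and the use of CSF score multiplied by IT severity as the priority are assumptions, not a scoring scheme the methodology prescribes (the toolkit leaves the rating definitions to be agreed with the client).

```python
"""Worked example of the Stage 2 risk-assessment mechanics: CSF matrix,
impact ratings, resource mapping and prioritisation. All data below is
constructed for illustration and the scoring scheme is an assumption."""
from collections import defaultdict

# Assumed numeric scale for the high/medium/low ratings agreed with the client
RATING = {"high": 3, "medium": 2, "low": 1}

# Constructed: critical success factors of a hypothetical distributor
CSFS = ("On-time delivery", "Accurate invoicing", "Regulatory compliance")

# Constructed process/CSF matrix (2.3.2): effect of each major process on each CSF.
# A missing CSF means the process has no material effect on it.
PROCESS_CSF = {
    "Order fulfilment": {"On-time delivery": "high", "Accurate invoicing": "medium"},
    "Billing": {"Accurate invoicing": "high", "Regulatory compliance": "medium"},
    "Payroll": {"Regulatory compliance": "medium"},
    "Marketing": {"On-time delivery": "low"},
}

# Constructed IT impact per process (2.3.3): severity if IT fails, and how many
# hours the process could continue to operate without its systems.
IT_IMPACT = {
    "Order fulfilment": {"severity": "high", "max_outage_hours": 4},
    "Billing": {"severity": "medium", "max_outage_hours": 24},
    "Payroll": {"severity": "medium", "max_outage_hours": 72},
    "Marketing": {"severity": "low", "max_outage_hours": 168},
}

# Constructed resource map (2.4.1): application -> processes it supports,
# application -> hardware platform it runs on (hypothetical host names).
APP_PROCESSES = {
    "WMS": ["Order fulfilment"],
    "ERP": ["Order fulfilment", "Billing", "Payroll"],
    "CRM": ["Marketing"],
}
APP_HOST = {"WMS": "as400-01", "ERP": "as400-01", "CRM": "nt-srv-02"}


def csf_score(process):
    """Sum of the rated effects of one process across all CSFs."""
    effects = PROCESS_CSF.get(process, {})
    return sum(RATING[effects[c]] for c in CSFS if c in effects)


def key_processes(threshold=4):
    """Processes whose CSF score meets the threshold, highest first (2.3.2)."""
    ranked = sorted(PROCESS_CSF, key=lambda p: (-csf_score(p), p))
    return [p for p in ranked if csf_score(p) >= threshold]


def concentrations():
    """Software and hardware concentrations (2.4.1): applications that support
    more than one process, and hosts that carry more than one application."""
    shared_apps = sorted(a for a, ps in APP_PROCESSES.items() if len(ps) > 1)
    host_apps = defaultdict(list)
    for app, host in APP_HOST.items():
        host_apps[host].append(app)
    shared_hosts = sorted(h for h, apps in host_apps.items() if len(apps) > 1)
    return shared_apps, shared_hosts


def process_resources():
    """Invert the resource map: process -> set of (application, host) pairs."""
    res = defaultdict(set)
    for app, procs in APP_PROCESSES.items():
        for p in procs:
            res[p].add((app, APP_HOST[app]))
    return res


def prioritize():
    """Overall assessment per process (2.5.2): importance to the business (CSF
    score) weighted by the severity of IT failure, with a flag when the process
    depends on shared software or hardware. Rows are sorted highest risk first;
    ties are broken by the shortest tolerable outage."""
    shared_apps, shared_hosts = concentrations()
    resources = process_resources()
    rows = []
    for p in PROCESS_CSF:
        priority = csf_score(p) * RATING[IT_IMPACT[p]["severity"]]
        shared = any(app in shared_apps or host in shared_hosts
                     for app, host in resources[p])
        rows.append({
            "process": p,
            "csf_score": csf_score(p),
            "it_severity": IT_IMPACT[p]["severity"],
            "max_outage_hours": IT_IMPACT[p]["max_outage_hours"],
            "priority": priority,
            "shared_infrastructure": shared,
        })
    return sorted(rows, key=lambda r: (-r["priority"], r["max_outage_hours"], r["process"]))


if __name__ == "__main__":
    print("Key processes:", key_processes())
    print("Shared applications / hosts:", concentrations())
    for row in prioritize():
        print(row)
```

Running the script lists the key processes from the matrix, the shared applications and hosts, and one row per process in priority order. The concentration flag is what the 2.4.1 questions "Do a few applications support several business processes?" and "Do a few systems support several applications?" are probing: here the ERP application and the host it shares with the warehouse system put three of the four processes on common infrastructure, which is a risk the business-impact interviews alone would not surface.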
Methodology—Stage 3
Stage 3—Prepare Annual IT Audit Plan

Introduction
We assist client management responsible for the internal audit function in developing the annual IT audit plan. The annual IT audit plan is primarily based on the risk assessment developed during Stage 2. It defines the specific IT audits to be performed, how frequently the audits are to be performed (e.g., every one, two, or three years), the scope of the IT audits, the resources required for the projects, and the estimated total hours required to complete the projects. This plan should be reviewed and approved by the appropriate client management. In subsequent years, the audit plan is updated as required to reflect significant changes in the client’s risk profile resulting from changes in the client’s business operations, changes in IT infrastructure or processes, changes in client needs or regulatory requirements.
Summary of Stage 3 Activities
In order to prepare the IT Audit Plan, we perform the following activities:
3.1 Understand Management’s Audit Coverage Expectations, to help select areas for evaluation.
3.2 Prioritize Audits, and develop the audit strategy, preliminary budget and timeline.
3.3 Understand Engagement Economics, to determine the total available resources and hours for the overall engagement based on the specifications set forth in our engagement letter.
3.4 Agree the Audit Plan with executive management of the client.
Summary of Stage 3 Deliverables
After completing this stage, the following documents should be developed:
• Summary of Areas to be Audited
• Preliminary Budget and Timeline
• Plan of Resources / Skill Sets Needed
Examples of these documents are located in Appendix D.
Stage 3 Activities

Activity 3.1
Understand Management’s Expectations Regarding Risk Coverage
Management’s expectations regarding our IT audit coverage are a critical component in deriving our preliminary audit plan. Based on the information obtained in Stage 1–Co-Develop Expectations and Stage 2–Conduct Risk Assessment, we have obtained information from management regarding their risk tolerance and the processes that impact the critical business objectives of the organization. The next step is to co-develop a preliminary audit plan that meets management’s expectations and aligns our IT audit resources to those processes that present higher risk to the objectives of the organization. This information is best obtained by making specific inquiries of management. We incorporate the feedback from these inquiries into our audit plan for the following reasons:
• The preliminary IT audit plan must be co-developed with management, as they are ultimately responsible for the internal audit function and have engaged us to provide internal audit services to their organization.
• The nature and scope of our work is determined solely by agreement between the client and the engagement team, and generally the work is performed for the benefit of the client.
• Management serves as the liaison between the internal audit function and the management of the organization, external auditors, regulators and other third parties, whose needs/requirements impact the audit plan.
• Management’s expectations regarding audit coverage will have an impact on the prioritization of audits when allocating IT audit resources.
• The results of the IT risk assessment should complement management’s assessment of risk, which will drive the audit areas selected for the current year’s audit plan.
• Management may expect the audit plan to incorporate areas of lower risk, or procedures performed for external auditors or regulators.
Since the preliminary IT audit plan needs to be co-developed with management, the following questions should be asked to help us obtain a sufficient understanding of the client’s expectations regarding audit coverage:
• How much risk exposure are you willing to accept?
• Which audits will be performed on an annual basis or for the current year?
• Are there any audits which can be cycled, and what frequency best fits management’s comfort level (audit coverage for the moderate and lower risk areas)?
• What amount of audit hours needs to be allocated to fulfill the needs of external auditors, regulators or other third parties?
Although the client may expect us to determine the answers to some of the above questions, especially for integrated audits, we should ask if they have any specific expectations in these areas.
Activity 3.2
Prioritize Audits

3.2.1 Select Projects to Perform
After we understand management’s expectations regarding risk coverage, we assist client management in selecting and prioritizing the IT audits to be performed. The following points influence our decisions during this process:
• prior year internal audit plan and risk coverage;
• external audit plan and integration requirements;
• management’s expectations regarding the audit coverage;
• results of the risk assessment process;
• previous audit results;
• third party expectations;
• geographical locations of projects;
• client requests to include resources for discretionary projects;
• resource availability; and
• estimated engagement profitability.
With the above information, we begin the process of building the audit plan.

3.2.2 Identify Management’s discretionary projects
Management may also have requested that the internal IT audit plan set aside some time for the performance of management-determined projects. Examples of these types of projects include system conversion procedures, participation in Year 2000 status meetings, etc. Usually management indicates that a percentage of budgeted hours or a fixed number of hours is to be designated for such projects. These resource needs are typically set aside first when putting together the audit plan, with the remaining resources then allocated appropriately. As these projects are hot buttons of management, we assign a high priority to allocating resources for these needs.

3.2.3 Developing the audit strategy and preliminary budget
At this point, our prioritization of projects is complete. The next step is to develop an audit strategy and preliminary budgets and timetables. We build the budget by developing high-level workplans for each project and estimating the time to complete the procedures. As the individual audits can incorporate a number of different services and require different skill sets, we consider the number of hours required for different skill sets and levels. For example, a Year 2000 review would require more experienced resources than an operating system security assessment using one of our automated tools. Although we are not creating detailed budgets in this phase, we still consider the nature, the risk and the relative skill sets needed for the individual audits in developing the preliminary budget. We then allocate the types and levels of resources required for each audit based on these preliminary budgets. We include the timeframe for each project within our budgets to ensure that resources are appropriately scheduled and client conflicts are detected early. A sample Annual Audit Plan template is located in Appendix D-1 to assist in documenting the audits to be performed during the year.
Activity 3.3
Understand Engagement Economics
While the scope of the annual IT audit plan must be responsive to management’s risk coverage expectations and needs, the plan also should be equally responsive to engagement economics. After completing the preliminary audit plan and determining the staffing mix for the engagement, the executive on the account will be able to compute the estimated profitability of the engagement and determine whether or not the returns fall within the desired profitability thresholds. One of the firm tools, the Engagement Planning Tool (EPT), can be used to help in the planning process to determine profitability and the appropriate staffing mix. Other templates or matrices can also be used to assist in initially pricing work as well as estimating the profitability of the engagement (see examples in Appendix D-2). There are no defined profitability measurement thresholds, as each engagement has unique characteristics that must be taken into consideration. However, early detection of potential unfavorable engagement economics gives the engagement executives the opportunity to re-challenge the timing, staffing, and scope of services delivered in the preliminary audit plan over the contractual period to enhance the engagement economics. If the results are not acceptable, the engagement team revisits the preliminary audit plan to determine alternate strategies to develop an audit plan that takes the following into consideration:
• Management’s expectations regarding audit coverage;
• The results of the risk assessment;
• Contractual fees;
• The engagement’s desired profitability threshold.
If our desired profitability thresholds are not met, alternative strategies to improve the estimated engagement economics could include:
• Re-challenge the frequency of our lower and moderate risk audits;
• Revisit the staffing mix;
• Request management to allow us to bill administrative expenses and out of pocket expenses, if not included in the contractual fees.
Activity 3.4
Agree Audit Plan
As discussed in Activity 1, the nature and scope of our work is determined solely by an agreement between us and the client. Therefore, it is critical that we have incorporated management’s concerns into the preliminary audit plan presented. We walk through the factors and thought process that were taken into consideration in building the plan. Modifications to the audit plan are made based on the feedback received from the client. Formal approval of the audit plan is typically gained before executing any of the projects outlined in the plan. The audit plan should be updated at a minimum on an annual basis to reflect changes in the client’s risk profile resulting from changes in the client’s business or operations. In addition, as events and circumstances occur that affect the client’s business objectives, management may request that we reallocate our audit hours to address certain areas, which may modify the current year’s audit plan. Any changes made to the audit plan should be immediately communicated to and approved by appropriate management.
Methodology—Stage 4
Stage 4—Execute Audit Plan
Introduction
After performing the risk assessment and developing an audit plan, we must execute the plan. When performing IT Internal Audit Services, our client has engaged us to report on the adequacy of the control environment within the business processes, IT processes or other specific areas. The execution of the audit plan provides the value of our Internal Audit Services. Because the execution of individual audits will vary by client and scope, we cannot provide detailed workplans for each situation. Therefore, this section and the principal activities should be used as a framework for executing each step of the audit plan.
Summary of Stage 4 Activities
In order to execute the IT Internal Audit Services engagement properly, we identify several activities to guide the team through the planning of the project to reporting the results to the
4.1. Scope the IT audit project to provide clear guidance to the audit team and ensure there is a common understanding of the project.
4.2. Understand the IT audit areas (major business process, IT process, application, etc.) included within the scope of the engagement.
4.3. Identify and assess risks around the processes that could cause an organization’s objectives not to be achieved.
4.4. Identify and evaluate controls to give an initial assessment on their effectiveness at preventing or detecting risk.
4.5. Design testing strategy and perform tests of controls to evaluate the effectiveness of the controls.
4.6. Conclude and report our findings and recommendations.
Summary of Stage 4 Deliverables
After completing this stage, the following documents should be developed:
• Scope Document
• Detailed Project Plans
• Detailed Documentation
• Issues Summary
• Detailed Findings and Recommendations Reports
• Client Satisfaction Feedback
Examples of these documents are located in Appendix E and the ISAAS Workbench.
Stage 4 Activities
Activity 4.1
Scope the IT audit project
4.1.1 Revisit Original Risk Assessment
During the Risk Assessment activities, sufficient understanding of the organization’s business processes, IT processes and supporting technology was obtained to identify the significant inherent risks that would cause the organization’s business objectives not to be achieved. We should use this information to help us scope the IT audit engagement. For example, we will be able to identify critical success factors, IT resources (data, application systems, technology, facilities, people), critical sub-processes and high-level controls from our Risk Assessment that will be important to properly scope the engagement. This information should be revisited and assimilated prior to meeting with client management to develop and agree the scope of the audit. It should be the basis of discussions during this scoping meeting.
4.1.2 Revisit Audit Strategy
When developing the scope of the IT audit project, also revisit the audit strategy developed within Stage 3 Prepare Annual Audit Plan, as this will provide initial direction for the scope. A high-level audit strategy will have been developed, documented and agreed with client executive management during this Audit Planning process. Our strategy may have outlined:
• The nature of the audit, e.g. high-level process wide review or detailed risk and control analysis in a particular part of the process.
• Which sub-processes were to be the focus of the IT audit.
• A particular part of the process that executive client management wants included or excluded from the scope.
• Any additional work necessary to meet integrated audit requirements.
4.1.3 Develop Preliminary Audit Scope and Meeting Agenda
Using our high-level process understanding and the audit strategy, a preliminary IT audit scope should be developed to detail:
• Areas, such as the major process and associated sub-processes, hardware and software, to be included in the IT audit.
• Nature of the audit work to be performed.
• Timescales and protocols for the IT audit.
• Who will perform the IT audit.
An example scope document can be found in Appendix E-1. (Depending on the nature of our fee and billing arrangements, we may choose not to include budget and hour information.) As we are required to meet with management to develop and agree upon the IT audit scope, it would be pertinent to develop an agenda for the meeting.
The agenda will differ from client to client and from audit to audit; however, it should generally cover the following areas:
• Attendee introductions;
• Purpose of the audit;
• Changes in the environment since initial risk assessment;
• Proposed scope of engagement;
• Additional changes required in the proposed scope;
• Requirements of the client;
• Key client and Ernst & Young contacts;
• Timing of review and deliverables;
• Questions and concerns of management.
4.1.4 Meet with Client Management
The agenda should be briefly discussed and agreed at the beginning of the meeting. From this meeting, we should have an initial agreement on the project-level expectations regarding the audit scope, specific deliverables and communication protocols. During the meeting, we also identify any issues or conflicts in the organization that could hinder the efficiency or effectiveness of the audit project. The meeting should also be used to gain an understanding of management’s risk and control awareness. Although this may not be directly “audited” or “reported”, it will provide useful insight when undertaking the audit.
4.1.5 Finalize IT Audit Scope
Update/Prepare Project Plan
Prior to performing the risk assessment, we should have obtained a signed Letter of Understanding from the client. If we have not obtained this document, we must prepare a Letter of Understanding before commencing our work. See the discussion of the Letter of Understanding in Stage 1 - Co-develop Expectations with Client. For each specific audit project, we should update or develop a project plan which should include the following:
• Major process and associated sub-processes or specific area to be included in the IT audit.
• Anything that will be excluded from the audit.
• Nature of the audit work to be performed.
• Fieldwork start and completion dates.
• Draft and final reporting protocols and deadlines.
• Who will perform the audit.
This document should be shared with Client Management to ensure that all expectations are consistent.
Confirm Required Resources
Depending on the size of the IT audit engagement, members of the project team may perform various roles in executing fieldwork. A planning meeting should be held with the audit team members to plan the audit and agree roles and responsibilities. We also will outline the budget for the review and provide team members with performance expectations and goals. We may want to hold a team orientation meeting to discuss the details of our project plan and role assignments. This meeting would provide the team direction on the objectives, scope, and timing of the project.
Activity 4.2
Understand the IT audit areas
4.2.1 Revisit Risk Assessment
During the Risk Assessment activities, sufficient understanding of the organization’s business processes, IT processes and supporting technology was obtained to identify the significant inherent risks that would cause the organization’s business objectives not to be achieved. This understanding should have been updated to reflect discussions undertaken during Activity 1 - Scope Audit Project. It is necessary to determine the level of further analysis that is required to develop a full understanding of the risks and related controls, to ensure that the time allotted for the audit project is not spent inefficiently, e.g. documenting a process to an unnecessary depth of detail. We may develop a high-level plan around what further information is required for us to obtain our understanding. Essentially, we are required to understand how the process or control area actually does what it has been designed to do and how it achieves its objectives.
4.2.2 Acquire Information from Client Management and Staff
Having developed a plan outlining what additional information is required, we need to interview appropriate client personnel for us to obtain the additional information which was outlined above. It is likely that more than one meeting will be required to fully develop our understanding to the appropriate level. In recognizing this, it is important that a top-down approach is taken to these meetings, e.g. meet with management first, before moving to the staff. We must also always be cognizant of tests of controls that can be performed at the same time that we are obtaining our high-level understanding. We will typically be required to go back to these individuals; however, it will be more efficient to test some controls at the same time we are obtaining our high-level understanding.
4.2.3 Document Understanding
To facilitate identification of risks and controls and to confirm our understanding of the major process and associated sub-processes, we should document our understanding of the processes. Caution must be used when doing this as it can be unnecessarily inefficient to document too much detail or to try to perfect our understanding. When reviewing IT processes, we can document our understanding using the Documentation of IT Controls form used as part of the Ernst & Young Audit Methodology. Efficiencies will be gained in integrated audits by using these external audit forms and templates. In addition, we need to consider other audit process considerations which may be beneficial in an integrated audit. Normally accepted methods of capturing our knowledge include process diagrams, narrative notes, as well as control analysis forms (CAF). Firm tools such as Permit and the ISS toolkit are also acceptable. There are significant benefits to both E&Y and our clients, if we capture this information in a consistent manner/structure.
Process Flow Diagrams
There are a number of diagramming techniques available to document processes. One of the most commonly used is process data flow diagramming. An example process flow diagram can be found in Appendix E-3. Even where diagrams are used, some supporting narrative notes will be required to supplement the diagrams. Typically, information on objectives, critical success factors and key performance indicators should be documented in narrative style.
Narrative Notes
When documenting our understanding of the audit area, it is important to structure the narrative notes. Information that may need to be included (as applicable) in the narrative notes includes:
• Purpose
• Objective
• Critical success factors and key performance indicators used to monitor these factors
• Process Beginning
• Inputs - what data is used by the process and what is the data source
• Key Transformations that take place with the data received
• Outputs - what data is passed from the process and where does the data go
• Process Ending
• Supporting Information Technology systems
• Reliance on human resources
See an example document in Appendix E-4.
Activity 4.3
Identify and Assess Risk
4.3.1 Identify Risks
The amount of work to be performed depends on the extent and nature of the risks identified during the IT Risk Assessment process and updated during the scoping of the audit.
Review Known Risks
The first step in identifying the risks is to review the risks already identified for the process or sub-processes. Analyze these risks with respect to the business objectives, process objectives and critical success factors to determine whether any further high-level risks may exist.
Identify Additional Risks
Using your understanding (process flow diagrams or narrative notes), specifically the inputs, outputs, key transformations, how IT enables the process and how people enable the process, identify what risks could cause the objectives not to be achieved, by asking:
• What will prevent achievement of the objectives, or what must go right?
• What can go wrong which could prevent the process or area under review from achieving the business requirements?
• Could any external events affect the process?
4.3.2 Assess Risks
After identifying the most significant risks, we must assess the risks to help us focus on identifying controls for the higher risk areas. To do this, we consider both the impact and likelihood of the risk arising to help us prioritize the controls which will be identified and reviewed. For example, if the control objective is to ensure continuous service that satisfies the business requirement, we may have identified “unavailability of computer systems due to damage by fire” as a risk. For most organizations, the impact of a fire in the computer facilities will be high, as the business could be seriously damaged. The likelihood of a fire, however, will be lower, as such an event is not likely to occur. Due to the high impact of the risk, we may assess the overall risk as high. Therefore, we will want to prioritize our work to ensure we identify and evaluate the controls which help reduce the likelihood of the risk, as well as the recoverability controls in place in the event the risk occurs. Once we have assessed the risks identified, it is important to discuss and agree these with management.
4.3.3 Agree Risk Assessment With Management
Depending on the size of the engagement and the depth of the identification of risks, we may want to consider agreeing the existence of the risks identified and our assessment of each risk with management.
Agree Risks Identified
Discuss with management, or arrange for management to review, each of the risks identified and obtain agreement that the risk exists. Where management disagrees with the risk, draw their attention to our process understanding and explain the logic for deriving the risk.
Agree Risk Assessment
Discuss and outline inherent risk, e.g. the worst possible impact and likelihood of the risk, irrespective of any control that management may have. Walk through each risk, discussing the rationale for the likelihood and impact selection, and get management’s agreement. Listen very carefully and assess any differences of opinion that management may have regarding the risk. Where our assessment is incorrect, based on management’s “argument”, adjust the assessment accordingly.
Activity 4.4
Control Identification and Evaluation
4.4.1 Identify Controls
Management incorporates into its processes various control and monitoring activities designed to manage risks to ensure that objectives are achieved and to alert them to areas where they are in danger of not achieving their objectives. Our objective becomes to identify the controls in place over the identified risks (as appropriate). We may have already identified the controls in place in previous activities. For example, during Activity 2 - Understand the IT Audit Areas we may have already documented controls in place. If further information is needed, additional walkthroughs may be necessary to ensure that controls have been identified. To perform a walkthrough, we would follow a transaction or control through the process to ensure that our understanding as to the intended functioning of the control procedure is correct and document the process and results. At this point, we may want to meet with the appropriate process owners to confirm the completeness and our understanding of the key controls. The information we gain about controls during our inquiries of client personnel should be detailed enough to enable us to identify the controls, understand how the various controls are performed, who performs them, and what data, reports, files, or other material are used in performing them. Furthermore, we determine what physical evidence, if any, is produced as a result of performing the controls and what the best method is for testing the controls. Once we have identified the controls, any required testing of the effectiveness of the procedures can begin.
4.4.2 Evaluate Effectiveness of Controls
Evaluate Individual Controls
From our understanding and/or walkthroughs, we may have enough information to initially evaluate the individual controls. Therefore, before performing additional tests of controls, we evaluate whether the process and related controls identified are likely to be effective in achieving the relevant objectives. Consider each risk in turn and evaluate each control that has been identified as mitigating the risk. Consider the effectiveness of the control in respect of the likelihood or impact of the risk:
• Does the control prevent or detect the risk?
• What is the nature (manual or IT) of the control?
• Is the control effective, and if this control was the only one operating, would it mitigate the risk in its own right?
• Is the control effective, but only when it operates in conjunction with other controls?
• Is the control ineffective at mitigating the risk?
Evaluate Combination of Controls Over Each Risk
Having identified and evaluated individual control effectiveness, consider how effective the combination of controls is over each risk. This is achieved by considering the mix of controls, their respective effectiveness, type and nature. Attempt to identify any scenarios where the risk could occur, even if the controls operate effectively.
Optimal Control Mix
Even if the controls are effective, they may not be the most efficient or effective controls possible. View the controls over the risks to consider if a more efficient and effective way of providing the same (or better) coverage over the risk exists.
4.4.3 Raise Issues and Agree with Management
In making our preliminary evaluation, we may identify certain weaknesses in the design of controls that we should bring to management’s attention. Even though we may identify additional issues regarding the operation of controls in Activity 5 - Design Testing Strategy and Perform Tests, we may bring issues to management’s attention as they are identified. To facilitate this communication, we may use an Issue Summary template (see example at Appendix E-5) to document the issue, develop our recommendation to improve the design of the control, and communicate the issue to management for follow-up and corrective action. We also need to consider communicating issues to the integrated audit team, specifically the external audit team when issues may impact our evaluation of risk and controls related to the financial audit. However, client management should be consulted prior to any communication of issues to the financial or external audit team.
Activity 4.5
Design Testing Strategy and Perform Tests
4.5.1 Develop Audit Program
Depending on the scope of the audit engagement and our evaluation of the effectiveness of controls, we may need to design and perform tests of operating effectiveness. If we will be designing tests of controls, it is important to develop an audit program to ensure that we are evaluating the controls which we preliminarily evaluated as effective over the significant risks and that we perform the most efficient and effective tests. The audit program will also outline the specific tasks and give guidance to all members of the engagement team. Specific workplans can be found within the ISAAS Workbench - ISAAS International Knowledge Network, which can be customized depending on the client and scope of the engagement.
Determine Which Controls to Test
In Activity 4 - Control Identification and Evaluation, we already evaluated the effectiveness of controls at mitigating risk. Judgment is required when determining which controls to test. If a control is preliminarily deemed effective at mitigating risks, then the only factor that would cause a control not to be tested is whether the risk is considered insignificant. Typically controls over low significance risks will not be tested. Ineffective controls are also typically not tested. Even though we are not testing ineffective controls, we will want to ensure we have all relevant information regarding the process to provide meaningful client service recommendations. Therefore, additional conversations may need to occur with the client to ensure all mitigating controls have been identified and that our understanding of the control procedures is appropriate. If we are performing an integrated audit, external audit requirements will also impact which controls we need to test. During Stage 1 - Co-Develop Expectations, and throughout the engagement, we should communicate with the external audit team regarding their control identification, evaluation and testing needs.
Nature of the Tests
Determine the most efficient and effective technique to apply in our testing. Inquiry is usually not a sufficient test of a control and must be accompanied by an additional type of testing.
The following matrix briefly describes the types of tests we perform:

Type of Testing: Re-performance
Explanation: Re-performing the actual control procedure to compare our results with the client results obtained and actions taken by management.
Advantages: Precision.
Disadvantages: Time-consuming and, unless errors are discovered which were not detected by management, does not necessarily produce high quality evidence.

Type of Testing: Verification
Explanation: Tracing items to source documentation for evidence of control operation.
Advantages: Can be focused onto potential problem areas.
Disadvantages: May be difficult to obtain independent and reliable evidence.

Type of Testing: Observation
Explanation: Observing the operation of a control. This is particularly important where there is no permanent record of activities.
Advantages: Direct evidence of the operation of control procedures is obtained.
Disadvantages: Based on a single point in time and may not be representative, as the control may be applied more rigorously for the auditor’s benefit.

Type of Testing: Inquiry
Explanation: Discussing through corroborative inquiry how the control is performed, who performs the control, and what procedures are in place to ensure the control operates effectively.
Advantages: Tests the understanding of the individuals who perform the control.
Disadvantages: Little supporting evidence produced.

Type of Testing: Analytic Procedures
Explanation: Data interrogation techniques can be used very effectively for large volumes of transactions or data.
Advantages: Often more efficient than re-performance and verification. Can cover entire population.
Disadvantages: May be difficult to obtain correct data and time consuming to create necessary analysis.
The audit program should be reviewed by the engagement manager prior to commencement of the testing.
4.5.2 Execute Tests
Our tests should be executed in accordance with the defined Audit Program. The objective of each test is to determine that the control operates as understood. It is crucial when testing the control to continually challenge - “could the risk arise, with this control operating as the test indicates?” When performing each test, ensure that sufficient and reliable evidence is obtained that the controls have operated efficiently and effectively.
Control Exception or Failures:
Situations may arise in the testing that indicate the control being tested did not operate as intended. There are 3 steps to deal with control exceptions:
Step 1 - Understand the Nature of the Control Exception
Discuss the control failure with the person who performed the control or management of the process to understand the nature of the failure:
• Is the failure factually accurate?
• Is it isolated or recurring?
• Does it apply to the entire population or a particular subset?
• Does it apply to a particular period of time?
• Is the failure one of performance or documentation?
Step 2 - Extend Testing
Typically the control sample should not be extended, other than to verify the explanation provided when following up the failures with the client. There may also be value in extending the control sample to determine the impact of the failure.
Step 3 - Consider any Compensating Controls to Address the Risks
Revisit each risk that the control operates over and identify if other controls will compensate for the control failure. If there are compensating controls that provide coverage of the risk, consider performing some control testing of these controls.
4.5.3 Evaluate Results
Having completed the control testing, conclude as to whether the control operates effectively in respect of each risk that the control mitigates.
4.5.4 Communicate Issues
We previously co-developed expectations with the client and outlined the communication protocols. One of the topics which should have been determined is the process of communicating any issues found. We need to ensure we properly document and present issues to management based upon their expectations.
Issue Summary
Where controls are tested and exceptions or testing failures were found, an Issue Summary should be developed and discussed with appropriate client personnel. The discussions are critical to ensure confirmation of the factual accuracy of the issues. This also ensures that the client has communicated all mitigating controls for each risk. See an example Issues Summary in Appendix E-5.
Present Issues to Management
Issues identified should be presented to management, for example through a meeting. Where there is a disagreement regarding factual accuracy, the conversation should center around the risk and whether there are any other controls in place over the risks that may have been missed. As part of our final deliverable, we will develop the issues into recommendations for management to consider.
We also need to consider communicating issues to the integrated audit team, specifically the external audit team when issues may impact our evaluation of risk and controls related to the financial audit. However, client management should be consulted prior to any communication of issues to the financial or external audit team.
Activity 4.6
Conclude and Report
4.6.1 Perform final working paper review
The final working paper review is critical to the preparation of a quality audit report. The review is used to determine if the working papers were prepared in accordance with ISAAS Policies and Procedures and AICPA Consulting Standards, and if they support the scope of the audit, the work performed, and the conclusions of the audit. Although working papers are reviewed throughout the project, a final working paper review should be performed. The workpaper review must be performed by, at a minimum, the Manager on the engagement. (See further discussion of working paper review standards in the ISAAS Policies and Procedures Workbench in Lotus Notes.) The purpose of the final working paper review is to determine that:
• the work performed was in accordance with the scope as defined in the Letter of Understanding and detailed in the audit program;
• the scope of our internal audit work is sufficient to support the audit report;
• the internal audit work has been performed in accordance with professional and firm standards;
• the significant judgments and conclusions for the audit were appropriate;
• the work performed, the results, and conclusions are adequately documented;
• the work performed, the results, and conclusions support the findings and recommendations included in the audit report.
Evidence of this review is documented on the Review and Approval Summary for Consulting Engagements. This form and discussion on working paper review requirements can be obtained in the ISAAS Policies and Procedures Workbench.
4.6.2 Draft report of findings and recommendations
Based on the results of procedures performed and as documented in the Issues Summary, we draft an appropriate report of our findings and recommendations. Our findings and recommendations report typically includes the following:
• Finding(s)
• Background information as to the finding (optional)
• Impact or risk of the finding(s)
• Recommendation(s), including proposed corrective action or improvement agenda
• Issues for implementing the recommendation (optional)
• Benefits to be derived from implementing the recommendation
• Management response (optional)
The format of the report should follow the expectations co-developed with the client prior to the engagement. Sample reports can be found in the ISAAS Knowledge Network.
4.6.3 Conduct closing meeting with the client
We meet with the client to discuss the results of the audit project as well as the draft report. This closing meeting provides us with an opportunity to demonstrate to the auditable unit’s management the value we provided while performing our audit.
4.6.4 Issue final report
We incorporate any mutually agreed changes to the report resulting from the closing meeting. We issue our final report to client management based upon the communication protocols established in Stage 1 - Co-Develop Client Expectations. For integrated audits, we make our final reports available to the external audit team for information and coordination purposes.
4.6.5 Obtain Client Satisfaction Feedback
We assess the client’s perception of the quality of our services by obtaining formal and informal feedback on our work. Obtaining immediate feedback regarding whether we met expectations is important in helping us assess areas where we have met or exceeded client expectations, as well as areas where we may need to improve. If we use a formal client satisfaction survey, it ordinarily should be short and easy to complete and be quantitative in nature so that we can consistently measure our overall performance. See an example feedback template at Appendix E-6.
4.6.6 Update the Risk Assessment
Based on the results of the audit project, we update the risk assessment of the applicable auditable unit and/or process initially made in Stage 2 - Risk Assessment. In updating the risk assessment, we consider the results of the audit and their effect on subsequent risk assessments. We also consider what effects, if any, the results have on the external audit considerations. For integrated audits, appropriate documentation and reports should be distributed to the external audit engagement team.
4.6.7 Perform Project Administration
At the end of each project, the project manager is responsible for completing certain project administration tasks. These include, but may not be limited to:
• Performing a budget to actual analysis for the individual project with an explanation of any overruns.
• Ensuring that the workpapers are complete, that review comments have been removed and that workpapers are appropriately logged and filed.
• Ensuring that any overall status reports or issue tracking mechanisms in place are appropriately updated.
• Ensuring staff receive performance reviews.
Methodology—Stage 5
Stage 5: Communicate Results
Introduction
During Stage 1—Co-Develop Client Expectations, we agree on protocols for communicating our audit results to client management responsible for the IT internal audit function, executive management and the Audit Committee. On larger engagements, we may meet the Audit Committee periodically. At a minimum, executive management must formally approve the Risk Assessment (Stage 2) and Annual Audit Plan (Stage 3) prior to executing a substantial portion of the audit plan. Throughout the year, we communicate the status of executing the audit plan and a summary of the results of our audit projects, including significant findings. We use our value scorecard to communicate the value provided to the client in performing our audits.
Summary of Stage 5 Work Activities
5.1 Understand communication protocols agreed with executive management and the audit committee during the co-develop client expectations meeting.
5.2 Prepare for executive management/audit committee meetings.
5.3 Communicate results to executive management/audit committee, including the value we have delivered.
5.4 Complete the relevant quality control procedures to be performed at least annually (if any).
5.5 Complete billing procedures.
Stage 5 Activities
Activity 5.1 Understand Communication Protocols
The type and frequency of communication with executive management and the Audit Committee is developed during Stage 1—Co-Develop Client Expectations. The following is a list of considerations, along with suggested timing, for meeting with executive management and the Audit Committee:
• We typically meet with executive management and the Audit Committee periodically throughout the year, along with client management responsible for the internal audit function, to report on the status of our work and to communicate significant findings.
• Client Service Charter (Stage 1)—We discuss client expectations at least annually at the FY Q1 meeting.
• Risk Assessment (Stage 2)—We review the annual risk assessment of the organization, which is the basis for establishing the annual audit plan (typically FY Q3 meeting for the following year’s audit plan).
• Annual Audit Plan (Stage 3)—We assist client management responsible for the internal audit function in obtaining formal approval of the audit plan annually (typically FY Q4 meeting for the following year’s annual audit plan). On a quarterly basis, any significant changes to the annual audit plan are reviewed and approved by executive management and the Audit Committee.
• Status of Audit Plan—We review the status/completion of the annual audit plan at each meeting.
• Summary of Audit Results—We provide executive management and the Audit Committee a summary of our significant audit findings. We agree with the client the type of summary findings and recommendations they would like us to prepare, as well as any other desired special communications.
• Value Scorecard—We present our value scorecard to communicate the value we have provided to the client through our services. Possible categories of value include: idea generation, project assistance, revenue enhancements, cost savings, and time savings. A sample Value Scorecard template is included in Appendix B and is provided electronically in the IAS PowerPack.
Activity 5.2 Prepare for Executive Management/Audit Committee Meetings
In order to increase the effectiveness of meetings with executive management and the Audit Committee, we need to be well prepared to meet our client’s expectations. Although the agenda for these meetings is agreed with the client, a sample Audit Committee calendar documenting various discussion topics for quarterly meetings is included in Appendix F. Due to the importance of these meetings, we should plan and budget for adequate preparation time. In some situations, we need to perform a significant number of activities prior to the meeting, such as sending meeting notifications, making meeting arrangements, gathering presentation handouts from other meeting participants, preparing our own materials and distributing these materials in advance of the meeting. Preparing for the Audit Committee requires direct participation of executives and coordination with client management responsible for the internal audit function. In addition, we ordinarily provide the appropriate client executive management with a copy of our presentation materials prior to distributing them to the Audit Committee.
Activity 5.3 Communicate Results
We meet to present and discuss the material described in principal Activity 1 with executive management and the Audit Committee on a periodic basis. The executives attending the meetings with executive management and the Audit Committee should be familiar with our audit results and be prepared to answer questions regarding the scope of our work, our findings and recommendations. Ordinarily, we also discuss the value we have provided, as documented in our Value Scorecard. We should be responsive in following up on client requests coming out of the Audit Committee meeting and request them to provide suggestions for future meeting presentation topics.
Activity 5.4
Complete the Relevant Quality Control Procedures
We complete the applicable quality control procedures described by the Internal Audit Services—Policies and Procedures Manual and the ISAAS Policies and Procedures Workbench, if any.
Activity 5.5 Complete Billing Procedures
During Stage 1 - Co-Develop Expectations, we discussed fee and billing arrangements with executive management. For example, for some fixed-fee arrangements, the client may request even billing throughout the year, while others may request billing on a percentage of completion basis. Regardless of the billing method, we should prepare and submit the bills on a timely basis to ensure that we are properly managing cash flow and our receivables balance.
Appendix A-1
IT Internal Audit Services Project Routemap
Major Stages & Activities with Deliverables*

Stage 1: Co-develop Expectations with Client
Activities:
• Understand the client’s needs
• Understand the client’s business at a high level
• Determine the scope of the engagement and risk assessment methodology
• Determine deliverables and obtain agreement from the client
• Develop fee estimation and define client billing procedures
Deliverables:
• Strategy Memorandum
• Fee estimation for risk assessment
• Letter of Understanding
• Client Assistance Listing
• Relationship and communication protocols
• Value Scorecard

Stage 2: Conduct Risk Assessment
Activities:
• Plan the risk assessment
• Understand the client’s business goals, strategies, and critical success factors
• Develop understanding of the mega and major business processes
• Develop understanding of IT resources and related IT processes
• Validate our understanding of IT and risk
Deliverables:
• Summary of business goals, objectives and mega and major processes
• Summary of how IT supports the business
• High-level IT Process documentation
• Risk Assessment

Stage 3: Prepare Annual IT Audit Plan
Activities:
• Understand management’s audit coverage expectations
• Prioritize audits
• Understand engagement economics
• Agree audit plan with client
Deliverables:
• Plan of resources / skill sets needed
• Summary of areas to be audited
• Preliminary budget
• Preliminary timeline

Stage 4: Execute Audit Plan
Activities:
• Scope the IT audit project
• Understand the IT audit areas
• Identify and assess risks
• Identify and evaluate controls
• Design testing strategy and perform tests
• Conclude and report
Deliverables:
• Scope document
• Detailed project plans
• Detailed documentation
• Detailed findings and recommendations reports
• Client satisfaction feedback

Stage 5: Communicate Results
Activities:
• Understand communication protocols
• Prepare for meeting with Executive Management or Audit Committee
• Meet with Executive Management or Audit Committee
• Complete relevant quality control procedures
Deliverables:
• Summary reports to Executive Management or Audit Committee

* NOTE: Internal deliverables are in italics; all others are external.
Privileged and Confidential. No part of this may be reproduced or transmitted without permission of Ernst & Young LLP.
Appendix A-2 IT Risk Assessment Framework
Overview
The purpose of this appendix is to explain the elements of Ernst & Young’s IT Risk Assessment Framework. This appendix should be used as a reference tool in executing the IT Internal Audit Services Methodology, particularly Stage 2 - Conduct the Risk Assessment. As noted in Stage 2 - Conduct Risk Assessment, risk management and risk assessments are based not only on the control objectives of a company, but also on the business objectives. Therefore, our IT Risk Assessment approach includes the following key elements:
• Understanding the business, the business process requirements and the business impact of IT (Stage 2, Activities 2 & 3)
• Understanding how and what IT resources have been implemented to support the business processes (Stage 2, Activity 3)
• Understanding how the IT processes are implemented to manage the IT resources (Stage 2, Activity 4)
This approach can be summarized in the following diagram:
Our methodology combines the three elements of an IT risk assessment within the delivery concepts of CobIT. The risk assessment approach includes a business requirements assessment, to assess the overall business risk environment, along with an IT resource and IT process assessment. The IT resources and processes are then mapped to the business processes, so that the auditor can combine IT and business processes into a single view. Based on the results of the assessments and experienced auditor judgment, a risk assessment is completed. The risk assessment is then leveraged into Stage 3 - Prepare the Annual IT Audit Plan.
What are Business Goals & Objectives?
Management establishes goals for a business or business unit(s) to satisfy its key stakeholders’ influences. Examples of goals include:
• Earning high returns for its investors.
• Increasing value for its shareholders.
• Delivering quality and value to its customers.
• Developing productive relationships with its suppliers.
• Providing a secure and rewarding environment for employees and management.
• Earning the respect of the community in which it operates.
Goals are multi-faceted and may not be easily quantifiable. To be effective, many clients translate their goals into a set of objectives that are specific, measurable, and attainable over a realistic period of time. The business’ objectives depend on the markets in which it operates and other environmental factors, in addition to stakeholders’ influences.
[Figure: Goals → Business Objectives, which are Specific, Measurable, Attainable, Realistic, Timely]
What are Business Strategies?
After defining goals and objectives, management generally develops and implements a strategic plan to achieve them. A successful strategic plan helps to realize significant opportunities for the business. Strategies are generally built around an understanding of the markets in which the client operates and its competitive position in those markets, as well as an understanding of the effect of the client’s key stakeholders on the business and other environmental factors. Strategies may not be the result of a formal process and may not be summarized in written plans or other documents. Even in the smallest companies, however, management generally knows the results the client is trying to achieve (i.e., its objectives) and how it plans to achieve them (i.e., its strategy). There are a number of alternative strategies a client can adopt to achieve a given objective. For example, if the objective is to enter a new market within a specified time period, alternative strategies to achieve this objective include the acquisition of existing companies, the formation of joint ventures, or the establishment of new production facilities.
What are Critical Success Factors?
For each of the client’s important business strategies, we consider whether the client has identified the key results that must be achieved if the strategy is to be successfully implemented. We call these key results “critical success factors.” Gaining an understanding of the Critical Success Factors will enable us to later identify the client’s critical business processes (i.e., those business processes that have the greatest effect on the client’s business results or on attaining the critical success factors). This will enable us to focus our work on the critical business processes and the IT that supports them. This helps us determine whether IT is aligned with the business and forms one of the inputs to confirming which IT sub-processes are most important to the business.
Market and Environmental Factors
The market and business environments in which the entity operates significantly affect business risk. By understanding how the client operates within its markets and how significant market forces and other environmental factors affect its business, we are better able to identify and respond to the business and the associated IT risks. Market forces include competitors, customers, and suppliers. Other environmental factors consist of, among other things, capital markets, laws and regulatory requirements, accounting practices and reporting obligations, and social, economic, and political considerations. The purpose of understanding the market and environmental factors is to:
• Identify and understand those market forces and other environmental factors that may have a significant effect on the client’s business and IT risks.
• Consider how these market forces and other environmental factors affect the relative importance of the IT sub-processes.
Our focus of attention and the extent of our efforts in gaining an understanding of the client’s market forces and other environmental factors differ depending on the client’s industry and size, and other factors (e.g., its position in the market). For example, for a client in the computer hardware manufacturing business, we may be more concerned with its competitors’ and suppliers’ technological advances, whereas for a financial institution, we may be more concerned with trends in the capital markets.
What are Business Processes?
An entity will design and implement business processes to execute its strategies. Mega processes are defined as the highest level processes identified by an organization and usually consist of four to six processes that form the core operations of the business. Major business processes are defined as sub-divisions of a mega process that represent a collection of sub-processes. A collection of major processes takes on the complete processing of the mega process.
[Figure: process hierarchy. A Mega process is divided into Major processes; each Major process is divided into Sub-processes; each Sub-process is divided into Activities.]
What are Key Business Processes?
Key business processes are those major business processes that relate directly to the achievement of the client’s critical success factors (i.e., those business processes that have the greatest effect on the client’s business results). Our identification of the client’s key business processes is based on our understanding of the client’s business and our professional judgment, confirmed by discussions with the client’s key management. A process is key if its objectives and/or outputs are directly related to the achievement of a critical success factor. On the other hand, a process would not be classified as “a key business process” if the objectives of the process do not directly relate to the achievement of the critical success factors.
Business Information Requirements and Potential Business Impact of IT
As noted above, our IT risk assessment framework is business process focused. Therefore, in order to perform an effective IT risk assessment and design an IT audit plan which provides the most value to the business, we must understand the business requirements of IT. In general, business requirements can be classified into five categories:
• Availability
• Confidentiality
• Integrity
• Effectiveness
• Efficiency
Each of the five business information requirement categories is an element in meeting or categorizing the business requirements. Management must assess the potential risks to these requirements to adequately develop a plan to mitigate or monitor the risk elements. The five information requirement categories within our model are defined as follows:
• Availability
Information is available when required by the business process, now and in the future. It also relates to the safeguarding of necessary resources and associated capabilities. Resource availability includes all IT resources as defined: people, data, applications, system software, hardware and facilities.
• Confidentiality
Sensitive information is protected from unauthorized disclosure. This includes security design, application access control design, internal and external access and influences, regulatory requirements and knowledge sharing.
• Integrity
Information is accurate and complete as well as valid in accordance with business values and expectations. The integrity of information includes an assessment of the origination of information and the final management and use of the information as it relates to the financial, operational and regulatory compliance of an organization.
• Effectiveness
Information is relevant and pertinent to the business process as well as delivered in a timely, correct, consistent and usable manner. The effectiveness of an IT process must include elements of the organizational role of the IT department within the entity, the management structure in the conduct of business, policies and procedural guidance, and change management.
• Efficiency
Information is provided through the optimal use of resources, both IT and the organization as a whole. This includes how the organization leverages the business processes and how closely the IT strategic plan is aligned with the overall entity’s business plan.
IT Risks
For each of the business information requirement categories, there are several factors which may affect the ability to meet the business needs, i.e., these are the “risks,” or potential “what can go wrong” factors for each business information requirement category. This next section will summarize the IT risk components for each business requirement category. It is not meant to be all encompassing, but rather a framework to work from in completing a risk assessment. Industry variables, changing technology and the use or implementation and integration of technology into an entity’s business processes can affect the classification of the IT risk components by category or extend the content of the components. IT risks are characterized as follows (Business Information Requirement: Potential IT Risk Components):
• Availability: Hardware Stability; Operating System Stability; Application Stability; External Factors, i.e. Telecommunications, Environment; Network Stability; Overall system uptime/downtime; Throughput; Capacity; Accessibility; Infrastructure Design; Business Continuity Plan
• Confidentiality: Security Design; Regulatory Requirements; Security/Penetration; Firewalls; Web Security; Encryption; VPN; Application Security Controls – User Profiles; Knowledge Sharing; E-mail Provisions; Security Policies & Procedures
• Integrity: Unauthorized access; Employee empowerment; Application functionality and controls; Operational controls; Segregation of Duties; Inappropriate decision making tools
• Effectiveness: Successful in supporting business requirements (from management view); Adequate capital structure; Proper skillsets
• Efficiency: Timeliness; Cost/Benefit Effective; Optimal use of resources
We consider the IT Risk components in performing the IT Risk Assessment, prioritizing the Audit Plan and executing the Audit Plan.
Definition of IT Resources
IT resources are all the data, applications, technology, facilities and people which have been implemented to meet the business requirements. The resources are managed by the IT processes (see later discussion of IT processes), and should be designed to actively reduce, monitor and mitigate the IT risks as they relate to the business. The IT resources are integrated into the IT processes and business processes. The five categories of IT resources are:
• Data
Objects in their widest sense (i.e., external and internal), structured and non-structured, graphics, sound, etc.
• Application Systems
Application systems are the sum of manual and programmed procedures integrated into the business that enable business processes.
• Technology
Technology includes hardware, operating systems, database management systems, networking, multimedia, etc.
• Facilities
All resources to house and support information systems.
• People
People include staff skills, awareness and productivity to plan, organize, acquire, deliver, train, support and monitor information systems and services.
The dependency on the IT resources within the risk/control paradigm of meeting business requirements can also be illustrated as:
[Figure: Events (message input) flow through the IT resources Data, Application Systems, Technology, Facilities and People to produce Information (service output). Business Objectives, Business Opportunities, External Requirements, Regulations and Risks drive the business information requirements Effectiveness, Efficiency, Confidentiality, Integrity and Availability.]
IT Processes
The five business information requirement categories are the general structure used to classify the IT related business risks identified in our understanding of an entity. We then gain an understanding of the processes that IT management has put in place to manage the IT resources and mitigate risk to the business requirements, e.g., what processes has management implemented to ensure data and application availability? To assist us in understanding the client’s IT processes and how they are implemented to support IT resources in meeting the business requirements, E&Y has developed the Information Technology Process Model—A Major Process View. This view supports the definition of how an IT department is organized and how its working structure is defined to meet the business demands of the entity. This is more simply illustrated as follows:
[Figure: IT Process Model. Business Information Requirements (Availability, Confidentiality, Integrity, Effectiveness, Efficiency) and IT Resources (Data, Applications, Technology, Facilities, People) frame four IT Processes:
Planning the IT Environment. Objective: To ensure that IT plans are properly aligned with the business’ goals, objectives, and strategies.
Developing and Delivering IT Solutions. Objective: To acquire, develop, deliver, and maintain new or enhanced business solutions involving IT architecture to enable the organization to meet its changing business requirements.
Operating the IT Environment. Objective: To provide and maintain the operation of the IT environment while ensuring the availability, confidentiality, and integrity of information systems to meet the business’ requirements.
Organizing and Monitoring IT Processes. Objective: To manage these major IT processes above.]
The major IT processes are:
• Planning the IT Environment
The objective of this major IT process is to ensure that the entity’s IT plans are properly aligned with its goals, objectives, and strategies. A proper alignment directs the deployment of resources and the delivery of services to enable an organization to capitalize on the business advantages of IT.
• Developing and Delivering IT Solutions
The objective of this major IT process is to acquire, develop, deliver, and maintain new or enhanced business solutions involving the IT architecture (i.e., hardware, software, communications, and information) to enable the organization to meet its changing business requirements. This process typically includes such client activities as defining and analyzing the requirements for projects, determining the approach to meeting those requirements, and implementing the selected approach.
• Operating the IT Environment
The objective of this major IT process is to provide and maintain the operation of the IT environment while ensuring the availability, confidentiality, and integrity of information systems to meet the business’ requirements. In some cases, we may find that certain aspects of the IT environment are operated by individuals who are not part of the formal IT organization. For example, we may find that individuals in user departments have responsibility for a local area network that processes or controls access to applications. This process may have business risk implications, such as those involving the client’s backup and recovery procedures, systems documentation, and business continuity plans.
• Organizing and Monitoring IT Processes
The objective of this major IT process is to manage the three preceding major processes. This major IT process monitors the overall IT resources and priorities to ensure alignment with IT strategies and to optimize the entity’s return on its IT investment. This major IT process could have important business risk implications, such as those involving the processes the client uses to ensure IT personnel have adequate skills to respond to rapidly changing environments.
Each of the IT process categories contains many sub-processes that support or describe the major process. For purposes of this methodology, we are using the 34 IT Process areas defined by COBIT™ as a framework, because it is the most widely accepted framework for IT processes. These 34 IT Processes are grouped under the four (4) major IT areas as defined in other E&Y methodologies. We do not intend this methodology to be a vehicle by which we sell COBIT™, or to recommend its use to the client over any other framework. Accordingly, other frameworks and guidance may also be appropriate for the particular IT Internal Audit Services engagement. Those frameworks, whether of another firm or of the organization for whom we are performing IT Process work, may be substituted for the references to and use of the COBIT™ framework. If that approach is adopted by the engagement team, one of the first steps in scoping the engagement should be to determine the IT process framework used by the client (if any) and determine the extent to which the client would rather we use that framework rather than COBIT™.
IT processes are characterized as follows (Category: Sub-components/Characteristics):
• Planning the IT Environment: IT Strategic Planning; Information Architecture; Technological Direction; IT Organization & Relationships; Management of IT Investment; Communication of the Strategy; Management of Human Resources; Compliance with external requirements; Management of Projects; Quality Management
• Developing and Delivering IT Solutions: Identifying appropriate technology solutions; Acquiring & Maintaining Software; Acquiring & maintaining Technology Architecture; Developing and maintaining IT Procedures; Install and accredit systems; Manage changes
• Operating the IT Environment: Define service levels; Manage Third-party services; Manage performance and capacity; Ensure continuous Service; Ensure Systems Security; Identify and attribute costs; Educate & train users; Assist & Advise IT Customers; Manage the configuration; Manage Problems & incidents; Manage Data; Manage Facilities; Manage Operations
• Organizing and Monitoring IT Processes: Monitor the three major processes; Assess Internal Control Adequacy; Obtain independent assurance; Provide for an independent audit or quality assurance process
We should then identify the process owner(s) of the major IT processes. The process owner(s) usually can be readily identified through inquiries of senior management, the senior IT executives, or the owners of business, or through observation of the functioning of the major IT processes. We obtain a high-level understanding of the client’s major IT processes through discussions with the IT process owners. As part of gaining our high-level understanding of these processes, we ordinarily gain some understanding of the controls related to the IT processes. We discuss with the process owners how they manage the processes and how they identify risks relative to the achievement of the business’ goals, objectives, and strategies (i.e., business risks). We also discuss how they ensure IT supports the major business processes’ financial reporting, operations, and compliance objectives. For entities in which these processes are not centralized, we determine which process owners to include in our discussions. We may identify significant business risks based upon our discussions with the IT process owners, and if we do, we consider these risks. For example, an entity’s IT strategies may be significantly out of alignment with its business strategies, resulting in a risk that the company’s IT infrastructure cannot support the future processing requirements resulting from the business’ planned growth.
Appendix B-1 Integrated Audit Considerations

Many of our IT IAS and internal audit outsourcing engagements are part of an integrated audit. In an integrated audit, our IT IAS and internal audit procedures are an extension of our external audit arrangement. Therefore, portions of the IT internal audit work may be performed for, and relied on by, those performing the external audit. In these situations we, as well as our clients, benefit from coordinating our internal and external audit efforts. When we perform integrated audits, we discuss internal audit and external audit integration requirements with the coordinating partner and other engagement team members, as appropriate, in Stage 1 - Co-Develop Expectations. We also refer to applicable portions of the Ernst & Young LLP Audit Process (Audit Process) for additional guidance. Those portions of the Audit Process most likely applicable in these situations include:

—Audit planning. In many situations, we will want to coordinate our co-development of client expectations and audit planning efforts, as well as agree on team goals and objectives, with the external auditors. As part of their planning procedures, the external audit team ordinarily receives materials from the Assurance Support Center that would assist us in learning about the client's business and industry. We also might want to review these documents. These materials typically include a Business Intelligence Memorandum, industry-segment value chain and mega/major process models. (See Activities 1, 2 and 3 of the Audit Process.)

—Internal control at the entity level and the risk of fraud. In addition to the understanding we need for internal audit purposes, we are often involved in obtaining or updating our understanding of the client's internal control at the entity level and the risk of material misstatement due to fraud to assist the external auditors. The components of internal control, which we evaluate at the entity level, include the control environment (manual and IT controls), risk assessment, information and communication, control activities, and monitoring. The risk of fraud from an external audit perspective includes material misstatements to the financial statements due to fraudulent financial reporting and misappropriation of assets. (See Activity 4 of the Audit Process.)

—Understand, evaluate and test routine data processes and processes of the financial statement close. We often coordinate with the external auditors our work related to accounting processes (both manual and automated), which are referred to in the Audit Process as routine data processes, non-routine data processes, estimation processes and the process of closing the books. While these procedures might be encompassed within the scope of our IT business process focused work and application reviews, additional procedures may be required to meet the needs of the external auditors. (See Activities 9 and 10 of the Audit Process.)

—Understand, evaluate and test the information technology processes. In most situations we will want to coordinate performing the work steps in the Audit Process related to how information technology (IT) supports the business and other processes in achieving their financial reporting, operating and compliance objectives. In moderately to highly complex IT environments, an ISAAS professional ordinarily assumes the role of the IT specialist in the audit process. Accordingly, the same individual(s) might be used for both internal and external audit purposes. (See Activity 8 of the Audit Process.)

—Combined risk assessment. The combined risk assessment for purposes of the external audit is focused on assessing the combined inherent and control risk for significant financial statement accounts. It is used by the external auditors to determine the nature, timing and extent of substantive audit procedures necessary to hold their audit risk to an acceptable level. The risk assessment described in this document is directed toward the company's IT processes and how IT supports the business processes, with the objective of determining the risk areas to focus on for IT internal audit purposes. While the objectives of these two risk assessments differ, the work performed by IT internal auditors is an input into the external auditors' combined risk assessment. Therefore, we ordinarily coordinate how information gathered and assessments made by IT internal auditors about inherent and control risk are communicated to the external auditors for purposes of their combined risk assessment. (See Activities 3 and 11 of the Audit Process.)

—Analytical procedures. The scope of our internal audit work might include analytical procedures, especially data analysis procedures. The work steps included in the Audit Process to plan, execute and evaluate analytical procedures ordinarily are also applicable to analytical procedures performed during internal audit work. (See Activity 13 of the Audit Process.)

—Tests of details. The scope of our internal audit work might include tests of key items, representative samples, other tests of underlying data or a combination of the preceding types of tests of details. For example, we might confirm certain balances or transactions to test for existence. (See Activity 14 of the Audit Process.)

—Additional business process analysis. As further described in this document, we might also want to determine the root cause of errors that we identify in order to assist the client in fixing a problem or improving a process. This is often performed as a separate engagement. (See Activity 15 of the Audit Process.)
Appendix B-2 Client Service Charter (template)

[client name]

Establish Relationship Protocols
  Our Team
    • Subject Matter Expertise
  Risk Focus
    • Processes
    • Geographic Areas
    • Functional Units
  Value Scorecard
    • Components
    • Other IA Measures
  Communication Protocols
    • Executive Management / Audit Committee
    • Reporting
    • Frequency of Communications
  Special Projects

Understanding Your Business Goals and Objectives
  Current State
  Future State
  Key Performance Indicators
  Critical Success Factors
  Business Risks

Understanding Your Business Strategies and Risks
  Critical Success Factors
  Key Performance Indicators
  Business Risks

Each heading in the charter template is followed by blank bullets to be completed for the client.
Planning phase

Objective
1. Identify client needs based on discussions with FBS management related to business risks, objectives, strategies and critical success factors.
2. Understand Mega and Major business processes and business process controls.
3. Identify audit team based upon required competencies and team roles. Orient the team to client needs, client business and team goals.
4. Complete appropriate planning documentation.

Deliverables
1. Prepare planning documentation including:
   a. Identification of Mega and Major processes and identification of important business controls
   b. Overview of business risks, objectives, strategies and critical success factors
   c. Summary of meeting with FBS high level management
   d. Summary of internal planning meetings
   e. Key date schedule
   f. Client assistance letter
   g. Audit program
   h. Audit strategies document
   i. Organizational chart (obtain from client)
   j. Time budget prepared using FBS Time Tracker

Success Definition/Measurement
1. Client and E&Y objectives are met and deliverables prepared according to key date schedule.
2. Audit strategy incorporates FBS senior management's concerns. Partner approval prior to starting fieldwork.
3. Team meeting prior to fieldwork to discuss team expectations and areas of audit focus.

Critical Success Factors
1. Timely partner involvement and approval of audit plan.
2. Execute planning and entire audit according to key date schedule.
3. Client assistance delivered to client one month prior to fieldwork.
4. Communication of expectations and significant audit information to all team members.
5. Honor other peoples' schedules.
6. Timely ISAAS involvement.

Best Practices
1. Develop template for letter addressed to FBS senior management to confirm timing and initiate meeting.
2. Meetings with senior management and middle management should identify key business issues.
3. Team internal meetings should be used to transfer knowledge obtained through planning process prior to fieldwork.
4. Utilize the EY databases and external resources to enhance our understanding of the current environment, risks and potential opportunities within the business being audited.
5. Utilize administrative staff to transcribe meeting notes.
6. Consider how we can better utilize technologies in our audits (i.e., ACL).

Fieldwork phase

Objective
1. Execute the plan (within budget) coming out of planning phase within calendar parameters.
2. Summarize findings and communicate timely.
3. Provide positive educational experience to staff.

Deliverables
1. Audit Program completion.
2. Audit results/Findings summary.
3. Written staff feedback.

Success Definition/Measurement
1. Met CSF.
2. Met or exceeded budget. Budget versus actual per Time Tracker.
3. People - Client feedback questionnaire.
4. Client satisfaction survey.
5. Increase staff interest in FBS. Relationship management meetings quarterly with senior management and monthly Parrin meeting.

Critical Success Factors
1. Timely escalation of Needs Improvement or Unsatisfactory issues.
2. Escalate client work requests that are out of scope.
3. Coordinate with ISAAS and other disciplines.
4. Tracking of time and expense.
5. Monitor performance in field and communicate performance real time.

Best Practices
1. More senior management involvement in field.
2. Client update meetings.
3. Standardized time system for all FBS projects.
4. Partner through manager (i.e., experienced) involvement in audit summarization debrief.

Evaluation phase

Objective
1. Analyze individual or groups of audit results (data) and synthesize into audit findings (information).
2. Escalate Needs Improvement or worse issues as soon as they become a possibility.

Deliverables
1. Prioritized outline of audit findings validated by client for factual accuracy and completeness.
2. Senior management meetings for Needs Improvement type issues.

Success Definition/Measurement
1. Audit findings are in proper business context.
2. Audit findings are in proper priority (i.e., significant or other).
3. Evaluation/analysis phase of audit completed at or under budget.
4. Partner/Principal input obtained in this phase.

Critical Success Factors
1. Spend more time thinking and strategizing and less time writing [90 - 10 Rule].
2. Client leadership (e.g., auditee and supervisor) involved throughout the audit and during the evaluation phase.
3. Timely escalation of issues at FBS client and E&Y.

Best Practices
1. Spend more time thinking and less time writing [90 - 10 Rule].
2. Think at 1 to 2 levels higher than the client/auditee.
3. Facilitated, focused debrief sessions.
4. Achieve the proper balance between client satisfaction, people and profitability.
5. Complete the heavy lifting before reporting - the report should be 90% complete before reporting phase begins.

Reporting phase

Objective
1. Efficient and effective audit report delivery process.
2. Reports perceived to have value by client.

Deliverables
1. Concise report which is responsive to the key issues noted during the audit.
2. Internally focused assessment (KPIs - see below).

Success Definition/Measurement
1. Fifteen-day report issuance rule.
2. Adherence to the ten-page rule.
3. Efficiency ratio: number of drafts (dependent upon engagement hours, rating, etc.).
4. Client report card.

Critical Success Factors
1. Timely executive involvement.
2. Effective client closing meeting.
3. Successful handoff from evaluation segment to reporting phase.

Best Practices
1. Adherence to process model.
2. Define all team roles.
3. Don't give away value - limit report to audit issues, not consulting.
Appendix B-4 Strategy Memorandum

To: ABC Company IT IAS Audit Files
From: John Smith
Subject: ABC Company IT IAS Strategy Memorandum
Date: 5/15/99
The purpose of this memorandum is to document our understanding of the scope and approach of the ISAAS work to be performed at ABC Company for the IT Internal Audit Services.

Background

ABC Company and its predecessors have been in business since 1877. A mutual company with headquarters in Metropolitan, South Dakota, ABC is licensed to sell in 48 states and the District of Columbia. The company offers life insurance and annuities, group life and disability insurance, pension products and reinsurance services.

Scope of Assignment

ABC Company has contracted with us to perform IT Internal Audit Services using a risk based audit approach. We will perform an initial risk assessment which will include the corporate operations as well as operations of all third party administrators. The objective of the risk assessment process is to actively identify the Company's critical information systems resources and business processes and apply certain risk factors to each. These risks are then individually analyzed and ranked to allow for prioritization and proper allocation of information systems corporate audit resources based upon the determination of relative risk. Risk assessment is accomplished by using a uniform process and criteria for consistently defining and measuring risk across all areas. Fully identifying all auditable areas requires regular and on-going communication with operating company management. The discussions with management focus on understanding the business and its operations. A thorough understanding of the business will require meetings with functional heads of Accounting, Actuarial, Marketing, Human Resources, Finance, Operations (Claims, Policy Service, and Underwriting) and all Information Systems functions. The process identified above is used for assessing all areas of the Company that rely on information systems. During the risk assessment process, each major operating area's system development plans and priorities are obtained. This information will be incorporated into and considered in the rating of the "Control Risk" factors, since significant application and system changes may have a significant impact on the internal control environment. We will use a standard format for documenting our understanding and subsequent risk assessment and IT audit plan.

Key Deliverables

We will develop a written report detailing our risk assessment. In addition, we will deliver an oral presentation of our risk assessment to the Executive Committee.

Timetable

The draft risk assessment will be delivered to client management by 6/10/99. The oral presentation will be given by 6/20/99. The audit plan for the remainder of the year will be agreed upon by 6/30/99.
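The ranking step described under Scope of Assignment, as an added illustration that is not part of the toolkit or of the ABC Company engagement: every auditable unit (an information systems resource or a business process) is scored against the same factor set on the same scale, the control risk factor is stepped up when a significant application or system change is planned, the units are ranked by weighted score, and audit hours are allocated in proportion to relative risk. The factor names, the 1 to 5 scale, the weights, the one-step control-risk adjustment and the sample units are all assumptions made for the example.

```python
"""
Weighted risk ranking of auditable units for an IT audit plan.
Added example; the factors, weights, scale and sample units are assumptions,
not criteria taken from the toolkit.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Uniform criteria applied to every auditable area: each factor is scored
# 1 (low) .. 5 (high). Factor names and weights are assumptions; weights sum to 1.
FACTOR_WEIGHTS: Dict[str, float] = {
    "financial_significance": 0.30,
    "complexity": 0.20,
    "control_risk": 0.30,
    "time_since_last_audit": 0.20,
}
MIN_SCORE, MAX_SCORE = 1, 5


@dataclass
class AuditableUnit:
    name: str
    kind: str                          # "system" or "process"
    scores: Dict[str, int]             # factor -> 1..5
    planned_major_change: bool = False  # significant application/system change planned


def validate(unit: AuditableUnit) -> None:
    """Reject units that do not follow the uniform scoring criteria."""
    missing = set(FACTOR_WEIGHTS) - set(unit.scores)
    if missing:
        raise ValueError(f"{unit.name}: missing factor(s) {sorted(missing)}")
    for factor, value in unit.scores.items():
        if factor not in FACTOR_WEIGHTS:
            raise ValueError(f"{unit.name}: unknown factor {factor!r}")
        if not MIN_SCORE <= value <= MAX_SCORE:
            raise ValueError(f"{unit.name}: {factor}={value} outside {MIN_SCORE}..{MAX_SCORE}")


def effective_control_risk(unit: AuditableUnit) -> int:
    """A planned major system change raises control risk one step (capped at the scale)."""
    base = unit.scores["control_risk"]
    return min(MAX_SCORE, base + 1) if unit.planned_major_change else base


def risk_score(unit: AuditableUnit) -> float:
    """Weighted score on the 1..5 scale; control risk uses the adjusted value."""
    validate(unit)
    total = 0.0
    for factor, weight in FACTOR_WEIGHTS.items():
        value = effective_control_risk(unit) if factor == "control_risk" else unit.scores[factor]
        total += weight * value
    return round(total, 2)


def rank_units(units: List[AuditableUnit]) -> List[Tuple[str, float]]:
    """Highest risk first; ties broken by name so the ranking is reproducible."""
    scored = [(u.name, risk_score(u)) for u in units]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def allocate_hours(ranked: List[Tuple[str, float]], total_hours: int) -> Dict[str, int]:
    """Allocate audit hours in proportion to risk score (largest-remainder rounding)."""
    total_score = sum(s for _, s in ranked)
    raw = {name: total_hours * s / total_score for name, s in ranked}
    hours = {name: int(v) for name, v in raw.items()}
    leftover = total_hours - sum(hours.values())
    by_fraction = sorted(raw.items(), key=lambda kv: kv[1] - int(kv[1]), reverse=True)
    for name, _ in by_fraction[:leftover]:
        hours[name] += 1
    return hours


# Constructed sample population (hypothetical, not from the toolkit).
SAMPLE_UNITS = [
    AuditableUnit("Policy administration system", "system",
                  {"financial_significance": 5, "complexity": 4,
                   "control_risk": 3, "time_since_last_audit": 4},
                  planned_major_change=True),
    AuditableUnit("Claims processing", "process",
                  {"financial_significance": 4, "complexity": 3,
                   "control_risk": 3, "time_since_last_audit": 2}),
    AuditableUnit("Third-party administrator interface", "system",
                  {"financial_significance": 3, "complexity": 3,
                   "control_risk": 4, "time_since_last_audit": 5}),
    AuditableUnit("HR/payroll", "process",
                  {"financial_significance": 2, "complexity": 2,
                   "control_risk": 2, "time_since_last_audit": 1}),
]


def sample_plan(total_hours: int = 400) -> Tuple[List[Tuple[str, float]], Dict[str, int]]:
    """Rank the sample units and spread the year's audit hours across them."""
    ranked = rank_units(SAMPLE_UNITS)
    return ranked, allocate_hours(ranked, total_hours)


if __name__ == "__main__":
    ranked, hours = sample_plan()
    for name, score in ranked:
        print(f"{score:4.2f}  {hours[name]:3d} h  {name}")
```

The validation step is what makes the ranking defensible: a unit scored outside the agreed scale, or on a factor not in the agreed set, is rejected rather than silently ranked, so every area is measured against the same criteria as the memorandum requires. The control-risk step-up is where the operating areas' system development plans feed in.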
Staffing and Budget

The risk assessment will be performed by the ISAAS Manager and ISAAS Senior and will be managed by the ISAAS Partner. The overall budget for the initial risk assessment will be 80 hours.

Responsibilities

The ISAAS personnel noted above will be responsible for the overall quality and delivery of the ISAAS services. Billing of the ISAAS time and expenses will be performed by the Audit Billing Executive of this client.

Prepared by: Senior
Reviewed by: Manager
Reviewed by: Partner
Appendix B-5

ABC Company IT Risk Assessment Sample Client Assistance Listing

1. Current Company organization chart including all divisions/locations within scope.
2. Listing of significant technology in place (hardware, software, and major applications).
3. Strategic Business Plan and IS Strategic Plan.
4. Policies and procedures for:
   a) Application development/program changes
   b) Requesting and granting user access to systems
   c) Dial-up access to facility
   d) Monitoring and follow-up of security violations
   e) Internet use
   f) Software licensing
5. Disaster recovery plan/Business continuity plan.
6. Network and Communication Diagrams.
Appendix B-6 Ernst & Young L.L.P. Project Management Worksheet

CLIENT NAME: ABC Inc.
ENGAGEMENT DESCRIPTION: IT Internal Audit Services - Risk Assessment
LISTING TYPE: ISAAS
AUDIT PARTNER: John Megabucks
ENGAGEMENT RELATIONSHIP MANAGER:
ENGAGEMENT MANAGER: Bob Dole
FIXED COST QUOTED:
ADMINISTRATIVE SURCHARGE: 10.0%

Task budget (percentage of total hours, hours):

  Planning                                 21%    50
  Documentation Review                      8%    20
  Interviews                               35%    84
  Post Interview Meetings                   8%    20
  Interview Summary Write Up                3%     8
  Review Internal Audit Review Plan         4%    10
  Follow Up                                 4%    10
  Report Writing & Review - Draft           6%    14
  Report Writing & Review - Final           3%     6
  Presentation Development - Draft          5%    12
  Presentation Development - Final          3%     6
  Total                                   100%   240

Resources assigned (rates include a 5% busy season charge):

  Resource      Rate/hr   Hours   Fees at 100%   % of    Admin      Total
                                  of standard    hours   recovery   loaded fees
  Partner        $475       18      $8,550         8%      $855      $9,405
  Sr. Manager    $358       22      $7,876         9%      $788      $8,664
  Manager        $281       56     $15,736        23%    $1,574     $17,310
  Senior         $182       96     $17,472        40%    $1,747     $19,219
  Staff #1       $133       48      $6,384        20%      $638      $7,022
  Contingency               0          $0         0%        $0          $0
  Total                   240     $56,018       100%    $5,602     $61,620

Valuation (fees billed below standard):

  Valuation percentage   90%       85%       80%       70%       60%       50%
  Valued fees        $50,416   $47,615   $44,814   $39,213   $33,611   $28,009
  Avg rate per hour     $210      $198      $187      $163      $140      $117
  Admin               $5,042    $4,762    $4,481    $3,921    $3,361    $2,801
  Total fees & admin $55,458   $52,377   $49,296   $43,134   $36,972   $30,810
Appendix C-1 Engagement Team Organization and Requirements

Engagement Partner or Leader: The engagement partner or leader is responsible for the overall effectiveness of the engagement. Responsibilities include:
• Managing relationships with key client personnel
• Leading or taking a primary role for project scoping and pricing
• Ensuring development of an effective workplan
• Involvement in the analysis of the results of each stage of the project
• Leading or taking a primary role in developing the recommendations and the deliverables
• Lead involvement in presenting deliverables.

Engagement Manager: The engagement manager is responsible for the day to day onsite activities of the engagement. Responsibilities include:
• Managing day-to-day relationships with key client personnel
• Developing the project scope and workplan
• Identifying and scheduling engagement project team members
• Leading engagement activities such as interviews, information gathering, and information analysis
• Involvement in key interviews and ensuring interview and information gathering activities are properly conducted and recorded
• Developing project analysis, recommendations and deliverables
• Presenting deliverables to client
• Monitoring and managing costing and billing activities and matters.

Engagement Team (Staff): The engagement project team is selected based on skill requirements for the engagement scope. The project team should be comprised of an appropriate mix of senior and staff consultants. Responsibilities include:
• Understanding the engagement scope and workplan
• Developing interview schedules and information request lists
• Participating in key interviews with the engagement manager
• Leading certain interviews
• Collecting and compiling data and information for analysis
• Assisting in analysis of data and information
• Assisting with the preparation of the deliverables
• Assisting as necessary with presenting deliverables to the client.
Project Quality Advisor/Pre-Issuance Reviewer: An engagement project quality advisor should be selected to provide guidance which will ensure highest quality service delivery. The quality advisor ideally should have experience in delivering IT internal audit services. The quality advisor may be the engagement leader or manager, or may serve in an advisory only role, depending on the needs for the particular engagement and project team. Responsibilities include:
• Understanding the engagement scope
• Understanding client issues
• Providing guidance regarding workplan development
• Assisting with the data and information analysis and consulting with the project team to guide compilation of results
• Providing guidance for the process of developing deliverables, or reviewing the deliverables after development
Appendix C-2 Activities and Worksteps

Worksheet columns for each workstep: Budget | Due Date | Worker | Status

1. Plan the Risk Assessment
   Identify and orient the project team
   Identify key personnel to be involved/interviewed
   Develop risk assessment workplan
   Determine timeframe and budget for risk assessment
2. Understand the Business Goals, Strategies, Objectives and Critical Success Factors
   Identify relevant information held by E&Y
   Confirm and build our understanding
3. Understand the Entity's Mega and Major Business Processes and Related IT Requirements
   Identify the mega and major business processes (list specific processes)
   Identify the key major business processes (list specific processes)
   Document how IT supports the mega and major business processes
4. Understand the IT Resources and Related IT Processes
   Identify and document the IT resources
   Identify and document the IT processes
5. Document Risk Assessment and Validate with Management
   Document risk assessment conclusions
   Prioritize risk areas
   Validate with management
Total Hours for Project
Appendix C-3 Sample Business Process and Critical Success Factor Documentation

Draft for Discussion Purposes

The Hospital for Sick Children
Business Process Risk Review
The Hospital for Sick Children: business process map

Organizational units (columns of the map): Business & Corporate Development; Information and Diagnostic Services; Academic and Clinical Development; Child Health Services; Human Resources; Research.

Risk rating legend: High / Moderate / Low.

Mega and major processes:

Direct and guide the organization
  Provide governance
  Perform organizational planning and design
  Manage quality, risk and performance
  Perform and manage operational planning

Develop and maintain the market
  Market the organization
  Manage contracts
  Manage relationships
  Manage education
  Manage research

Deliver health care services
  Provide patient care
  Provide diagnostic services
  Provide and manage pharmaceuticals
  Provide food and nutrition services

Manage health care delivery
  Develop and maintain system policies
  Manage strategic partnerships
  Manage clinical resources

Support the organization
  Manage regulatory and legal matters
  Manage financial operations
  Manage human resources
  Manage environmental services and plant operations
  Manage information systems, technology and knowledge
  Maintain health records
The Hospital for Sick Children: mega process descriptions

  Mega Process                         Description
  Direct and guide the organization    Set the strategic direction, policies and guidelines for the organization as a whole.
  Develop and maintain the market      Build new and repeat business with community relations, including activities such as marketing, research and education.
  Deliver health care services         Deliver patient care.
  Manage health care delivery          Manage the delivery of patient care.
  Support the organization             Administer physical, financial and human resources for the organization as a whole.
Appendix C-3  The Hospital for Sick Children
Major Process / Purpose / Objective

Direct and guide the organization

  Provide governance
    Purpose:   Define the organization's purpose, direction and structure.
    Objective: Inspire public trust and meet social accountability and fiduciary obligations by ensuring that quality of care standards and standards of conduct meet acceptable levels.

  Perform organizational planning
    Purpose:   Formulate and obtain governing approval for strategic plans including viable services.
    Objective: Implement strategies and plans that address stakeholder needs.

  Manage quality, risk and performance
    Purpose:   Manage the entire organization and each of its functions and/or processes.
    Objective: Establish and monitor critical indicators considering management and governing body's internal control philosophy.

  Perform and manage operational planning
    Purpose:   Manage the volume of service delivery and support services for the organization for each of its functions and processes.
    Objective: Establish and monitor the volume of service delivery and support services performed by the organization.

Develop and maintain the market

  Market the organization
    Purpose:   Maintain or enhance presentation of the organization to its current and potential customers and external constituents.
    Objective: Identify customer needs and develop an effective message that differentiates the provider and stimulates demand for services.

  Manage contracts
    Purpose:   Negotiate contracts with insuring entities.
    Objective: Execute financially beneficial patient service contracts; evaluate financial benefit and effect on competitors.

  Manage relationships
    Purpose:   Communicate with customers, business and research organizations.
    Objective: Retain customer business and/or maintain a positive business relationship.

  Manage education
    Purpose:   Maintain and enhance the educational program for professional staff, inpatients and outpatients.
    Objective: Identify, obtain and provide educational resources required by professional care givers / employees and inpatients and outpatients.

  Manage research
    Purpose:   Maintain and enhance research programs to ensure development of new interventions and treatments.
    Objective: Excel in basic and clinical research that leads to improved understanding, prevention, treatment and cure of children's diseases.

Deliver health care services

  Provide patient care
    Purpose:   Provide inpatient and outpatient care.
    Objective: Manage patient outcome; provide treatment in the most time and resource effective manner.

  Provide diagnostic services
    Purpose:   Provide diagnostic and laboratory services for inpatient and outpatient care.
    Objective: Manage diagnostic services to ensure the most time and resource effective use is made of equipment in delivering patient care.

  Provide and manage pharmaceuticals
    Purpose:   Provide pharmaceutical distribution in inpatient care.
    Objective: Manage pharmaceutical distribution in relation to patient care to ensure appropriate treatment.

  Provide food and nutrition services
    Purpose:   Provide nutritional services for inpatient and outpatient care.
    Objective: Manage nutritional services to provide treatment in the most time and resource effective manner.
Manage health care delivery

  Develop and maintain system policies
    Purpose:   Develop a plan for delivering medical services to patients.
    Objective: Achieve quality outcomes, promote cost effective use of resources, improve the health status of individuals and the community.

  Manage strategic partnership
    Purpose:   Establish, maintain and enhance the system of providers.
    Objective: Use strategic alliances to provide viable services more effectively than competitors.

  Manage clinical resources
    Purpose:   Align medical resources with the system strategic plan.
    Objective: Manage utilization, thereby containing health care costs while remaining dedicated to being on the leading edge of patient care.

Support the organization

  Manage regulatory and legal matters
    Purpose:   Address day-to-day legal matters, obtain regulatory approval as required, and resolve malpractice issues.
    Objective: Operate consistent with legal standards; protect the provider from litigation.

  Manage financial operations
    Purpose:   Address day-to-day financial issues including investment, financial reporting and general disbursements.
    Objective: Maximize profitability, ensure accountability, protect assets, maximize collections.

  Manage human resources
    Purpose:   Acquire, train, evaluate and compensate employees.
    Objective: Maintain qualified personnel needed to meet objectives.

  Manage environmental services and plant operations
    Purpose:   Process to manage and maintain facilities, equipment and supplies.
    Objective: Procure needed resources to operate and maintain facilities and equipment.

  Manage information systems, technology, and knowledge
    Purpose:   Develop and maintain technology and systems.
    Objective: Provide and support information technology infrastructure with tools and systems to meet information and knowledge management needs.

  Maintain health records
    Purpose:   Process to manage and maintain health record information for inpatients and outpatients.
    Objective: Ensure that adequate health records are maintained to effectively document, diagnose and provide patient care, as well as allow regulatory reporting.
Appendix C-3  The Hospital for Sick Children
Strategic goals mapped to major processes

[Dependency matrix: one column per major process under Direct and guide the organization, Develop and maintain the market, Deliver health care services, Manage health care delivery and Support the organization; one row per goal. A þ marks a goal dependent on that major process's purpose and objective being satisfied. Column assignments and per-process totals are not recoverable in this copy; the goals are:]

1. Lead in the delivery of exemplary patient care and development of new interventions and treatments
   • Enhance care delivery methods and processes by working with new partners in care
   • Develop and implement more effective and efficient methods, modes and processes of delivering patient care
   • Identify and implement new and innovative therapies, treatments and technologies to improve clinical outcomes
   • Improve health care system functioning by collaborating with others to effect system changes

2. Become the preeminent research enterprise for children's health worldwide
   • Enhance the scientific quality of research at HSC
   • Extend the scope of research at HSC
   • Integrate research into the fabric of HSC and apply it to the ongoing care of children
   • Strengthen the financial base for research

3. Build an outstanding education and knowledge dissemination capability
   • Attract the best students and trainees by providing outstanding academic training and experience
   • Ensure staff are current and fully qualified to fulfill professional obligations
   • Become a center of excellence in the provision of external continuing education
   • Enhance the impact of HSC's family education and health promotion activities
   • Collaborate with others in the measurement and evaluation of education / training activities

4. Support, develop and retain staff and attract the best recruits
   • Foster an environment that values and supports staff in their efforts to achieve HSC goals
   • Develop, support, motivate and maximize the performance of all staff
   • Retain, attract and recruit the best people for HSC

5. Lead and work cooperatively with visible, responsive networks and partnerships
   • Increase HSC's ability to shape, implement and be resilient to change
   • Enhance HSC's ability to identify, evaluate and participate effectively in a range of internal and external networks and partnerships
   • Lead and sustain selected networks and partnerships to effect change
   • Leverage the strength of networks and HSC's role within them to influence public policy on child health and research

6. Continue to improve, measure and evaluate the value and effectiveness of what we do
   • Integrate measurement, evaluation and continuous improvement into the fabric of HSC
   • Develop and implement the system and tools required to demonstrate the value of accountability for what we do

7. Enhance existing and develop new sustainable sources of funding
   • Enhance and diversify HSC's government funding base
   • Build a portfolio of positive cash flow business opportunities
   • Partner with HSCF in building its endowment
   • Maximize opportunities to reduce costs
   • Become the health care industry partner of choice

27 Goals

þ  Goal dependent on major process purpose and objective being satisfied.
Appendix C-3  The Hospital for Sick Children
Major Process / Risk / Likelihood / Impact

[Likelihood and impact ratings are not recoverable in this copy; risks are listed by major process.]

Direct and guide the organization

  Provide governance
    § Litigation and/or regulatory issues arise from failed governance
    § Lack of organizational direction and missed opportunities
    § Internal interpretation of mission is inconsistent
    § Poor communication with the community can lead to loss of business
    § Punitive and financial risk associated with failing to detect, correct and prevent violations of health care fraud and abuse regulations and other laws due to lack of corporate compliance

  Perform organizational planning and design
    § Inability to develop a sound tactical plan can lead to poor financial performance
    § Inability to develop and monitor a sound strategic plan can lead to lack of organizational direction
    § Divergent results not identified in time for corrective action
    § Insolvency
    § Lack of effective strategic planning will result in the organization failing to appropriately assess its external environment, competitive position and core competencies to develop a strategy consistent with the direction set by the organization's governing body

  Manage quality, risk and performance
    § Inability to define and promote a high standard of internal control policies can lead to loss of financial, operational and administrative data integrity
    § Employees are not focused on the strategic plan
    § Inconsistent implementation of plan
    § Risk that key indicators of quality, risk and performance are not established or are not measured, resulting in a lack of internal metrics by which to implement corrective action or measure success

  Perform and manage operational planning
    § [risk text not legible in this copy]

Develop and maintain the market

  Market the organization
    § Markets change faster than marketing strategy
    § Failure to manage can lead to loss of patients and market share

  Manage contracts
    § Unintended assumption of risks
    § Lack of leverage in negotiations
    § Inadequate sources of information to analyze contracts / lines of business
    § Inability to control certain utilization / costs

  Manage relationships
    § Loss of key physician relationships to competitors

  Manage education
    § Inadequate sponsorship for corporate initiatives
    § Failure to understand the stakeholder needs

  Manage research
    § Loss of affiliation with educational institutions
    § Approval of research proposals that do not have significant scientific merit and have an unacceptable balance of benefit relative to risk
    § Information provided to participants of trials does not adequately disclose the benefits, risks and impositions associated with participation
    § Failure of investigators to adhere to the rules and regulations of regulatory bodies during the implementation of trials
    § Increasing dependence of academic health science centers on support from the private sector may induce their leaders to be unduly deferential to private sponsors, which could influence the extent to which they support and defend important values such as academic freedom
    § Research contracts being entered into by professional staff without the hospital being party to the contract or reviewing and approving the contract
    § Not obtaining the maximum research funding
    § Not producing the best research programs and providing successful research projects

Deliver health care services

  Provide patient care
    § Malpractice actions if provider incorrectly diagnoses patient
    § Loss of licensure
    § Malpractice actions as provider pursues efficient course of treatment
    § Inability to control certain utilization costs

  Provide diagnostic services
    § [risk text not legible in this copy]

  Provide and manage pharmaceuticals
    § [risk text not legible in this copy]

  Provide food and nutrition services
    § [risk text not legible in this copy]

Manage health care delivery

  Develop and maintain system policies
! @
#
Perceived Perceived lack of quality / image/ reputation can cause cause custom custom er dissatisfaction and lo ss of bu siness Fai l u r e t o m e et sp eci f i c cu st o m er r e q u i r e m e n t s Lack o f l e v er ag e i n n e g o t i at i o n s d u e t o l i m i t e d si ze In ab i l i t y t o co n t r o l u t i l i zat i o n co st s In d u st r y co n so l i d at i o n Re si st an an ce ce o f cu st om om er er s, u n ioio n s,s, o t he he r t o al l o cat ioio n o f v o l u me me In ab i l i t y t o su b st i t u t e r eso u r ces ( e g . FTEs)
$
C-3.11 11
Appendix C-3 The Hospital for Sick Children
Major Process / Risk / Likelihood / Impact

Manage strategic partnerships
§ Inability to control utilization and costs
§ Customer dissatisfaction
§ Inability to generate acceptable return
§ Government regulations

Manage clinical resources
§ Inability to control utilization and costs
§ Inability to substitute resources
§ Inability to generate acceptable return
§ Medical malpractice risk
§ Loss of provider relationships to competitors

Support the organization: Manage regulatory and legal matters
§ Lack of timely response may perpetuate legal issues or loss of business
§ Non-legal personnel are unaware that their actions could result in legal issues
§ Noncompliance with regulations can lead to fines, penalties and/or loss of license

Manage financial operations
§ Risk of insufficient resources available to meet maturing liabilities
§ Inability to provide accurate financial information to make timely business decisions
§ Inaccurate financial reporting can lead to regulatory or legal issues
§ Loss of revenues
§ Errors in billing
§ Risk that the billing and collections process is not effective, resulting in poor financial results and negative community image
§ Risk that financial statements are materially misstated because the control structure is inadequate, owing to a lack of financial and accounting internal controls

Manage human resources
§ Lack of adequately trained personnel can cause deterioration in service and loss of business
§ Loss of key employees

Manage environmental and plant operations
§ Poor facility management can lead to over / under capacity relative to utilization needs

Manage information systems, technology and knowledge
§ Inadequate information and knowledge sharing system can result in perceived lack of quality service and loss of business
§ Organization's resources can be inappropriately tied to projects that are not aligned with organization goals
§ Lack of data confidentiality
§ Risk of loss, alteration, or theft of critical business information due to lack of authorization security

C-3.12
Appendix C-3 The Hospital for Sick Children
Major Process / Risk / Likelihood / Impact

Manage information systems, technology and knowledge (continued)
§ Risk of loss, alteration, or theft of critical business information due to lack of authorization security
§ Risk of a significant disruptive occurrence to an organization's operations, such as an interruption of critical functions, systems, resources, or loss of vital records, due to lack of business continuity planning
§ Information system is not configured to match the actual business processes, leading to unexpected financial and operational results, due to lack of business process integrity
§ External threat due to connectivity to the external environment. Dial-up solutions, Internet connectivity, network connections to business partners, etc. all provide a potential avenue for exploitation to penetrate into the internal network. Hacking tools are more available today than ever and are quite simple for the novice user to operate. Due to lack of information system security
§ Operating systems are mis-configured, resulting in vulnerable conditions, and are placed into production prior to vulnerability testing. The ability to exploit these vulnerabilities poses a high risk to the infrastructure
§ Lack of asset management, resulting in multiple points of risk concern such as unknown software or unknown modems attached to the network. A poor account of assets results in an ineffective risk assessment of what is to be protected and how much to spend to protect it

Maintain health records

C-3.13
Appendix C-3 The Hospital for Sick Children

Risk rating matrix: Likelihood / Probability (rows) against Impact / Severity (columns)

Likelihood        Catastrophic   Major   Moderate   Minor   Insignificant
                       5           4        3         2           1
1 Low                  T           T        L        VL          VL
2 Unlikely             H           T        L        VL          VL
3 Moderate            VH           H        T         L          VL
4 Likely              VH          VH        H         T           L
5 High                VH          VH       VH         H           T

Very High = Urgent action to be taken that will reduce the level of risk to tolerable or less.
High = Detailed action plan required that will reduce the level of risk to tolerable or less.
Tolerable = Managed by keeping under review and through continued good practice.
Low = Managed through continued good practice.
Very low = No action required.

Impact
Rating   Description
5   Catastrophic    Loss of ability to sustain on-going operation. A situation that would cause the organization to cease operating.
                    § > 50% loss of service capability or
                    § > 30% reduction in funding
4   Major           § 30-50% loss of service capability or
                    § 20-30% reduction in funding
3   Moderate        § 10-30% loss of service capability or
                    § 10-20% reduction in funding
2   Minor           § 5-10% loss of service capability or
                    § 5-10% reduction in funding
1   Insignificant   § < 5% loss of service capability or
                    § < 5% reduction in funding

Probability
Rating   Description
5   High        § > 80% probability of occurrence
4   Likely      § 60-80% probability
3   Moderate    § 40-60% probability
2   Unlikely    § 20-40% probability
1   Low         § < 20% probability

C-3.14
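The rating method on this page, as an added worked example in Python (not code from the toolkit): it encodes the 5x5 matrix, the impact and probability bands and the action legend exactly as printed, and then rates and orders a small constructed register whose risk wording follows the information-systems rows of Appendix C-3. The function names, the rule that a value on a shared band boundary (e.g. 30% loss of service, which is in both "30-50%" and "10-30%") goes into the more severe band, and the sample percentages are assumptions, not something the page specifies.

```python
"""Risk rating with the likelihood / impact matrix of Appendix C-3.

Added example, not part of the original toolkit. The matrix, the impact and
probability bands and the action legend are transcribed from the page; the
function names, the boundary rule and the sample register are assumptions.
"""
from dataclasses import dataclass

# Impact / severity bands below Catastrophic: (rating, label, % loss of service
# capability, % reduction in funding). A band applies when EITHER measure
# reaches its threshold. The page's bands share endpoints (Major 30-50%,
# Moderate 10-30%), so a boundary value is assumed to fall into the more
# severe band. Only Catastrophic is strict on the page: "> 50%" or "> 30%".
IMPACT_BANDS = [(4, "Major", 30.0, 20.0), (3, "Moderate", 10.0, 10.0),
                (2, "Minor", 5.0, 5.0)]

# Probability bands below High (> 80%): Likely 60-80, Moderate 40-60,
# Unlikely 20-40; anything under 20% is Low. Same boundary assumption.
LIKELIHOOD_BANDS = [(4, "Likely", 60.0), (3, "Moderate", 40.0),
                    (2, "Unlikely", 20.0)]

# RISK_MATRIX[likelihood][impact] -> rating code, transcribed from the 5x5 grid
# (VL = Very Low, L = Low, T = Tolerable, H = High, VH = Very High).
RISK_MATRIX = {
    1: {5: "T",  4: "T",  3: "L",  2: "VL", 1: "VL"},
    2: {5: "H",  4: "T",  3: "L",  2: "VL", 1: "VL"},
    3: {5: "VH", 4: "H",  3: "T",  2: "L",  1: "VL"},
    4: {5: "VH", 4: "VH", 3: "H",  2: "T",  1: "L"},
    5: {5: "VH", 4: "VH", 3: "VH", 2: "H",  1: "T"},
}

# Action legend from the page, keyed by rating code.
ACTIONS = {
    "VH": "Urgent action to be taken that will reduce the level of risk to tolerable or less",
    "H": "Detailed action plan required that will reduce the level of risk to tolerable or less",
    "T": "Managed by keeping under review and through continued good practice",
    "L": "Managed through continued good practice",
    "VL": "No action required",
}
SEVERITY_ORDER = ["VH", "H", "T", "L", "VL"]


def impact_rating(service_loss_pct, funding_reduction_pct):
    """Map the two impact measures to the 1-5 severity rating."""
    if service_loss_pct > 50 or funding_reduction_pct > 30:
        return 5  # Catastrophic
    for rating, _label, loss_min, fund_min in IMPACT_BANDS:
        if service_loss_pct >= loss_min or funding_reduction_pct >= fund_min:
            return rating
    return 1  # Insignificant


def likelihood_rating(probability_pct):
    """Map a probability of occurrence (percent) to the 1-5 likelihood rating."""
    if probability_pct > 80:
        return 5  # High
    for rating, _label, p_min in LIKELIHOOD_BANDS:
        if probability_pct >= p_min:
            return rating
    return 1  # Low


def risk_rating(likelihood, impact):
    """Look up the rating code for a likelihood / impact pair (both 1-5)."""
    if likelihood not in RISK_MATRIX or impact not in RISK_MATRIX[likelihood]:
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return RISK_MATRIX[likelihood][impact]


@dataclass
class Risk:
    """One register entry: the raw measures a reviewer would record."""
    name: str
    probability_pct: float
    service_loss_pct: float
    funding_reduction_pct: float

    def rate(self):
        """Return (likelihood rating, impact rating, matrix code)."""
        lik = likelihood_rating(self.probability_pct)
        imp = impact_rating(self.service_loss_pct, self.funding_reduction_pct)
        return lik, imp, risk_rating(lik, imp)


def prioritise(risks):
    """Order a register from Very High to Very Low, then by L+I within a code."""
    def key(risk):
        lik, imp, code = risk.rate()
        return (SEVERITY_ORDER.index(code), -(lik + imp))
    return sorted(risks, key=key)


# Constructed sample register (percentages are illustrative, not from the
# page); the risk wording follows the information-systems rows of Appendix C-3.
SAMPLE_RISKS = [
    Risk("Operating systems placed into production before vulnerability testing", 70, 15, 0),
    Risk("No business continuity plan for critical functions and vital records", 30, 60, 35),
    Risk("Unknown modems attached to the network (no asset inventory)", 85, 3, 0),
]

if __name__ == "__main__":
    for risk in prioritise(SAMPLE_RISKS):
        lik, imp, code = risk.rate()
        print(f"{code:>2}  L{lik} I{imp}  {risk.name}")
        print(f"      {ACTIONS[code]}")
```

Run as a script it prints the register from most to least severe with the action the legend prescribes. Note that the matrix is not a simple sum of the two ratings (likelihood 1 with impact 4 is Tolerable, but likelihood 2 with impact 3 is only Low), which is why the grid is stored verbatim rather than computed.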
Appendix C-4 Example Business Process Impact Analysis

How Important is Information Confidentiality?

BUSINESS RISK of unintended or unauthorized disclosure of information (worst case).
BUSINESS IMPACT RATING: 1: Business Threatened   2: Serious Damage   3: Significant Damage   4: Minor Impact   5: Negligible
ADDITIONAL COMMENTS

Competitive Disadvantage: How damaging would it be if information is disclosed to a competitor? (1 2 3 4 5)
Direct Loss of Business: Could business be lost if information is disclosed? (1 2 3 4 5)
Public Confidence: If information is disclosed what damage could there be to customer confidence; public image; or shareholder or supplier loyalty? (1 2 3 4 5)
Additional Costs: Could extra costs be incurred if information is disclosed? (1 2 3 4 5)
Legal Liability: Could disclosure of information result in a breach of legal, regulatory or contractual obligations? (1 2 3 4 5)
Staff Morale: If information is disclosed could there be a damaging effect on staff morale or motivation? (1 2 3 4 5)
Fraud: If information is disclosed, could goods or funds be improperly diverted? (1 2 3 4 5)

ASSESSMENT: 1: Essential   2: Very Important   3: Important   4: Useful   5: "Nice to Have"
TOTAL SCORE
In summary, taking into account the ratings noted above and any other consequences, what is the importance of the information confidentiality to the business process? (1 2 3 4 5)

C-4.1
Appendix C-4

How Important is Information Integrity?

BUSINESS RISK of errors in information or deliberate manipulation of information to perpetrate or conceal fraud (worst case).
BUSINESS IMPACT RATING: 1: Business Threatened   2: Serious Damage   3: Significant Damage   4: Minor Impact   5: Negligible
ADDITIONAL COMMENTS

Management Decisions: Could incorrect business decisions be made as a result of errors in or unauthorized changes to information? (1 2 3 4 5)
Direct Loss of Business: Could orders or contracts be lost as a result of errors in or unauthorized changes to information? (1 2 3 4 5)
Fraud: Could fraudulent diversion of goods or funds arise from or be concealed by unauthorized changes to information? (1 2 3 4 5)
Public Confidence: What damage could there be to public confidence, public image or reputation, shareholder or supplier loyalty as a result of errors in or unauthorized changes to information? (1 2 3 4 5)
Additional Costs: Could additional costs arise through unauthorized changes to, or errors in, information, e.g. through the need to investigate integrity problems, or to restore the integrity of lost or corrupted data? (1 2 3 4 5)
Legal Liability: Could legal, regulatory or contractual obligations be breached if there are errors in or unauthorized changes to information? (1 2 3 4 5)
Staff Morale: Could there be a damaging effect on staff motivation, e.g. if staff cannot rely on information? (1 2 3 4 5)
Business Disruption: Could the business otherwise be disrupted as a result of errors in or unauthorized changes to information? (1 2 3 4 5)

ASSESSMENT: 1: Essential   2: Very Important   3: Important   4: Useful   5: "Nice to Have"
TOTAL SCORE
In summary, taking into account the ratings noted above and any other consequences, what is the importance of the information integrity to the business process? (1 2 3 4 5)

C-4.2
Appendix C-4

How Important is Information Availability?

BUSINESS RISK of data or systems being unavailable.
BUSINESS IMPACT RATING: 1: Business Threatened   2: Serious Damage   3: Significant Damage   4: Minor Impact   5: Negligible
Duration of Outage: each factor below is rated (1 to 5) for an outage of 1 Hour, 1 Day, 2-3 Days, 1 Week and 1 Month.
ADDITIONAL COMMENTS

Management Decisions: Could decision making be adversely affected by an application being unavailable?
Direct Loss of Business: Could loss of business result from information being unavailable?
Public Confidence: Could customer confidence, public image and reputation, or shareholder or supplier loyalty be damaged if an application is unavailable?
Additional Costs: What additional costs could arise through an application being unavailable?
Legal Liability: Could legal, regulatory or contractual obligations be breached through a loss of the availability of an application?
Recovery: How costly would it be to recover from the backlog in processing if an application was unavailable?
Staff Morale: Could there be a damaging effect on staff morale or motivation if the availability of an application was disrupted?
Fraud: Could fraudulent diversion of goods or funds arise from or be concealed by an application being unavailable?

C-4.3

Business Disruption: Could the business be otherwise disrupted by an application being unavailable?

ASSESSMENT: 1: Essential   2: Very Important   3: Important   4: Useful   5: "Nice to Have"
TOTAL SCORE
In summary, taking into account the ratings noted above and any other consequences, what is the importance of information availability to the business process? (1 2 3 4 5)

C-4.4
Appendix C-4

How Important is Information Effectiveness?

ASSESSMENT OF EXPOSURE DUE TO:
BUSINESS IMPACT RATING: 1: Business Threatened   2: Serious Damage   3: Significant Damage   4: Minor Impact   5: Negligible
ADDITIONAL COMMENTS

Timeliness: If information is not available, what would be the impact on your business within 1 Hour, 1 Day, 2-3 Days, 1 Week, 1 Month? (1 2 3 4 5 for each period)
Correct: If incorrect information is produced, what is the impact on your business? (1 2 3 4 5)
Consistent: If information is not reported in a consistent manner, what is the impact on your business? (1 2 3 4 5)
Usable: If it is not possible to easily use the information obtained from the information systems, what is the impact on your business? (1 2 3 4 5)
Relevant: If the information produced is not relevant to your needs, what is the impact on your business? (1 2 3 4 5)
Opportunities: If IT does not maximize the available business opportunities, what is the impact to your business? (1 2 3 4 5)

ASSESSMENT: 1: Essential   2: Very Important   3: Important   4: Useful   5: "Nice to Have"
TOTAL SCORE
In summary, taking into account the ratings noted above and any other consequences, what is the importance of the information technology effectiveness to the business process? (1 2 3 4 5)

C-4.5
Appendix C-4

How Important is Information Efficiency?

ASSESSMENT OF EXPOSURE DUE TO:
BUSINESS IMPACT RATING: 1: Business Threatened   2: Serious Damage   3: Significant Damage   4: Minor Impact   5: Negligible
ADDITIONAL COMMENTS

Costs: If IT costs are excessive, what is the impact to your business? (1 2 3 4 5)
Most productive: If IT resources are not used productively, what is the impact to your business? (1 2 3 4 5)
Most economical: If IT resources are not used efficiently, what is the impact to your business? (1 2 3 4 5)
Overall: If IT does not provide information through the most productive and economical use of resources, what is the impact for your business? (1 2 3 4 5)

ASSESSMENT: 1: Essential   2: Very Important   3: Important   4: Useful   5: "Nice to Have"
TOTAL SCORE
In summary, taking into account the ratings noted above and any other consequences, what is the importance of the information technology efficiency to the business process? (1 2 3 4 5)

C-4.6
Appendix C-5 ABC Company Software to Hardware Map, November 1998

System Name | Description | Locations | Source | Implement Date
(Platform columns on the original form: IBM Mainframe, Unix Digital, Unix Solaris, UNIX SUN, Novell 4.11, Win NT 4, PC Stand Alone)

Accounts Payable (APPO) | Voucher and vendor information | Rockford | Custom | N/A
Check Printing (McCormick and Dodge) | Check printing | Rockford | Package | N/A
Accounts Receivable (COOP) | Tax information, credit issued, authorization, credit memos, customer account and payment history, customer information, aging, credit limits | Rockford | Custom | N/A
General Ledger (Millenium) | Debit/credit entries | Rockford | Package | N/A
Invoicing (COOP) | Pricing on shipment data | Rockford | Custom | N/A
Manufacturing Quality Assurance (COOP) | Reviewing and reporting on product quality | Rockford | Custom | N/A
Government contract compliance | A group of programs that are utilized for reporting and tracking product to comply with government contract requirements | Rockford | Custom | N/A
Gentrax (EDI) | EDI is used between customers and most vendors: electronic funds transfer (EFT), purchase orders (PO), PO changes, invoices and shipping notices. ANSI X12 for domestic and Edifax for international. | Rockford | Package | 2Q 99
Payroll / Human resources (SHRIS) | Benefits and payroll administration. Purchased from Computer Associates. | Rockford | Package | N/A
Labor Systems | Group of programs separated between plants and employee classification. Used for tracking time and expenses. These programs feed into the SHRIS application. | Rockford | Custom | N/A
Purchasing (SICS) | Purchasing of raw materials and components, also for general purchasing. Keeps track of inventory. | Rockford | Custom | N/A
Materials Requirements Planning (SICS) | Projection of raw materials requirements for production. | Rockford | Custom | N/A
Capacity Requirements Planning (SICS) | Tool for assessing production capacity. | Rockford | Custom | N/A
Master Production Schedule (SICS) | Production scheduling tool | Rockford | Custom | N/A
Job Instruction Sheet (JIS) | On-line assembly instructions for use by production employees | Rockford | Package | N/A
Shop Floor Control | Routes products to appropriate point on the production line. | Rockford | Custom | N/A
Tool and Gauge Management System (TGMS) | Keeps track of tool and gauge usage, calibration, location and maintenance | Rockford | Package | N/A
Advanced Quality System (AQS) | Quality control tool used for ensuring product quality. | Rockford | Package | N/A
Electronic Non-Conforming System | Tracks disposition of non-conforming materials or product, including required paperwork. | Rockford | Package | N/A

C-5.1
Appendix C-5 ABC Company Software to Hardware Map, November 1998 (continued)

System Name | Description | Locations | Source | Implement Date
(Platform columns on the original form: IBM Mainframe, Unix Digital, Unix Solaris, UNIX SUN, Novell 4.11, Win NT 4, PC Stand Alone)

Cost Accounting Management System (CAMS) | General cost accounting for the manufacturing process. | Rockford | Package | N/A
Automated Manufacturing Systems | Applications that are specific to an automated machine and may reside on a stand alone machine. | Rockford | Package | N/A
Lotus Notes | E-mail and database application that is used for product support and communication of service bulletins to customers | Rockford | Package | N/A
Unigraphics | CAD system for designing new products as well as manufacturing. | Rockford | Package | N/A
Catia | CAD system for designing new products as well as manufacturing. | Rockford | Package | N/A
SCINET | Customer support | Rockford | Package | N/A
OPCA Scheduler | Mainframe scheduler | Rockford | Package | N/A
(system name not given on the page) | Change control tool used for controlling changes to the mainframe environment. | Rockford | Package | N/A
CICS | Mainframe transaction processing | Rockford | Package | N/A
IMS | Mainframe transaction processing | Rockford | Package | N/A
MVS OS390 | Mainframe operating system | Rockford | Package | N/A
NT 4 | NT Server operating system | Rockford | Package | N/A
Novell 4.11 | Novell network and server operating system | Rockford | Package | N/A
Openview | HP Openview for system management | Rockford | Package | N/A
Unix HPUX; Unix Sun Solaris; Unix Sun OS; Unix Digital | Engineering / run machines | Rockford | Package | N/A
ACF2 | Mainframe security | Rockford | Package | N/A
NDS | Novell security | Rockford | Package | N/A
Auto Secure (Platinum) | UNIX security | Rockford | Package | N/A
Network Dial in | US Robotics Net Server; Radius connection uses network authentication. Reachout is used for remote control of workstations. | Rockford | Package | N/A
Mainframe Dial | Advantis (IBM Global Network, uses Passport software). | Rockford | Package | N/A
SQL Database | Database that contains management reports from various systems | Rockford | Package | N/A
TMC Databases | Management reporting tool for use with SQL database | Rockford | Package | N/A
DB2 and IMS | Manufacturing uses both | Rockford | Package | N/A
Macafee | Antivirus | Rockford | Package | N/A
Firewall | Interlock | Rockford | Package | N/A
PBX Communications | Phone system (Rolm) | Rockford | Package | N/A

C-5.2
Appendix C-5 ABC Company Software Business Process Map, November 1998

Columns (Mega Process: Major Processes)
§ Product / Process Concept Determination
§ New Product / Process Development: Design Translation; Product Testing
§ Select Marketing Strategy
§ Gain New Business: Communicate Image and Product; Sell Product; Order Processing
§ Procurement: Purchasing; Receiving; Material Planning; Storage and Distribution
§ Production / Product Delivery: Production Planning; Conversion; Distribution; Invoicing
§ After Sales Support: Product Performance; Collection; Product Service
§ Support: Various Support Processes
§ Executive: Various Executive Processes
§ Total Processes Systems Support (count of major processes each system supports)

Rows (System Name), each marked with a 1 in the column of every major process the system supports:
Accounts Payable (APPO); Check Printing; Accounts Receivable (COOP); General Ledger (Millenium); Invoicing (COOP); Manufacturing Quality Assurance (COOP); Government contract compliance; Gentrax (EDI); Payroll / Human resources (SHRIS); Labor Systems; Purchasing (SICS); Materials Requirements (SICS); Capacity Requirements Planning (SICS); Master Production Schedule (SICS); Job Instruction Sheet (JIS); Shop Floor Control; Tool and Gauge Management System (TGMS); Advanced Quality System (AQS); Electronic Non-Conforming System; Cost Accounting Management System (CAMS); Automated Manufacturing Systems; Lotus Notes; Unigraphics; Catia; SCINET; OPCA Scheduler; Openview; CICS; IMS; MVS OS390; NT 4; Novell 4.11; Unix HPUX; Unix Sun Solaris; Unix Sun OS; Unix Digital; ACF2; NDS; Auto Secure (Platinum); Network Dial in; Mainframe Dial

C-5.3
ppendix C-5
Me g a P r oc e s s Maj or Pr ocess
Pr oduct / Process Concept Determination
New P roduc t Product/ Process Development
Design Translation
Product Testing
Select Marketing Strategy
G a in Ne w Bus in e s s Communicate Sell Order Image and Product Processing Product
P roc ure m ent Procurement Purchasing asing Receivi ceiving ng Materia terial Planning Storage and Distribution
P roduction P rodu ct De live ry Production Convers nversion Distrib s tribut ution ion Invoicing Planning
Af ter S ales Support Product Collection i on Performance
Prod Product Service
SystemName SQL Database TMC Databases DB2 and IMS Macafee Firewall PBX Communications Total Systems Process Support
0
2
2
0
0
0
0
2
4
3
2
7
8
11
3
3
3
1
1
Support Various Support Processes
E x e c u t iv e Various Executive Processes
Total Total Processes Systems Support
1 1 1 1 1 1
1 1
2 2 1 1 1 1
30
11
93
A
ppendix C-5
Me g a P r oc e s s Maj or Pr ocess
Pr oduct / Process Concept Determination
New P roduc t Product/ Process Development
Design Translation
Product Testing
Select Marketing Strategy
G a in Ne w Bus in e s s Communicate Sell Order Image and Product Processing Product
P roc ure m ent Procurement Purchasing asing Receivi ceiving ng Materia terial Planning Storage and Distribution
P roduction P rodu ct De live ry Production Convers nversion Distrib s tribut ution ion Invoicing Planning
Af ter S ales Support Product Collection i on Performance
Prod Product Service
Support Various Support Processes
SystemName SQL Database TMC Databases DB2 and IMS Macafee Firewall PBX Communications Total Systems Process Support
0
2
2
0
0
0
0
2
4
3
2
7
8
11
3
3
3
1
1
E x e c u t iv e Various Executive Processes
1 1 1 1 1 1
1 1
2 2 1 1 1 1
30
11
93
! @
4C-5.4 C-5.4
Total Total Processes Systems Support
#
$
Appendix C-6  Sample Risk Assessment

Columns: Mega Processes | Major Processes | Sources of Risk | Risk Importance (H=high, M=med., L=low) | 1999/2000 Planned Project Descriptions

Gain Business / Select Services (acquire and maintain patient volume)
  Major processes and sources of risk:
    - Financial / Qualitative Market Analysis: inability to retain market, competitive pricing, lost reimbursement (H)
    - Contract Management: unintended risk assumption, lack of negotiation leverage, lost contract payments (M)
    - Promote Business: ineffective marketing, managed care leverage, tax-status restrictions (L)
    - Acquire / Allocate Volume: industry consolidation, inability to substitute resources and control utilization (H)
    - Manage Clinician Resources: loss of key physicians, low clinician utilization, lack of management expertise in non-acute environments (M)
  1999/2000 planned projects:
    - Due diligence acquisition process review
    - Managed care contracting, including compliance with contract procedures/payments
    - Tax return compliance audit and consistency/standardization of returns
    - Chargemaster review, including code assignment and maintenance of the chargemaster
    - Home health service process assessment

Provide Service Excellence (deliver patient care)
  Major processes and sources of risk:
    - Patient Admitting & Registration: improper registration procedures or system, downstream data re-work, higher level of claim denial (H)
    - Manage Utilization: decreased quality of care due to aggressive cost containment, malpractice risk, excessive costs (H)
    - Provide Patient Care (inpatient/outpatient): loss of revenue, Medicare/Medicaid and JCAHO regulations, dissatisfied patients, non-compensated care (H)
    - Discharge Patient: additional costs for longer length of stay, inadequate documentation at discharge, interorganizational transfer (H)
  1999/2000 planned projects:
    - Process review of revenue cycle, including registration, charge capture, and billing
    - Lab operational review
    - Medical necessity for PT/OT services
    - FACIS - automated database screening for sanctioned personnel
    - Radiology and pharmacy documentation and billing process

Collect Payment / Financial (manage billing and receivables, including medical records)
  Major processes and sources of risk:
    - Establish Payment Method: excess indigent patients / bad debt, third-party reimbursement/settlement (H)
    - Capture / Code Patient Charges: improper or fraudulent coding (Medicare/Medicaid), loss of revenues (H)
    - Invoice Payor / Patient: fraudulent billing, errors in billing, charge accumulation system adequacy (H)
    - Accounts Receivable Management: liquidity and cash management issues, collection agency performance, capitated contract losses (H)
  1999/2000 planned projects:
    - Cost report reimbursement optimization study
    - Medical records review; tests for completeness, accuracy and confidentiality
    - 72 hour rule; includes test for non-compliance and review of policies/procedures
    - Accounts receivable review; includes establishment of reserves, aging, collection efforts

Executive (set the strategic direction, policies, and guidelines for the organization as a whole)
  Major processes and sources of risk:
    - Manage Regulatory and Legal Matters: insufficient risk management / self-insurance systems, healthcare fraud and abuse (H)
    - Maintain External Relationships: joint ventures, affiliations, consolidations (H)
    - Manage Investor Relations: change in use of tax-exempt bond proceeds jeopardizes the exemption of the bonds (H)
    - Establish Policies and Procedures: inefficient control structure, inadequate policies and procedures, media focus on high-profile issues (H)
    - Manage Network Synergy: breakdown of network relations, inability to provide a full continuum of care, uncontrolled capitation (H)
    - Manage Corporate Compliance Programs: non-compliance with and insufficient understanding of current regulations, physicians without credentials, tax issues (H)
  1999/2000 planned projects:
    - Revenue cycle, including registration, charge capture, and billing (physician practice)
    - Unrelated business income for joint ventures tax assessment
    - Qualified use of tax-exempt bond proceeds review
    - Intermediate sanctions policy and procedures review
    - Physician practice tax review and physician exit strategies
    - Corporate compliance plan effectiveness
    - Private inurement exposure, including reasonableness of physician compensation

Support the Organization
  Major processes and sources of risk:
    - HR (Physician and Employee Resources) / Payroll: physician recruitment, retention and physician organizations (private inurement), Stark (fraud and abuse)
    - Financial Reporting / Budgeting: non-compliance with GAAP, material misstatements, inaccurate budgets
    - Purchasing: corporate non-compliance, fraud and abuse in purchasing and vendor relationships
    - Accounts Payable / Disbursements: corporate non-compliance, fraud and abuse in A/P and disbursements
    Risk importance ratings given for this group: M, H, M
  1999/2000 planned projects:
    - Outsourced services contract and compliance review / tax implications
    - Contracted lab performance review
    - Accounts payable review; includes compliance with policy and test for duplicate payment

  Information Systems (information systems, security, and related software and hardware)
    - System Maintenance: vendor support, internal systems development life cycle (H); project: change management controls review
    - Data Security: outside intruders, internal errors and mistakes (H); project: data security review
    - Contingency Planning: lack of plan or inadequate planning (H); project: business continuity plan review
    - Operations Management: physical security, IT operating procedures (H); project: operations management review
    - Application Systems: user errors, poor controls (H); project: application reviews - radiology and pharmacy
Appendix C-7  Summary of Key Financial Audit Considerations

FBS Bank
Summary of Key Financial Audit Considerations
December 31, 1998

Columns: Account Classification | Principal Audit Strategy | Primary Audit(s) | Final Risks | Reconsider Project | Manager Sign-off

Account classification: Commercial Loans (Commercial, Financial Institutions, Real Estate Mortgage, Real Estate Construction, Leases, Corporate Card, Purchasing Card, Asset-Based Lending) and Interest Receivable

Principal audit strategy (primary audit in brackets):
• Review Credit Exam's reports to determine compliance with loan underwriting standards and authorization procedures. [Credit]
• Test a sample of new originations for presence of proper loan documentation (legal documents and approvals). [Retail (Commercial Loan Service Center, cycled)]
• Test a sample of new originations for presence of proper lease documentation (legal documents and approvals). [Leasing]
• As of an interim date, test the reconciliation process of the entire area. [Leasing]
• As of an interim date, test the reconciliation of the total commercial loan portfolio on the general ledger to the ancillary systems. [Commercial Financial Statements]
• Confirm loans and leases* as of an interim date, including any participations purchased. [Commercial Financial Statements]
• Review loan suspense accounts at interim date for unusual items or stale reconciling items. [Commercial Financial Statements]
• Test the calculation of interest income, the posting of interest income, the amortization of premiums/discounts and the proper set up and accretion of loan fees for all commercial loan categories. [Commercial Financial Statements]
• Test the deferral of loan fees under FAS 91. [Corporate/Interim]
• Review documentation of loans made to related parties and evaluate whether loans were made on the same terms as those made to unrelated parties (refer to proposed audit committee materials). [Credit]
• Review reasonableness of RPT disclosures at year-end. [Corporate/Quarterly Reviews]
• Perform an analytical review on yields and average balances. [Credit]
• Test the aging of account balances, reset dates and the interest income and accrual posting on the Total system (Corporate Cards). [Payment System]
• Test the aging of delinquent account balances, reset dates and interest income and accrual posting on the lease accounting system. [Leasing]
• Test the aging of account balances, reset dates, and interest income and accrual posting on the AFS system (commercial, financial institutions, real estate, asset-based lending). [Retail (Commercial Loan Service Center audit, cycled)]
• Review the residual value estimation process for leased assets to determine whether any additional write-downs need to be made in accordance with FASB 13. [Leasing]

*Refer to separate analysis of confirmation procedures for additional details.

(C-7.1)

Account classification: Consumer Loans (Residential Mortgages, Home Equity Loans, Consumer Cards, Automobile Loans, Revolving Lines of Credit, Student Loans) and Interest Receivable

Principal audit strategy (primary audit in brackets):
• Review changes to underwriting standards to determine implication to allowance for credit losses. [ACAPs Audit]
• Review the underwriting override approval process and volume of overrides. [ACAPs Audit]
• Review credit examination reports to determine adherence to underwriting standards for consumer products. [Credit]
• Test compliance with underwriting standards. [Consumer Loan Compliance]
• Test the aging of outstanding loan balances, reset dates and interest income and accrual posting on the Mtech and IMPAC systems (consumer cards and revolving lines of credit). [Payment System and Mtech audits]
• Test the aging of outstanding loan balances, reset dates and interest income and accrual posting on the Shaw system (automobile, residential mortgage, home equity loans, student loans). [Installment Loan Accounting & Operations and Shaw Audit]
• Test the aging of outstanding loan balances, reset dates and interest income and accrual posting on the LOC system (overdraft protection line of credit). [Retail Service Center]
• Confirm a sample of loans* as of an interim date and review a sample of general ledger reconciliations. [Retail Asset Confirmations]
• As of an interim date, test the reconciliation of the consumer loan portfolio on the general ledger to the ancillary systems. [Retail Asset Confirmations]
• As of an interim date, test the reconciliations of residential mortgage, student loan, revolving credit and automobile loan and related accrued interest accounts. [Retail Service Center]
• As of an interim date, test the reconciliations of revolving credit and consumer credit cards and related accrued interest accounts. [Payment Systems]
• As of an interim date, test the reconciliations of indirect automobile loan and related accrued interest accounts. [Indirect Lending]
• Review loan activity from confirmation date to year-end and investigate unusual activity. [Retail Assets Confirmations]
• Perform an analytical review on the yields and investigate any unusual trends. [Corporate/Quarterly Reviews]
• Review the lower of cost or market valuation for residential mortgage loans held for sale and evaluate the need for any adjustments, if material. [Retail Mortgage]

*Refer to separate analysis of confirmation procedures for additional details.

(C-7.2)

Account classification: Other Significant Areas

Principal audit strategy (primary audit in brackets):
• Review the year-end trust fee accruals to determine the accuracy of the fee accrual and proper cut-off. [Trust]
• Review off-balance sheet accounts for reasonableness and inquire regarding any unusual balances. [Corporate/Financial Statements]
• Inquire of Bill Cox regarding the year-end reconciliation process and any issues or out-of-balance situations. [Corporate/Financial Statements]
• Completion of Year 2000 internal audit. [BTC]
• Completion of all documented Activity 8 audit procedures, as documented in the Activity 8 Scope & Approach Memo. [BTC]
• Inquire of significant items discussed during the general ledger close process as of year end. [Corporate/Financial Statements]
• Client Relationship Executive inquiry of senior management - see separate matrix.

*Refer to separate analysis of confirmation procedures for additional details.

(C-7.3)
Appendix D-1  Sample Annual Audit Plan

Columns of the plan tables: E&Y Notation | Description of project | Type of Project | Entity One | Entity Two | Entity Three | Entity Four | Corporate Entity | Estimated Cost Per Project | # of Projects | Total Cost

E&Y Notations:  IAS = Internal Audit Services; ISAAS = Information Systems Assurance and Advisory Services; TAX = Tax Services; ABS = Health Care Advisory Business Services
Type of Project:  R = Risk; O = Operational; C = Compliance

Year 1

Regional / Corporate
  - Due diligence acquisition process review  [Tax/IAS; R,O]  $10,000 x 1 = $10,000
  - Medical necessity for PT/OT services  [ABS; R,C]  $14,000 x 2 = $28,000
  - Corporate compliance plan effectiveness  [IAS; C]  $15,000 x 2 = $30,000
  - Qualified use of tax-exempt bond proceeds review  [Tax; R,C]  $8,000 x 1 = $8,000
  - Intermediate sanctions policy and procedures review  [Tax; R]  $30,000 x 1 = $30,000
  - Unrelated business income for joint ventures tax assessment  [Tax; R]  $5,000 x 1 = $5,000
  - Tax return compliance audit and consistency/standardization of returns  [Tax; R,O]  $20,000 x 0 = $-
  - FACIS - automated database screening for sanctioned personnel  [ABS; C]  $15,000 x 1 = $15,000
  - Special projects (as requested by management)  [IAS]  $70,000 x 1 = $70,000

Acute Care Facilities
  - Process review of revenue cycle - Registration - Charge Capture - Billing  [IAS]  0 projects in Year 1
  - Lab operational review  [IAS]  $24,000 x 1 = $24,000
  - Radiology and pharmacy documentation and billing process  [ABS/IAS]  $24,000 x 1 = $24,000
  - Chargemaster review; includes code assignment and maintenance of the chargemaster  [ABS/IAS]  $24,000 x 1 = $24,000
  - 72 hour rule; includes test for non-compliance and review of policies/procedures  [IAS]  $24,000 x 0 = $-
  - Cost report reimbursement optimization study  [ABS]  $36,000 x 0 = $-
  - Accounts receivable review; includes establishment of reserves, aging, collection  [IAS]  $29,000 x 2 = $58,000
  - IBNR process review  [IAS]  $6,000 x 2 = $12,000
  - Accounts payable review; includes compliance with policy and test for duplicate payment  [IAS]
  - Private inurement exposure; includes reasonableness of physician compensation  [Tax]
  - Medical records review; tests for completeness, accuracy and confidentiality  [IAS]
  - Payroll cycle review for accuracy, approvals and compliance with procedures  [IAS]
  - Managed care contracting; includes compliance with contract procedures/payments  [IAS]
  - Outsourced services contract and compliance review / tax implications  [IAS/Tax]
  - Contracted lab performance review  [IAS; R,O]

Physician Practices
  - Revenue cycle, including registration, charge capture, and billing  [IAS; R,O]  $38,500 x 2 = $77,000
  - Physician practice tax review and physician exit strategies  [Tax; R]  $5,000 x 2 = $10,000
  - Home health service process assessment  [IAS; R,C]  $24,000 x 0 = $-

Information Technology (all ISAAS)
  - Information technology risk assessment  $40,000 x 1 = $40,000
  - General controls review (acute care)  $51,200 x 1 = $51,200
  - General controls review (physician practice)  $12,800 x 2 = $25,600
  - Accounts payable application review  $16,000 x 1 = $16,000
  - Application-specific reviews as determined by the risk assessment; representative projects, at $16,000 each, none scheduled in Year 1:
      - Accounts receivable
      - Laboratory
      - Radiology and pharmacy

Year 1 totals: 31 projects, $713,800

(D-1.1, D-1.2)

Years 2 & 3

The same project list, notations and per-project estimates as Year 1. Counts and totals legible in the plan tables:

Regional / Corporate
  - Due diligence acquisition process review  [Tax/IAS; R,O]  $10,000 x 2 = $20,000
  - Medical necessity for PT/OT services  [ABS; R,C]  $14,000 x 2 = $28,000

Acute Care Facilities
  - Process review of revenue cycle - Registration - Charge Capture - Billing  [IAS]  2 projects
  - Lab operational review  [IAS]  $24,000 x 2 = $48,000
  - Radiology and pharmacy documentation and billing process  [ABS/IAS]  $24,000 x 2 = $48,000
  - Chargemaster review; includes code assignment and maintenance of the chargemaster  [ABS/IAS]  $24,000 x 2 = $48,000
  - 72 hour rule; includes test for non-compliance and review of policies/procedures  [IAS]  $24,000 x 1 = $24,000
  - Cost report reimbursement optimization study  [ABS]  $36,000 x 2 = $72,000
  - Accounts receivable review; includes establishment of reserves, aging, collection  [IAS]  $29,000 x 1 = $29,000
  - IBNR process review  [IAS]  $6,000 x 1 = $6,000

Years 2 & 3 total cost: $1,071,700

(D-1.3, D-1.4)
Sample Annual Audit Plan

Project Descriptions
The following descriptions outline the scope and approach of the projects in the three year plan. A separate report, including findings, recommendations and management responses, will be issued at the conclusion of each project.

Regional/Corporate

Due diligence acquisition process review Document the components of the acquisition or joint venture process. Review the effectiveness of key process components, specifically, evaluation, financial and qualitative analysis, and negotiation. Evaluate the controls over these processes. Test the accuracy of historical financial and qualitative projections versus actual results.

Medical necessity for PT/OT services Assess the adequacy of documentation related to the medical necessity of physical and occupational therapy services provided to Medicare residents of skilled nursing facilities (SNFs). Test for adherence to guidelines which require that therapy services be reasonable and necessary, and provide a specific and effective treatment for the patient’s condition.
Corporate compliance plan effectiveness Perform a diagnostic review of existing corporate compliance program effectiveness. This typically involves sampling and auditing the knowledge and performance of personnel critical to the organization’s Corporate Compliance program; specifically, to determine the effectiveness of training programs and overall compliance with Office of Inspector General (OIG) standards. This review will be prepared in accordance with the OIG model program for Hospitals.
Qualified use of tax-exempt bond proceeds review Review policies and procedures in place to monitor the qualified use of tax-exempt bond financed facilities, given recent regulations issued by the U.S. Department of Treasury.
Intermediate sanctions policy and procedures review Review intermediate sanctions policy and procedures including a list of disqualified persons and the guidelines used to create the list. Review documentation confirming how a rebuttable presumption of reasonableness was established for applicable transactions and documentation identifying how the intermediate sanctions policies tie in to other corporate policies.
Unrelated business income for joint ventures tax assessment Review the structure of joint venture relationships to ensure tax exposure items associated with unrelated business income and private inurement are adequately addressed and supported by appropriate documentation.
Tax return compliance process audit and consistency/standardization of returns Review the tax return compliance processes, including assessing the technical accuracy of the returns, reviewing the charity care and community benefit reporting of each health care entity and ensuring consistent disclosure and reporting among the entities in the WFSI system.
FACIS - automated database screening for sanctioned personnel Screen health professionals and contracted companies through over 200 governmental databases including records of sanctioned healthcare personnel and institutions. The databases include individuals and entities with disciplinary actions and sanctions at all levels of government, including federal, state, and other quality assurance entities.
Special Projects (as requested by management) Special projects represent a percentage of the overall IA budget (typically 10%) which is available at management’s discretion for EY support on an as-needed basis to address timely issues; performing an audit in support of a corporate compliance hot line call is a typical project of this type.
Acute Care Facilities
Process review of revenue cycle including registration, charge capture, and billing A review of policies and procedures for the registration, charge capture, and billing process. Evaluation of the internal control environment includes a review for complete and accurate patient information collection and proper dissemination of information. A review of select accounts will help to identify if all charges are captured, documented and billed correctly.
Lab operational review Evaluate the efficiency and effectiveness of laboratory operations and the laboratory results reporting system. Review for the existence of and compliance with internal controls surrounding the reliability and integrity of information produced by the lab system. Assess the controls over timeliness, completeness and accuracy of the capture and entry of patient charges.
Radiology and pharmacy documentation and billing process Review the charge process to verify that patient charging is consistent with policies and procedures. Tests of charges for accuracy, completeness and timeliness. Verify that all documentation is included and supports the charges. Review internal management reports for sufficient/timely information and the follow-up process, if applicable, for resolution of outstanding items.
Chargemaster review includes code assignment and maintenance of CM A process approach to review, assess and enhance revenue generation through the proper design and maintenance of the Chargemaster. Includes departmental coding review for improved billing/reimbursement and infrastructure development for Chargemaster support.
72-hour rule includes test for non-compliance and review of policies/procedures Evaluate compliance with Medicare’s 3-day rule using quadruped's 72 Hour diagnostic tool. Using both inpatient and outpatient billing data, this tool identifies claims for non-physician services performed within three days of admission. The effectiveness of the policies and procedures will be evaluated based upon the results of this analysis.
Cost report reimbursement optimization study Comprehensive review of the cost reporting process, designed to increase reimbursement. Includes ensuring appropriate reporting of pass-through items based upon the most recent interpretation of the regulations, identifying opportunities to update the cost reporting process to more accurately reflect appropriate allocations between inpatient/outpatient services and correcting the report to adhere to appropriate Regulations as they apply.
Accounts receivable review includes establishment of reserves, aging and collection A review of policies and procedures for the accounts receivable process. Document and evaluate establishment of reserves. Verify that the collection process is effective and functioning as intended. Review the receivable reports and investigate significant changes in aging categories.
IBNR process review Document claims processing within the organization specific to Incurred But Not Reported (IBNR) claims. Evaluate the controls and policies/procedures in place to minimize the charges which have not yet entered the claims processing flow. This will include an analytic review of claims data in an effort to identify root causes, areas of high risk and associated cost.
Accounts payable includes compliance with policy and test for duplicate payment Evaluation of the system of internal controls including detailed tests of completed invoices, review for supporting documentation, proper authorization and tests for duplicate payments. Includes a review of controls over check stock. Other tests include using computer assisted audit techniques to identify unusual payments for a more focused analysis.
Private inurement exposure includes reasonableness of physician compensation Review contracts for compliance with regulations and hospital policy based upon a review of payments for non-clinical services, advances, services performed and referral incentives.
Medical records review tests for completeness, accuracy and confidentiality Review medical records for accuracy, timeliness, and accessibility. Review for sufficient information to identify a patient, support diagnosis, justify treatment and document results accurately. Review the records to ensure they are confidential, secure, current, authenticated, legible and complete.
Payroll cycle review for accuracy, approvals and compliance with procedures Review payroll policies and procedures. Evaluate controls to help ensure payroll changes are accurate and properly authorized. Detailed tests will include using diagnostic tools to review pay rates, hours worked, employee address records and tax identification information. Other tests to include a review of controls over payroll check stock.
Managed care contracting includes compliance with contract procedures/payments Review and evaluate the managed care contracting process including adherence to policies and procedures. Evaluate controls for identifying participant eligibility and coverage. Assess utilization review process including how payments and write-offs are monitored for timeliness and accuracy. Computer assisted audit tools and analytics will be employed to model expected payments relative to actual payments, highlighting areas of increased exposure and opportunity.
Outsourced services contract and compliance review/tax implications Review select contracted services to ensure the services are performed in accordance with agreed upon terms. Review for accurate and timely billing, as well as continued compliance monitoring procedures. Assess the tax implications of the agreement.
Contracted lab performance review Evaluate the laboratory’s compliance with the contract. Determine if policies and procedures are in place and operating effectively. A high level review of the laboratory operations and the billing system will be performed.
Physician Practices
Revenue cycle including registration, charge capture, and billing A review of policies and procedures for the registration, charge capture, and billing process. Evaluation of the internal control environment includes a review for complete and accurate patient information collection and proper dissemination of information. A review of select accounts will help to identify if all charges are captured, documented and billed correctly.
Physician practice tax review and physician exit strategies Review operational results of physician practices to ensure tax exposures related to deficits are minimized and exit strategies are documented and implemented.
Home Health Services Process Assessment Review home health care policies and procedures, evaluate internal controls with emphasis on segregation of duties, controls over cash and billing procedures. Also includes review for effectiveness of information systems.
Information Technology
Information Technology risk assessment Review of the IT inventory including hardware, operating systems, applications, network and telecommunications. Based upon the inventories, IT will have discussions with local and corporate management regarding risks and concerns related to these specific IT areas.
General Controls review Review of the controls that support the data center and related activities. Specifically, these reviews cover: physical security of the data center, logical security controls, operations management, IT administration and strategy, systems development and maintenance and business continuity planning.
General Controls review (physician practice) Similar to the general controls review noted above, IT would select a sample of physician billing offices and perform a general controls review and also determine the level and controls surrounding the interfaces to corporate or hospital based systems.
Accounts Payable application review This review will consist of evaluating system controls within the A/P application. Typical controls include: invoice input, reporting controls, application level security, change management and backup/recovery procedures.
Application specific reviews as determined by the risk assessment Representative projects may include accounts receivable, laboratory, radiology and pharmacy.
Appendix D-2 Engagement Economics Template
Ernst & Young L.L.P. Project Management Worksheet

CLIENT NAME: ABC Inc.
ENGAGEMENT DESCRIPTION: IT Internal Audit Services - Application Review
LISTING TYPE: ISAAS
AUDIT PARTNER: John Megabucks
ENGAGEMENT RELATIONSHIP MANAGER: (blank on the template)
ENGAGEMENT MANAGER: Bob Dole
FIXED COST QUOTED: (blank on the template)
ADMINISTRATIVE SURCHARGE: 9.5%

Budgeted hours and fees by task (the split of each task's hours across staff levels did not survive extraction):

Task                                 % of hours   Hours      Fees
Planning                                  10%       14    $3,728
Application Security                      23%       32    $5,042
Interface Testing                         20%       28    $4,510
Edit Check Testing                        11%       16    $2,620
Reconciliation Review                      6%        8    $1,260
Physical Security of Forms                 3%        4      $532
Output Distribution                        3%        4      $532
Report Writing & Review - Draft            9%       12    $1,792
Report Writing & Review - Final            4%        6    $1,290
Presentation Development - Draft           9%       12    $2,580
Presentation Development - Final           3%        4    $1,512
Total                                    100%      140   $25,398

Resources assigned, fees at 100% of standard (unused staff slots with zero hours omitted):

Resource      Rate/hour   Hours      Fees   % of hours   Admin recovery   Loaded fees
Partner          $475        4    $1,900        3%            $181          $2,081
Manager          $281       20    $5,620       14%            $534          $6,154
Senior           $182       50    $9,100       36%            $865          $9,965
Staff #1         $133       66    $8,778       47%            $834          $9,612
Contingency                  0        $0        0%              $0              $0
Total                      140   $25,398      100%          $2,413         $27,811

Valuation (fees realised at a percentage of standard, 140 budgeted hours):

Valuation %            90%      85%      80%      70%      60%      50%
Valued fees        $22,858  $21,588  $20,318  $17,779  $15,239  $12,699
Avg rate per hour     $163     $154     $145     $127     $109      $91
Admin               $2,172   $2,051   $1,930   $1,689   $1,448   $1,206
Total fees & admin $25,030  $23,639  $22,249  $19,468  $16,686  $13,905
Expenses           (blank on the template)
Appendix E-1 Sample Scope

ABC Company
Accounts Payable Application Review
Proposed Audit Scope
4/29/99

I. Objective
The primary purpose of this review will be to perform a post implementation review of the Accounts Payable application. The review will focus on testing specific agreed upon business controls and processes.

II. Proposed Scope
1. Follow-up review of issues noted in the pre-implementation Accounts Payable review conducted in 1998:
   • Group security assignments and settings
   • Password administration for default IDs
   • Procedures for addressing pending status checks and invoices
   • Use of the application audit trail utility
2. Identify and quantify all individuals with authority, or the potential, to create and approve their own checks.
3. Identify and quantify all individuals with authority to perform payment cancellation procedures and related control weaknesses surrounding payment cancellations. Specifically inquire as to controls in place for generating replacement checks.
4. Review the implementation plan for the application upgrade (Year 2000 compliant version), and SYBASE to Microsoft SQL Server conversion.
5. Review process for approving invoices.
6. Review all aspects of the check printing and distribution process.
7. Since timely reconciliation is an integral part of the control environment, review the procedures for cash reconciliations.
8. Identify and review the controls in place over the approved vendor database.
9. Identify and research other application workflow issues as identified.

III. Timing
The review will begin on Monday, May 12 with a draft report delivered by early June. We will provide a weekly update of time incurred and will communicate any issues as they arise.

IV. Budget
We currently estimate the total hours of the engagement at 160. We will not exceed this time without first discussing any situations with you. The estimated rate and hour breakdown is as follows:
Staff Level    Estimated Hours   Hourly Rate   Estimated Fees
Sr. Manager                  2        249.00           498.00
Manager                     20        195.00         3,900.00
Senior                      78        126.00         9,828.00
Staff                       60         93.00         5,580.00
Total                      160                      19,806.00
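Items 2, 3 and 8 of the proposed scope are segregation-of-duties questions, and item 2's "or the potential" means the auditor has to look at inherited rights, not only direct ones. The script below is an added example, not part of the original appendix or of any A/P product: it resolves each user's effective rights through nested groups and flags the combinations the scope asks about. The group names, permission names, nesting and user records are constructed for illustration.

```python
"""Segregation-of-duties check for an Accounts Payable application.

Added example, not part of the original appendix. It covers items 2, 3 and 8
of the proposed scope: who can both create and approve checks, who can cancel
payments (and so trigger replacement checks), and who can both edit the
approved vendor database and create checks. All names below are constructed.
"""
from collections import deque

# Constructed sample: group -> permissions granted directly by that group.
# In a real A/P system these would come from the application's security tables.
GROUP_PERMS = {
    "AP_CLERK": {"CHECK_CREATE", "INVOICE_ENTRY"},
    "AP_SUPERVISOR": {"CHECK_APPROVE", "PAYMENT_CANCEL"},
    "AP_ADMIN": {"VENDOR_MASTER_EDIT"},
    "AP_ALL": set(),                        # umbrella group, grants nothing directly
    "APP_SECADMIN": {"GROUP_MEMBERSHIP_EDIT"},
}

# Constructed sample: group -> groups it contains (membership is inherited).
GROUP_NESTING = {
    "AP_ALL": {"AP_CLERK", "AP_SUPERVISOR", "AP_ADMIN"},
}

# Constructed sample: user -> direct group memberships.
USERS = {
    "jdoe": {"AP_CLERK"},
    "msmith": {"AP_SUPERVISOR"},
    "rjones": {"AP_ALL"},                   # inherits every A/P right through nesting
    "secadm": {"APP_SECADMIN"},
    "tlee": {"AP_CLERK", "APP_SECADMIN"},   # could add themselves to AP_SUPERVISOR
}

# Permission pairs that one person should not hold together (scope items 2 and 8).
CONFLICTS = [
    ("CHECK_CREATE", "CHECK_APPROVE"),
    ("VENDOR_MASTER_EDIT", "CHECK_CREATE"),
]


def effective_permissions(groups, group_perms=GROUP_PERMS, nesting=GROUP_NESTING):
    """Resolve the permissions a set of groups grants, following nested groups.

    Breadth-first walk with a visited set, so cyclic nesting cannot loop forever.
    """
    seen, queue, perms = set(), deque(groups), set()
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        perms |= group_perms.get(group, set())
        queue.extend(nesting.get(group, ()))
    return perms


def sod_findings(users=USERS, conflicts=CONFLICTS):
    """Return {user: [finding, ...]} for every user whose rights need follow-up."""
    findings = {}
    for user, groups in users.items():
        perms = effective_permissions(groups)
        notes = []
        for first, second in conflicts:
            if first in perms and second in perms:
                notes.append(f"holds both {first} and {second}")
        # Scope item 3: cancellation authority is not a conflict by itself, but the
        # controls over replacement checks must be reviewed for each such user.
        if "PAYMENT_CANCEL" in perms:
            notes.append("can cancel payments; check replacement-check controls")
        # Scope item 2, "or the potential": a user who can edit group membership
        # can grant themselves any right, so report that alongside any A/P right.
        if "GROUP_MEMBERSHIP_EDIT" in perms and perms - {"GROUP_MEMBERSHIP_EDIT"}:
            notes.append("can edit group membership while holding A/P rights")
        if notes:
            findings[user] = notes
    return findings


if __name__ == "__main__":
    for user, notes in sorted(sod_findings().items()):
        print(f"{user}: " + "; ".join(notes))
```

On the constructed data, jdoe and secadm are clean, while rjones is reported for both conflict pairs plus cancellation authority because every right reaches him through AP_ALL.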
Appendix E-2 Engagement Agenda

THE ABC COMPANY
IT Internal Audit
Accounts Payable Application Review
Agenda 4/29/99

A) Ernst & Young LLP Team
   John Megabucks, ISAAS Partner
   Bob Dole, ISAAS Manager
   Bo Diddly, eSS Senior Consultant
B) Changes in Accounts Payable Process or IT Environment
C) Proposed Scope of Engagement (See Attachment)
D) Requirements of ABC Company
E) Key Contacts
F) Timing
G) Questions or Concerns
Appendix E-3 Process Flow Diagram

ABC Company Check Distribution Process
1. Mailroom hand delivers the checks to the department contact.
2. Contact signs a log that lists the number of checks they received.
3. Contact delivers the checks to the requesting individuals in their department.
   • Not at their desk: Contact leaves a voice mail for the requestor to come pick up their checks.
   • At their desk: continue with the next step.
4. Requestor signs a log, maintained by the Contact, that lists the number of checks they received.
5. Requestor places the stuffed envelope in the out tray to be mailed.
6. Requestor lists the date and time they mail the checks on the log that the Contact maintains.

NOTE: If checks are not mailed on the same day they are received, the requestor is required to store the checks in a locked cabinet at their desk.
Appendix E-4 Sample Narrative Notes

ABC COMPANY NARRATIVE NOTES
MAILROOM CHECK DISTRIBUTION PROCESS

Objective: Develop an understanding of the mailroom check distribution process for ABC Company.

Methodology: Corroborative inquiry and observation with appropriate ABC Company personnel to obtain an understanding of the process.

Results:
On March 4, 1999, we met with Cashier and Systems Analysis to review the check printing and distribution process. This process consisted of the checks that were processed the preceding evening and the on-demand checks that were submitted in the same day.

Mailroom Observation: We observed how checks are sent to the mailroom, how checks are stuffed into envelopes, and how the number of checks mailed is reconciled to the number of checks Cashier printed to be mailed directly. Checks are picked up from the tray in Cashier’s area on the mailroom’s second mail run, which takes place at 10:00 a.m. The individual picking up the checks for mailing is not required to sign the check pickup sheet, which lists the number of checks picked up and who picked them up. Once the checks have been picked up, they are ready to be stuffed into the envelope, sealed, and mailed. Checks are stuffed automatically on a machine in the mailroom. After the checks have been stuffed, the individual in the mailroom looks at the address window on each envelope to ensure there is an address. During our observation, there was one check that did not have an address. When all of the checks have been stuffed, the mailroom calls Cashier and tells her how many checks are going to be mailed and also any checks that need an address. Once Cashier receives this information she informs the mailroom individual that the amount of checks being mailed is correct. Any time a check needs an address, the mailroom walks the check up to Cashier immediately for corrections to be made. Next, the number of checks being mailed and the number of exceptions are written in a log in the mailroom. Finally, the envelopes are sealed and ready to be mailed.

Reasons Checks Go Back to the Departments: We discussed with Client Support and New Business Account Representative the reasons behind them requesting to have their checks sent back to them once they have been printed.
Client Support: The primary reason Client Support requests to have some of her checks sent back to her is because she needs to enclose a remittance along with the check in the envelope. In addition, Client Support may have a check sent back to her because she has to Federal Express it overnight. Finally, Client Support explained that she has had minimal problems with checks consisting of the incorrect address after she changes it in the application system. Therefore, she requests to have the checks back for the ones that she has changed the address on to make sure they print correctly. This issue may be an interface problem, because the system is picking up a completely different address than the previous one or the one it was changed to.

New Business Account Representative: New Business explained that she requests to have checks sent back to her on a regular basis, because she deals with the approval of applications. These approvals may lead to withdrawals, postpones, declines, and not takens, which require a letter to be sent along with the check so the individual receiving the refund check in the mail does not get the check back before they receive the letter.

Check Storage Security: Checks are delivered to the requesting departments by the mailroom. These checks are placed in a tray that resides in the area of each department. During the day, the requesting individual picks up their own check from the tray or someone will pick up the check and place it in a basket on the respective individual’s desk. This process leads to checks being left in trays and on desks overnight, etc.
Appendix E-5 Issues Summary

ABC Company Issues Summary Example

Workpaper reference: B1 (Corporate Database)
Concern: There are currently no formal documented procedures for submitting requests, maintaining test scripts and related documentation, and logging program changes for the Corporate Database.
Issue resolution: MLC - See w/p A1-3

Workpaper reference: B1 (Corporate Database)
Concern: There is currently no formal change log of all database changes; however, any major change is briefly documented at the beginning of the program’s code.
Issue resolution: MLC - See w/p A1-3

Workpaper reference: B1 (Corporate Database)
Concern: It was noted that the current problem log does not have a field or area which documents problem resolution.
Issue resolution: Verbally discussed with client - the problem log does have a problem resolution field; however, it was not printed on the report we received.

Workpaper reference: D1 (LAN Program Change)
Concern: There are instances where the user departments do not go through the IS department (e.g. user departments purchasing their own software). IS has educated and encouraged users to ensure that the formal process is followed.
Issue resolution: Verbally discussed with client - compensating controls are in place.

Workpaper reference: D1 (LAN Program Change)
Concern: Before new or changed code is moved into production, the previous code is not moved or copied. In other words, there are no formal procedures in place for version control or back-out of new or changed program code.
Issue resolution: MLC - See w/p A1-3

Workpaper reference: D1 (LAN Program Change)
Concern: It was noted during the review that the LAN Administrators currently have the capability to create LAN security groups without the Security Administrator’s knowledge. In addition, for the unauthorized groups that are created, supporting documentation is not consistently being prepared for each group (e.g. Security Request Form).
Issue resolution: MLC - See w/p A1-3
Appendix E-6 Client Satisfaction Survey

Audit Project:          Date:          Completed By:

CLIENT FEEDBACK
Your input is essential to our improvement and success. Please mark the box which best describes the level at which we performed during the audit project. Please provide specific examples whenever possible in the space provided. Thank you!

Each item is rated from 1 (Not at all) to 5 (Very much so), with a Suggestions/Comments space beside it.

During the audit process, did we:
1. Clearly communicate the timing, objectives and scope of the audit
2. Facilitate an informative opening meeting with you
3. Jointly agree on the scope of the audit, including your specific concerns
4. Execute the audit in an efficient manner with minimal disruption
5. Conduct ourselves in a professional manner
6. Keep you informed of our observations and the status of the project
7. Show that we were knowledgeable of your processes, risks and controls
8. Facilitate an effective closing meeting with you that provided no surprises
9. Report observations that address your concerns
10. Make sensible recommendations which provide realistic and workable solutions
11. Write a report that was easy to read and understand, and appropriately prioritized our observations
12. Clearly explain our assessment criteria and apply it fairly to the audit
13. Appropriately reflect your challenges, achievements and proactive actions in the report
14. Add value to your operation

We would appreciate any additional feedback you can provide. Thank you!
Appendix F Communicate Results
Audit Committee Subject Calendar

Meeting dates: Jan, Mar, Aug, Nov. (The marks showing which subject is scheduled for which meeting did not survive extraction.)

Audit Committee
• Review and approve minutes from prior meeting
• Review Audit Committee Charter
• Private discussions with: Internal Auditor; Independent Public Accountant; Management (as necessary)

Executive Management
• Review of year end financial results (including accounting, tax, and financial reporting matters)
• Review of regulatory filings (e.g., 10K) by: Management; Independent Public Accountant; External Legal Counsel
• Approval of Independent Public Accountants
• Approval of Internal Audit Services provider

General Counsel
• Review contingent litigation
• Review regulatory matters, as appropriate

Other Management Members
• Review compliance with Code of Conduct
• Review risk management (insurance) coverage
• Review corporate contingency plan
• Review Treasury issues (e.g., risk management, foreign exchange, etc.), as appropriate
• Review information systems/technology issues, as appropriate

Internal Audit
• Review Client Service Charter
• Review Risk Assessment
• Review Annual Audit Plan
• Review status of Annual Audit Plan
• Review significant audit issues
• Review value ideas
• Review list of audit reports issued
• Review emerging business risks and risk management issues
• Review management’s follow-up and monitoring of findings and recommendations

Independent Public Accountants
• Review of annual reports, including management letter
• Review of external audit plan
Appendi Appendi x G-1 SERVICE
OTHER PRACTICES
I T I ntern ntern al Audit Servi Servi ces ces
AABS -Internal Audit Services
LAUNCH DATE
May, 1999
SERVICE OVERVIEW Service Description: Through teaming with Internal Audit Services, or working directly with a client’s Director of Internal Audit, we can provide a variety of IT internal audit services, including: —supplementing ting the existi existing ng IT intern internal al audit audit resourc resources es with with depth depth in • IT Internal Audit Audit Services (Teaming) —supplemen specific specialty areas to perform risk assessments, complete specific projects, provide knowledge transfer or deploy resources in remote locations. • Outsourcing —providi —providing ng the the full IT IT Audit Audit function function from planni planning ng through through executio execution n and repor reporting ting.. BENEFITS Value Proposition: Our IT Internal Audit Services are designed to assist clients in better aligning their IT internal audit coverage with their key business risks. Through our investments in people, knowledge, technology and methodologies, we can assist our clients in accelerating to world-class expectations. Specifically, we can provide: • •
• More business insight from the IT perspective - we leverage the knowledge and experience of thousands of global IT risk professionals to provide clients with strategic and operationally focused recommendations in the areas of IT risk management and technology enablement. We help accelerate a comprehensive improvement agenda which cuts the time from assessment to solution dramatically.
• More comprehensive risk coverage - our business process oriented IT Risk Assessment focuses our technology specialists on the areas most important to your business. We team with the client to develop a risk approach for the key IT areas and assign professionals with appropriate industry experience and deep technology skills to create an innovative assessment and testing solution.
• Operate more efficiently - using our people, state-of-the-art tools, technology, and knowledge resources, your IT risks are assessed, tested and communicated to management in a timely and comprehensive manner. Together with the client, we focus on the process of designing an efficient and effective world-class internal audit function, while meeting management’s growing expectations.
RED FLAGS
• Recent turnover among the CFO or Director of Internal Audit
• Implementation of new technologies such as Enterprise Resource Packages (ERP), electronic commerce, and enterprise systems management (ESM) packages
• Significant business changes present some companies with problems in risk coverage (e.g., acquisitions, global expansion, new business segments, consolidations, etc.)
• Other possible common characteristics:
− Company with an existing internal audit function
− Large corporation with minimal IT internal audit staff
− Financial institution or hospital with or without an IS Audit function
− Multinational operations
SUCCESS STORIES
• Conglomerate - we provided specialized security and application control evaluations for several new systems implementations
• Pharmaceutical Company - we provided systems implementation reviews, one of which identified significant project management and control issues and resulted in suspending the project
• Multinational Insurance Company - recently outsourced the entire IT audit function
• Apparel Manufacturer - we provided IT teaming which resulted in obtaining the IAS outsourcing contract
Appendix G-1 (G-1.1)
COMMON OBJECTIONS AND ANSWERS
Independence - Independence is an issue for both internal and external auditors. In our teaming approach, management and the Director of Internal Audit remain responsible for approving the risk assessment, audit plan, and internal audit program. We help execute the risk assessment and audit plan. This separation ensures that independence is preserved.
Training Ground for Leadership - To overcome this objection, do not push for “full-outsourcing” of IAS. Rather, we should stress two important client benefits of working with Ernst & Young: (1) Teaming opportunities (2) Knowledge Transfer
You don’t know our Company - In some pursuits, the client will be concerned that Ernst & Young does not have a sufficiently detailed understanding of the business. We have several responses to this objection, including: (1) ASC (2) Process Models (3) Relationship Manager (4) Stable Core Team (5) Co-Develop Expectations
KEY FEATURES / QUALIFICATIONS
People - Our service delivery team includes nearly 2000 dedicated global IT risk professionals in over 135 countries. Our professionals come from diverse backgrounds and include specialists in most platforms and software environments. Our learning culture is designed to maintain our leading edge.
Methodology - Our IT risk assessment and delivery process is tailored in size and scope to meet your needs. We focus on your key business issues and develop an audit plan to provide the most comprehensive risk coverage.
Knowledge - Ernst & Young is recognized by independent organizations for leadership in knowledge management. Our investments in this area are impressive: The Center for Business Knowledge, Assurance Support Center, KnowledgeWeb and internal training programs, to name a few. This translates into leading-edge practices that provide competitive advantage to our clients.
Technology & Tools - Our average technology investment per professional is over $25,000 per year. Our proprietary risk assessment tools (e.g., Checkpoint, PERMIT) are based on industry business process models. We have a comprehensive security workbench for industry benchmarking, assessment and implementation procedures. Our software investments include SafeSuite, Cybercop, Axent, SAS, ACL and computer forensics tools. Finally, our eSolution Centers provide us with lab environments to create innovative solutions (e.g., ERP “sand boxes”).
CLIENT LIST (Confidential)
• Advo Inc.
• Bowater
• BP Oil - Europe
• Ciba Specialty Chemical (Switzerland)
• Fruit of the Loom
• Holiday Inns Worldwide
• IKON Office Solutions
• IMC Global
• Laidlaw (Canada)
• Maytag
• McCormick
• McDonald’s
• McKessonHBOC
• Owens-Illinois
• PNC Bank
• Rio Tinto (Australia)
• Russell Athletic
• Skandia Insurance (Sweden)
• Stanley Works
• Time Warner
• US Bancorp
• Whirlpool
PRODUCT CHAMPIONS / WHO TO CONTACT
ISAAS
• Jerry DeVault, Sponsor (216) 861-2214
• Jamie Ross, Champion (216) 861-2297
• Local IT IAS Champion
IAS
• Sam Johnson, Service Delivery (216) 737-1680
• Tom Sliwinski, Sales (216) 583-3865
• Local IAS Leaders
G-1.2
ERNST & YOUNG LLP
© 2000 Ernst & Young LLP. All Rights Reserved. Ernst & Young is a registered trademark.
www.ey.com