INTERNAL AUDIT POLICY MANUAL RISK ADVISORY SERVICES

Version 1.0, January 21, 2016

A few words about confidentiality and use of the RSM Internal Audit Policy Manual

You may not copy any part of the content from this manual or provide the manual, or content taken from the manual, to anyone outside of RSM without written permission from the National Office of Risk Management (NORM).

TABLE OF CONTENTS

1. Introduction Purpose and Use of the Internal Audit Manual Working as an RSM Professional Professional Ethics Professional Standards AICPA Standards Institute of Internal Auditors Standards The 2003 Interagency Policy Statement Service Offerings Outsourcing Co-Sourcing Discrete Project Staff Augmentation Sharing Work Product and Interacting With Others RSM Methodology Tools to Assist You

Initiating Phase Managing Risk Conflicts of Interest and Independence Independence Considerations for Private Equity Clients Client Acceptance Procedures Conflict of Interest and Independence RSM's Independence and Conflict Checking System Staffing Leverage Model RSM Delivery Center Budget Development Staffing and Margin Forecasting Tool CS Margin Forecasting Tool MRAM Preparation Contracting With the Client Master Services Agreement Statements of Work Engagement Letter Standard (General) Terms and Conditions Engagement Charter Arrangements with RSM Network Firms MDC Arrangements Subcontracting Types of Agreements Establish Client within RSM

Planning Phase Auditor Assistant and the Planning Phase Understanding Client Needs Client Needs Assessment Internal Audit Client Liaison Understanding the Client's Business Objectives Understanding Internal Audit's Objectives Co-Developing and Customizing Co-Developing the Communication Plan External Communication Plan Internal Communication Plan Co-Developing the Engagement Management Protocols and Milestones Co-Developing the Engagement Risk and Issues Log The Value Scorecard Agreed-Upon Common Terms and Reporting Formats Common Terms Project Reports and Audit Committee Reports Setting Up an Internal Audit Department Onboarding Internal Audit Charter Internal Audit Mission Statement Engagement-Level Risk Assessment and Internal Audit Plan Risk Assessment Requirements Outsourcing Engagement Co-Sourcing or Discrete Projects Risk Assessment Methodology Understand the Business and Define the Audit Universe (Phase I) Co-Develop Approach (Phase II) Identify and Measure Risk (Phase III) Prioritize Risks (Phase IV) Ratify Risk Assessment (Phase V) Developing an Internal Audit Plan Other Project-Level Planning Activities The Planning Checklist Refine Project Details and Obtain Consensus With the Client Internal Project Kick-Off Meeting Notice of Intent to Audit Evaluating Control Design Identifying Controls and Key Controls Project-Specific Workprogram Refine Project Budgets and Milestones Prepare and Send a Document Request List

Executing Phase Auditor Assistant and the Executing Phase The Formal Opening Client Meeting Introductions Project Scope Project Approach Terminology Project Timing and Communication Plan Status of Items on the Document Request List Executing Internal Audit Fieldwork Evaluating Control Design Evaluating Control Effectiveness Internal Audit Evidence Testing Techniques Sampling Techniques Other Testing Activities Documentation Characteristics of High-Quality Documentation Workpaper Elements Documenting Individual Findings/Conclusions Root Cause Facilitation Quality Controls and Review Protocols Preparer's Self Review Level 1 and Level 2 Reviews Subject Matter Expert Reviews Engagement Leader Review Conducting the Fieldwork Exit Meeting Project Overview and Status Communicating the Issues Develop Target Dates for Next Steps

Reporting Phase General Reporting Considerations General Guidance Prohibited Terminology Format Flexibility Internal Audit Findings Report Content Reporting Process Internal Firm Review Client Review Management Action Plan Transmittal and Closure Letters Final Report Tracking Executive-Level and Audit Committee Reporting Suspicion of Fraud

Closing Phase Auditor Assistant and the Closing Phase Finalizing Work Files Evaluating Client Satisfaction Client Satisfaction Survey (Project-Level, Optional) Completing the Value Scorecard (Engagement-Level, Optional) Completing the Lessons Learned Summary (Required) Conducting Engagement-level Closeout Meeting 6.4 Engagement Closure Activities Final Billings and WIP Reconciliation Closure Letter Closing Projects and the Engagement in Auditor Assistant Performance Management

1. INTRODUCTION

1.1 Purpose and Use of the Internal Audit Manual

This manual provides guidance regarding RSM's internal audit methodology, policies and procedures for professionals who deliver internal audit services. In addition, this manual describes requirements for auditor independence, objectivity and compliance with industry and professional standards, and sets forth the policies that drive the successful delivery of internal audit services within RSM.

This manual is divided into chapters associated with each phase of the internal audit cycle:

- Chapter 1 Introduction (activities, responsibilities and key terms)
- Chapter 2 Initiating Phase
- Chapter 3 Planning Phase
- Chapter 4 Executing Phase
- Chapter 5 Reporting Phase
- Chapter 6 Closing Phase

Compliance with the policies presented in this manual is mandatory for all internal audit engagements. Every internal auditor has the responsibility to understand and apply the methodology, policies, procedures and approaches described in this manual. In turn, partners/principals and directors have the responsibility for ensuring that their teams comply with the manual and that all personnel remain up-to-date with current developments that may impact our services to clients.

To be effective, auditors must perform adequate planning and understand the client's organization and internal audit's objective. The scope of the audit must allow the auditor to obtain sufficient information for the formation of our findings or the support for not reporting a finding. Our reporting standards require the clear indication of the work performed that supports our findings, as well as the auditor's responsibility for the ultimate retention of our documentation.

This manual is the principal statement of policies related to the delivery of internal audit services.
RSM professionals engaged in the delivery of internal audit services should also refer to the following internally authoritative sources for further guidance regarding the overarching firm policies, practices and procedures:

- RSM Policy Library
- RSM's Consulting Services Manual and the related National Consulting Services Policies Updates
- RAS Engagement Project Management policies

RSM's policies set forth herein consider the proficiency of an internal auditor and require that internal auditors have received sufficient applicable training in auditing techniques. The standards also address auditor objectivity, in that the auditor is free of conflicts of interest within the context of the engagement. Our auditors must also exercise due professional care when performing internal audits and when preparing internal audit reports.

It is important to note that throughout this manual, all references to audits, auditing, or an auditor are intended for internal audits, internal auditing and internal auditors; and should not be confused with being guided by external auditing standards.

RSM consultants have the responsibility to read, understand and follow RSM policies. Defer to RSM policies in the event that unintended inconsistencies exist between this internal audit manual and those policies.

RSM US LLP. All Rights Reserved

1.2 Working as an RSM Professional

When we speak about The Power of Being Understood, we describe our methods for creating value for our client and for working as a trusted advisor. We endeavor to understand not only the client's business and the market dynamics, but also their strategic goals and challenges. We achieve this understanding by building collaborative relationships and achieving a deep awareness about the long-term view of their business, all while maintaining objectivity throughout the performance of our work.

Building a client-centric relationship depends on a consistent approach by our professionals and consistent communication between our clients and us. It also involves a commitment to working with the client to understand their needs and to co-develop solutions and approaches responsive to those needs. For example, while RSM has developed a number of tools and templates (i.e., enablers) for use in delivering our internal audit services, these are expected to be customized to each client through a co-development process.

You may review the RSM Client Experience Briefing Document and the RSM Brand Charter by selecting the following URLs: RSM Client Experience Briefing Document Intranet RSM Brand Charter

1.3 Professional Ethics

Every RSM internal auditor must demonstrate professional competence and due professional care in performing internal audits for our clients, following the AICPA's Statement on Standards for Consulting Services No. 1 (SSCS). Also following the SSCS, in delivering internal audit services to RSM clients, our professionals must adequately plan and supervise the performance of all internal audit services they perform, while also obtaining sufficient relevant data to afford a reasonable basis for conclusions or recommendations reached when performing an internal audit engagement.
Further, since our clients rely on our integrity and objectivity, it is essential that our internal auditors remain unbiased when making judgments and must not be influenced by their own or others' interests. Our firm's policies, referenced in Section 1.1, define each individual's responsibilities in this regard. Complying with these policies also includes having an awareness of and elevating to an appropriate level within the firm any potential conflicts of interest.

When working with our clients, we are required to protect and keep confidential all client information and data. Client information is subject to confidentiality under AICPA standards, states' board of accountancy standards, the contractual obligations of our engagement letters, and in many cases, separately executed nondisclosure agreements. We may also receive client information subject to the federal Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and other privacy laws. Finally, internal audit services for public clients will regularly provide us with sensitive, nonpublic information. Maintaining strict confidentiality and security over all such client information and data is part of the SSCS's professional competence and due professional care requirements with which we must comply.

Our clients may require us to confirm adherence to their own confidentiality, IT security and privacy policies, especially in outsourcing, co-sourcing and staff augmentation engagements. As long as the client's policies are not in conflict with our own, and as long as our own internal technology is capable of compliance, we may agree to comply. As trusted advisors, we bear responsibility for securely maintaining our clients' information during the internal audit process.

1.4 Professional Standards

In addition to the policies contained within the internal audit manual, RSM internal audit professionals should become familiar with the various other professional standards that influence our services. These standards include, but are not limited to, those discussed below. Appendix 1 cross-references our internal audit methodology to these professional standards, such as the Institute of Internal Auditors' International Professional Practices Framework (IPPF).

AICPA Standards

The AICPA's Management Consulting Services Committee issued the SSCS No. 1 in 1992, and the standards are still in effect today. These standards apply to and are binding on all member CPA firms who perform any of the consulting services defined in the standards. The services defined in the standards include the types of internal audit services covered within this internal audit policy manual.

The SSCS gives recognition to the types of consulting services being performed by CPA firms. It also recognizes the difference between attest services and consulting services and the different standards applicable to consulting engagements. These standards recognize the nature of consulting services determined solely by the agreement between the practitioner and the client, and the work is generally performed only for the use and benefit of the client. See RSM's Consulting Services Manual for a full discussion.

Engagement letters, statements of work and reports should NOT make reference to the 2003 Interagency Policy Statement.

Typically, our internal audit and Sarbanes-Oxley (SOX) services, as outlined in our engagement contracts, are to be performed in accordance with the AICPA's Statement on Standards for Consulting Services (SSCSs).

Institute of Internal Auditors Standards

The Institute of Internal Auditors (IIA) has issued the International Professional Practices Framework (IPPF) and related Implementation Guidance and Supplemental Guidance.
The IPPF provides a framework and the basic requirements for the professional practice of internal auditing. While our internal audit methodology was developed to align with IPPF guidance, you should understand that, as mentioned in the previous section, we deliver the majority of our internal audit services in accordance with the AICPA's SSCS, not the IIA's IPPF.

On occasion, a client, frequently a financial institution, may request us to deliver internal audit services in accordance with the IIA's IPPF. You should attempt to dissuade the client from this position due to the fact that the IPPF has requirements, some of which are outside of our direct influence, beyond those of the AICPA's SSCS and thus may present incremental risk to the firm. If the client insists, you can perform the engagement in accordance with the IIA's IPPF, though you will need to:

- Familiarize yourself with the IIA's IPPF and also see Appendix 1 for a cross-reference of our methodology to the IIA's IPPF.
- Define, in conjunction with the internal audit client liaison, who possesses responsibility for each specific standard within the IPPF (e.g., management, RSM, joint).
- Execute an engagement letter or statement of work that incorporates a reference to the IIA's IPPF and documents, in an appendix to the EL/SOW, the aforementioned responsibilities.

Engagements performed in accordance with the IIA's IPPF are discouraged, though are permitted.

The 2003 Interagency Policy Statement

Financial institutions that are insured by the Federal Deposit Insurance Corporation (FDIC) must comply with The 2003 Interagency Policy Statement on the Internal Audit Function and its Outsourcing, and the 2013 Supplement to the Policy Statement. These regulations establish the regulatory expectations of a financial institution and its internal audit services vendor, whether engaged in an outsourcing, co-sourcing or discrete project arrangement.

The agencies revised the policy statement to reflect recent events and current directions within the financial, audit and regulatory industries. Chief among these is the passage of the Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley or SOX). That act, signed into law on July 30, 2002, establishes numerous independence parameters for audit firms that provide external audit, outsourced internal audit and other non-audit services for financial institutions.

Consistent with Sarbanes-Oxley, the policy statement prohibits publicly held national banks, publicly held national bank holding companies and national banks subject to 12 CFR 363 from using the same accounting firm to perform both external audit and outsourced internal audit work. Other national banks required to have a financial statement audit by an independent public accountant, or that are not subject to 12 CFR 363, are encouraged to follow the auditor independence guidance contained in the interagency statement, consistent with their size and complexity. The guidance reflects the broad principles that audit firms that perform a bank's internal and external audit should not audit their own work, perform management functions for the same bank, or act as an advocate for the same bank.
The revised policy statement also contains additional discussion and guidance pertaining to:

- Board and Audit Committee responsibilities
- Internal audit function reporting lines within the bank's organizational structure
- Internal audit's role as a consultant to the bank's board or management
- Independent reviews of significant internal controls for small banks that do not have a formal internal audit manager or staff
- U.S. operations of foreign banking organizations
- Oversight of outsourced internal audit activities, including expanded provisions for engagement letters
- Examiner guidance

For a more detailed discussion, please refer to bulletin html.

1.5 Service Offerings

RSM provides a variety of internal audit-related services including outsourcing, co-sourcing, discrete projects and staff augmentation (i.e., loaned staff) that focus on evaluating risks and controls, adding value, reducing costs and/or improving efficiency.

Outsourcing

In an outsourced arrangement, RSM professionals perform all the activities necessary to support the client's internal audit function under the supervision of a client-designated internal audit liaison. The internal audit liaison is typically someone who works directly with RSM's Engagement Team and provides coordination and facilitates logistics, communications and other day-to-day matters. During the outsourcing arrangement, the RSM team has direct access to the client's Audit Committee, conducts risk assessments, develops the internal audit plan and determines the scope of each individual internal audit. Outsourced resources leverage competencies and skillsets from across different functions. Typically, an outsourcing relationship spans multiple years and thus the contract for an outsourced arrangement normally occurs through a master services agreement (MSA) and utilizes statements of work (SOWs).

Co-Sourcing

A co-sourcing arrangement occurs when RSM contracts with a client to team with the in-house internal audit function to handle specific responsibilities or to complete specific projects. Generally, the client will determine the objectives and scope of the audit. The client will designate an employee or employees within their internal audit leadership team who will make or obtain all management decisions with respect to the engagement.

Co-sourced engagements occur through a regular presence at the client's location on a recurring, long-term basis. The contract for a co-sourced engagement typically occurs through an MSA and utilizes SOWs.

The primary difference between outsourcing and co-sourcing is that in an outsourcing engagement, we perform all internal audit-related duties; whereas in a co-sourcing engagement, we perform components of the internal audit plan while other components are performed by either the client's own internal audit staff or possibly staff from other professional services firms. Note that co-sourcing engagements can include performing a risk assessment, but it is not required. Additionally, in most instances, co-sourcing engagements can be delivered to clients, either private or public sector, where we anticipate providing attest services, and when we have been requested to provide Sarbanes-Oxley services. Our standard engagement letter templates contain wording to address each of these situations.

Discrete Project

In a discrete engagement, a client defines the scope and objectives for RSM to execute. A discrete engagement occurs as a stand-alone project, typically as part of the client's overarching annual internal audit plan.
The contract for a discrete engagement normally occurs through an engagement letter.

Staff Augmentation

Within a staff augmentation (i.e., loaned staff) engagement, RSM staff work under the direct supervision of the client. With this approach, the client has exclusive control over the scope of the work and full responsibility for directing and reviewing the work of all RSM staff, as an RSM quality control review is not included within the scope of a staff augmentation engagement. Finally, no specific work products, reports or similar deliverables are to be provided to the client that will be associated with RSM.

1.6 Sharing Work Product and Interacting With Others

As part of any internal audit engagement that RSM enters into, we should expect the client to share our deliverables (e.g., internal audit reports, internal audit plan, risk assessment summary) with external parties. In such cases, the ownership of such deliverables is transferred to the client upon delivery. Our standard transmittal or closure letter certifies our completion of the mutually agreed-upon scope of work and confirms that we are not responsible for further matters that may arise after delivery.

Throughout the course of an internal audit engagement, we create working papers that document the procedures performed in order to enable the completion of the audit report, internal audit plan or risk assessment summary. Audit programs, testing lead sheets, formally documented minutes from client meetings, status reports and other such documents are considered as working papers. We or the client may be asked to provide these documents to a third party, and in those circumstances, the following guidance applies:

Sharing Workpapers With the Client

Ownership of our working papers remains with RSM. In the event that the client requests copies of, or access to, our working papers, such copies can be provided upon approval of the engagement leader. The Engagement Team should ensure that all working paper content indicative of RSM's review comments, report drafts or sensitive commentary surrounding internal audit engagement economics is removed prior to the copies being provided to the client.

In all instances described, when sharing our working papers and/or work product, Engagement Teams are encouraged to provide either a paper copy or a secured PDF electronic copy.

Sharing Workpapers With External Auditors

The client's external auditor often requests access to our work product and/or to discuss such items as risk assessments, audit scopes, significant changes in the design and operating effectiveness of internal controls, and internal audit findings. Such requests can be granted after engagement leader approval AND consultation with our client, and only with client approval.

Sharing Workpapers With Regulators and Other Governing Organizations

The client's regulators occasionally request access to our internal audit work product and/or to have discussions with us regarding the work performed on behalf of the client. Similar to the previous point, such requests can be granted after engagement leader approval AND consultation with our client, and only with client approval.

Engagement Teams may encounter situations in which we or our client would prefer to limit our sharing of working papers and work product, i.e., in situations involving investors, business partners, potential acquirers or when we express concerns about third-party reliance. It should be noted that our work is intended for the sole use and benefit of our client; as such, our client can decide to what extent that work is shared with others. When third-party reliance is needed and approved by our client, an Acknowledgement and Release Letter is executed. An example of our Acknowledgement and Release Letter is provided in our standard engagement letter template.
1.7 RSM Methodology

RSM's methodology establishes a framework for delivering high-quality professional internal audit services and for effectively working with our clients. Within this framework, we provide guidelines for the involvement of team members, guidelines for documentation and guidelines for the retention of documents within repositories.

RSM's methodology is built around the engagement management process and the internal audit cycle. The methodology remains consistent with established RAS project management methodology, adheres to the AICPA's SSCS and aligns with the IPPF. The engagement management process can be separated into smaller components that involve additional processes, actions and deliverables. The process groups (initiating, planning, executing, reporting and closing) are embodied in the internal audit cycle.

Figure 1.7a shows the relationships that exist between the individual phases of the internal audit cycle. The figure also describes the major steps and activities associated with each phase. For example, the initiating phase includes one step that covers client acceptance and risk management activities. In contrast, the planning phase includes steps and activities that include client needs assessment, a risk assessment and a project planning checklist.

Figure 1.7a RSM Internal Audit Cycle

Tools to Assist You

Auditor Assistant

Auditor Assistant (AA) is a proprietary, Web-enabled audit management software tool, designed to incorporate both our internal audit methodology, as well as RSM's RAS engagement project management protocols. AA improves internal audit efficiency for any size client and facilitates document retention in compliance with firmwide requirements. Unless a client specifically requests otherwise, the use of AA is required for all internal audit engagements.

Additionally, our internal audit teams and individual auditors have access to a suite of tools/enablers that support each phase of our methodology. Those tools include audit enablers, such as an interactive risk assessment model, process-specific risk and control matrices, audit programs and various other templates, all of which are to be customized to address your specific client's needs.

Figure Auditor Assistant Client Management Module

Figure Auditor Assistant Client Engagement Management Module

Figure shows the client management portal for AA. Navigation tools found within AA allow auditors to capture information through user-friendly forms and allow access to shared information. Along with providing a centralized management portal for all internal audits within a client engagement, the automation platform provides functionality to support unlimited identification of risks and the testing of controls for mitigating risks.

2. INITIATING PHASE

The initiating phase embodies the risk management process followed by RSM and must be performed prior to the issuance of proposals, and acceptance of any client and any engagement with that client. It also extends to the proper formation of contracts with the client and others, including RSM International's members or subcontractors. All facets of the initiating phase are required to be completed regardless of the nature of the internal audit engagement (e.g., outsourced, co-sourced, discrete projects and staff augmentation).

- Complete Litigation and/or Business Conflict of Interest Checks
- Complete Staffing and Margin Forecast Analysis
- Complete MRAM
- Execute Client Contract
- Execute Other Contracts
- Establish Client Within RSM

2.1 Managing Risk

Engagement Teams work with the National Office of Risk Management (NORM) in assessing the risks involved with establishing or continuing a client relationship. RSM documents the decision process around accepting a new client or new engagement or continuing an existing client relationship in a timely and appropriate manner in the RSM Risk Assessment Model (MRAM). See Section 2.3 for more information on the MRAM tool. The risk management protocol questions within MRAM will exist for each unique engagement and most projects within the client relationship.

A client is any person or organization that requests an internal audit engagement.

An engagement is an arrangement with a client to provide a specific service offering (e.g., internal audit outsourcing) in which an engagement folder has been set up in one of the predefined product offerings within Integrated Practice Management (IPM). More than one discipline (e.g., internal audit, IT audit, regulatory compliance) or the execution of multiple projects may be needed to fulfill the scope/objective of a single engagement.

A project is a self-contained set of interrelated tasks that has a defined objective, scope, beginning and end.
A project or series of stand-alone projects (i.e., discrete projects) may be treated as individual engagements or, depending upon the contractual arrangement with the client, a subset of an engagement.

A contract is the vehicle by which RSM is authorized to perform services in an engagement for the client.

Policies found within the Consulting Services Manual and related National Consulting Services Policies Updates guide the acceptance of a new client and new engagement.

2.2 Conflicts of Interest and Independence

Many regulations and policies cover conflicts of interest and the requirements of external auditors (see Section 1.4) to remain independent of their attestation clients. As such, where RSM serves as a client's external auditor, your work as an internal auditor with the client should not:

- Create a mutual or conflicting interest between RSM and the attestation client.
- Place the external auditor in the position of auditing their own work.
- Result in the external auditor acting as management or an employee of the attestation client.
- Place the external auditor in a position of being an advocate for the attestation client.

Where RSM serves as a client's external auditor, you cannot prepare or provide non-audit services such as:

- Creating financial statements or tax provisions and/or providing valuation or tax provision templates
- Designing and implementing financial information systems
- Providing appraisal or valuation services, fairness opinions or contribution-in-kind reports
- Providing actuarial services
- Providing internal audit outsourcing services (applies to public companies, FDICIA banks and some other restricted entities)
- Making investment decisions on behalf of audit clients or otherwise have discretionary authority over an audit client's investments
- Executing a transaction to buy or sell an audit client's investment
- Having custody of assets of the audit client such as taking temporary possession of securities purchased by the audit client

Our responsibility is to disclose any identified conflicts of interest. It is the client's responsibility to decide whether they will accept or waive the conflict and proceed with the engagement.

Despite these restrictions, there are a significant number of services that can be performed for the client. These are available at Consulting Services Allowed for Attest Clients. For more specific information regarding the firm's independence rules, including restricted services, please refer to f#search=independence

Independence Considerations for Private Equity Clients

Providing internal audit services to a portfolio company of a Private Equity Group (PEG) can put us at serious independence risk if we do not completely understand the ownership structure and affiliations.
As such, prior to issuance of a proposal or engagement letter, it is critical that the Engagement Team understands the ownership structure of the portfolio company and documents that structure in MRAM for consideration in the risk assessment process. It is recommended that NORM be consulted in both the assurance and consulting service lines when being engaged by PEG portfolio companies.

2.3 Client Acceptance Procedures

Initiating: Perform Client/Engagement Acceptance Procedures and Risk Management Activities

Columns: Objective; Activity; Activity Required (Outsourcing, Cosourcing, Discrete Project); Level of Review Required (Preparer, Level 1, Level 2, Engagement Leader)

Objective: Evidence the Engagement Team's assessment of risk and related approvals in the client/engagement acceptance process.
Activity: Complete MRAM survey.

Objective: Determine whether the interests of one client or potential client are or may be adverse to the interests of another client and/or interests of the firm.
Activity: Complete conflict of interest and independence checks.

Objective: Determine key financial considerations for the engagement, including staffing, pricing, expenses and overall profitability. The overall financial metrics will drive the economic approval process within the MRAM survey.
Activity: Complete staffing and margin forecasting tool.

Objective: Document the agreed-upon general business terms and conditions that apply to the consulting services that RSM will provide to the client.
Activity: Execute a master services agreement (if appropriate).

Objective: Align the engagement scope/objectives of the engagement, our approach, deliverables, staffing, client responsibilities, applicable fees/expenses and general business terms (for those clients where Master Service Agreements have not been executed) with the client.
Activity: Execute engagement letter or statement(s) of work (as appropriate).

Objective: Formally engage all third-party providers involved in serving the client, including International RSM firms, MDC and subcontractors.
Activity: Execute appropriate contracts with all third-party providers.

The initiating phase involves working within the RSM Risk Assessment Model (MRAM) to establish an internal risk profile for each new project. RSM requires the use of the MRAM tool for documentation and approval of the acceptance of a new client, engagement and some projects. While the MRAM tool assists in managing engagement risks, all consultants also consider whether the engagement fits the strategic direction of the firm. Policies found within the RAS policy manual provide the foundation for the functions found within MRAM.

Additionally, RSM has prepared the MRAM Consulting Quick Reference Guide for your use when working with MRAM. The Quick Reference Guide describes all the processes associated with the MRAM. You may access the Guide by selecting MRAM Consulting Quick Reference Guide.

Required approvals vary depending on the type of activity and deliverable. All activities are prepared and reviewed in detail as outlined in the methodology.
- Preparer: Associate and above
- Level 1: Senior associate and above
- Level 2: Manager and above
- Engagement Leader Review: Director or partner/principal

Conflict of Interest and Independence

A conflict of interest introduces reputational risk for RSM and for our clients, and as such, must be considered before accepting an engagement.
A conflict of interest creates a scenario in which the interests of one client or potential client are, or may be, adverse to the interests of another client and/or the interests of our firm.

RSM's Independence and Conflict Checking System

Following the guidance provided in MRAM, a manager or above performs the business conflict checks for all internal audit engagements while the engagement leader (director or partner/principal) has the ultimate responsibility for the independence check. Depending on the nature of the internal audit engagement, a Litigation and/or Business Conflict of Interest Check may also be required. Typically, these additional checks are required where:
- Litigation Conflict Checks: An internal audit engagement is performed in conjunction with litigation support services.
- Business Conflict Checks: The potential client has requested that the firm perform a conflict check, our work will be performed in connection with a transaction or business arrangement among multiple parties, and/or the firm has been asked to perform services for a financial institution that is participating in the US Treasury's Troubled Asset Relief Program (TARP).

The engagement leader has responsibility for determining the possibility of a perceived or actual conflict of interest. If required, the necessary check(s) should be completed by using the conflict checking system. The manager or above documents the results of these checks within the MRAM file while the engagement leader (director or partner/principal) has the ultimate responsibility for the disposition/resolution of any conflict and execution of the arrangement following established approval thresholds.

2.4 Staffing

A number of considerations go into staffing each internal audit engagement, not the least of which is making sure that the Engagement Team has the appropriate complement of skills necessary to effectively and efficiently scope and complete the engagement's work plan. Oftentimes, this necessitates the use of subject matter experts (SMEs) from other service lines to augment the core internal audit team. SMEs can be located through the firm's Our People website.

A subject matter expert (SME) has in-depth knowledge of the subject and exhibits a level of expertise in performing a specialized job, task or skill within the organization. An SME may bring expertise in cybersecurity, forensic investigations, regulatory matters, etc.; in short, anyone with in-depth knowledge of the subject area the Engagement Team is addressing.

Leverage Model

Each engagement has unique characteristics and no one staffing model can be prescribed.
However, in aggregate, our business model for internal audit services contemplates the following leverage model:

The engagement leader has the ultimate responsibility for determining the appropriate staffing and leverage model to be used.

RSM Delivery Center

The RSM Delivery Center (MDC) is our firm's offshore center that provides services that support engagements as needed. When utilizing the MDC, the engagement leader has the ultimate responsibility to see that the MDC Work Instruction Form is completed and forwarded to the domestic MDC liaison. There are specific contractual considerations when using the MDC (refer to section 2.7.7).

2.5 Budget Development

An engagement budget captures:
- Key phases and/or processes
- A proposed staffing model and standard costs
- A proposed pricing structure
- Proposed engagement expenses
- An estimate of engagement profitability

Estimated realization rates consider the percentage of standard billing rates actually collected and reflect agreed-upon discounts (e.g., from standard rates, fee reductions and write-offs). Additionally, the engagement budget creates the framework for the development of a staffing plan and facilitates the economic approval process, including the establishment of the estimated realization rates to be entered into the firm's IPM system. One of two templates, either the Staffing and Margin Forecasting Tool (preferred) or the CS Margin Forecasting Tool, must be completed and documented (i.e., attached) within the MRAM file.

Staffing and Margin Forecasting Tool

Internal audit engagements may utilize the Staffing and Margin Forecasting Tool when estimating an engagement's contribution margin. In addition to populating the CS Margin Forecasting Tool, this Excel-based workbook also:
- Serves as the staffing request form to be submitted to Resource Management
- Provides targeted benchmarks for staff leverage and engagement timing
- Identifies the additional engagement approvals in the event that certain pre-determined RAS economic metrics (e.g., contribution margin, realization and/or rate per hour) are not met

CS Margin Forecasting Tool

In lieu of the Staffing and Margin Forecasting Tool, internal audit engagements may utilize the CS Margin Forecasting Tool as a means of estimating an engagement's contribution margin.

2.6 MRAM Preparation

The decision process around accepting a new client or continuing client relationship must be documented in MRAM in a timely and complete manner. Additionally, we document new engagements in MRAM in a timely and complete manner.
Referring to the Quick Reference Guide, you will find that the MRAM workflow features surveys separated by the five phases illustrated in figure 2.3a.

Figure 2.3a MRAM Workflow

The setup phase selects the appropriate survey for the type of engagement. The prepare phase prompts you to define the opportunity in detail. At this point, the type of opportunity dictates the subsequent workflow within MRAM. If you have begun a competitive opportunity, select the prepare phase and complete the MRAM. It is during this phase that the following documents are attached to the MRAM file:
- Independence check;
- Litigation check, if required;
- Business conflict check, if required;
- One of the two margin forecasting tools; and
- Draft of the client contract (see below).

If you know that the firm has won the opportunity, you will need to complete all phases of the MRAM. While the follow-up phase asks additional questions, the review phase provides an opportunity for the engagement leader and approvers to review and approve the survey. The complete phase leads to the creation of an end document that resides in the MRAM. After completing the MRAM document, extract the document from the MRAM system and attach it within AA.

2.7 Contracting With the Client

Depending on the client arrangement, relationship and requirements, client contracts occur through:
- An MSA with corresponding SOWs
- A customized Engagement Letter that contains RSM's standard terms and conditions as an appendix.

The contracts define the client management responsibilities, general terms and conditions, and deliverables. The client contract process requires the drafting of new agreements with the standard RSM template and the approval of all required parties prior to the issuance of an executable MSA, Engagement Letter or SOW. If the client is requesting modifications to the previously accepted terms and conditions, these modifications (unless related to scope, pricing, timing and billing) should be reviewed by NORM.
Otherwise, it is acceptable to roll forward previously accepted business terms.

Master Services Agreement

We encourage the use of the master services agreement (or MSA) when an engagement leader anticipates that the client relationship will involve multiple engagements and/or projects that will occur over an extended period of time within a common set of business terms. As a legal agreement between RSM and the client, the MSA describes general business terms that define RSM's relationship with the client. Using the MSA simplifies the contracting process when frequent projects for one client occur. Modifying or amending the firm's standard MSA requires the approval of NORM. Whenever a client requests that their version of an MSA be used, it should be reviewed by NORM prior to execution.

Statements of Work

Statements of work (or SOW) supplement and reference an executed MSA and can oftentimes serve as the engagement charter (see Section 2.7.5). An SOW describes in detail the following:
- Engagement objectives
- Scope of work
- Client acceptance of work
- Approach
- Staffing
- Client responsibilities
- Terms and conditions unique to the specific engagement or project

Engagement Letter

RSM uses the engagement letter as the basic contractual document for individual, annual or nonrecurring engagements. The business terms and conditions contained in the engagement letter are substantively the same as those associated with the MSA. Use of the engagement letter creates a legal obligation for RSM and for the client. The engagement letter has the same content as an SOW. However, instead of referencing one MSA to address the general business terms, each engagement letter issued must contain the firm's standard terms and conditions as an appendix.

Standard (General) Terms and Conditions

General business terms govern the services provided by RSM. The terms constitute the entire understanding and agreement between the client and RSM with respect to the services described in the engagement letter and supersede all prior oral and written communications. Modifications requested by the client to modify the scope, schedule or billing related to the engagement may be approved by the consulting director, partner or principal.
Other modifications amending the standard terms and conditions require the approval of NORM.

Engagement Charter

An engagement charter can be used in the rare circumstance that the SOW or engagement letter does not capture expectations of a project in sufficient detail. Refer to the engagement charter template, which typically captures:
- Engagement description
- Objectives
- Scope
- Approach
- Key assumptions
- Deliverables
- Engagement milestones, timing and effort
- Key Engagement Team members
- Key client participants

Arrangements with RSM Network Firms

In November 2015, the firm rolled out revised subcontracting terms and conditions across the RSM network. Please refer to the consulting risk management for further guidance.

MDC Arrangements

The McGladrey Delivery Center (MDC) is our firm's shared service center located in India. It provides resourcing depth and flexibility by giving our Engagement Teams access to skilled professionals, many of whom are chartered accountants, MBAs and certified IT professionals (See Section for more information). Because unique protocols exist for contracting with the MDC, the firm has established a state-side MDC Ops Team to assist Engagement Teams in:
- Completing the client intake and work instruction forms
- Coordinating NORM's review of any legal/compliance agreements relevant to the engagement

The MDC Ops Team can be reached at mdcops@rsmus.com

Subcontracting

Occasionally, the scope of an engagement will prompt RSM to engage outside contractors who possess specialized knowledge and skill not currently possessed by RSM. When engaging an outside firm to provide services for RSM's clients, we use RSM's standard subcontractor agreement. The national business line's, national employee relation's and the legal group's positions and policy on engaging independent contractors also allow the use of RSM's standard contractor agreements without modification. The independent contractor should have signed the standard independent contractor agreement prior to any meetings so that the contractor understands the firm's expectations. Standard contractor agreements are located at Consulting Quality and Risk Management (CQRM). Often, there are contractual obligations with the client that require the client's notification or approval in the event a subcontractor will be used.
It is critical to review the terms around the use of subcontractors as established in the engagement letter or MSA. If you are unsure, contact your engagement leader or CQRM.

Types of Agreements

When engaging an individual, sole proprietor or single-member limited liability company to provide services for RSM or RSM's clients, we use RSM's standard Independent Contractor Agreement. When engaging a firm with more than one employee or owner to provide services for RSM, we use the Vendor Services Agreement. Copies of these agreements should be included in MRAM and submitted to NORM for retention.

2.8 Establish Client within RSM

Upon the receipt of a signed engagement letter or SOW, the Engagement Team establishes the client, engagement and/or project in:
- Integrated Practice Management (IPM) system. The IPM system is the firm's real-time system that fully integrates the time reporting, billing and accounts receivable functions. IPM provides the Engagement Team with project reporting capabilities. IPM reports are generated through the intranet (by typing ipmreports in the Web browser URL). Modifications to folder/projects are completed in the IPM tool or via Client Central (below). To gain access to IPM, contact the IT Service Desk.
- Client Central. The Client Central system is interfaced with IPM and is used to input client billing information and project metrics. Each client, engagement and, in most cases, project, is to be established within Client Central before work is to commence. The Engagement Team should contact their local finance operations personnel to establish the client/engagement/project and corresponding financial information in Client Central.
- Auditor Assistant. Auditor Assistant (AA) is our proprietary software internal audit management tool that contains workflow and project management capabilities. AA also serves as the repository for work products generated by Engagement Teams. As such, each client, engagement and project should be created within AA during the initiating phase.

3. PLANNING PHASE

The planning phase is a critical component of the engagement life cycle. During this phase, Engagement Teams set the foundation for successful achievement of the project's objectives, from both external and internal perspectives. The Engagement Team has the critical responsibility for thoughtfully completing the planning phase and considering relevant tools and enablers as part of the methodology.

From an external perspective, RSM strives to consistently meet or exceed our clients' expectations by achieving each objective of every project. Internally, we must properly forecast project economics with appropriate resourcing (including consideration of subject matter experts [SMEs] and the MDC), accurate time estimates, and realistic accommodations for expected challenges identified in the planning and initiating phases. Whether we have been engaged in an outsourcing, co-sourcing or discrete project arrangement, each of these objectives must be considered to varying extents.

This section will address each of the following planning areas and the tools and enablers available to help you effectively meet your objectives.
- Perform Client Needs Assessment
- Complete Initial Internal Audit Department Set-Up Activities
- Complete Engagement-Level Risk Assessment Activities
- Develop Internal Audit Plan
- Complete Project Planning Tasks

Engagement Level vs. Project Level

When reading this manual, consider the importance of understanding how RSM uses the terms engagement and project when referring to certain sets and subsets of activities. Activities that occur at the engagement level help to manage the overarching risk and client relationship. The Client Needs Assessment addressed in the next section serves as an example of an engagement-level activity since it addresses the client's needs and expectations that transcend all of the work that we perform for the client.
Project-level activities are associated with a single procedure, task, review, assessment or other special project that we perform either as part of an outsource or co-source engagement, or a distinct project. Some activities can occur at both the engagement and project levels. The most common examples of such activities include customizing the communication plan, providing periodic status reporting and preparing Audit Committee reports, which are addressed below.

3.1 Auditor Assistant and the Planning Phase

Auditor Assistant (AA), a proprietary, web-enabled and comprehensive management software tool, supports RSM's methodology throughout the internal audit cycle. It provides a platform for the following activities:
- Identification of risk areas through periodic risk assessments
- Documentation of information about auditable entities
- Project definitions
- Project objectives and scopes
- Milestone and status tracking
- Storing documentation of engagement work product

Unless specifically requested by the client, the use of AA is required for all internal audit engagements. AA houses numerous tools/enablers to assist Engagement Teams throughout all phases of an engagement. Where applicable through the methodology, we will discuss AA and its integration into our process. A separate AA user manual is integrated within AA.

3.2 Understanding Client Needs

Planning: Perform Client Needs Assessment Activities

Columns: Objective; Activity; Activity Required (Outsourcing, Cosourcing, Discrete Project); Level of Review Required (Preparer, Level 1, Level 2, Engagement Leader)

Objective: Define communication protocols (audience, requirements, methods, escalation process, etc.) with the client as well as the Engagement Team.
Activity: Create communication plan/protocols.

Objective: Align engagement expectations (scope, objectives, approach, assumptions, deliverables, timing, effort, etc.) with the client.
Activity: Create engagement charter and obtain client concurrence.

Objective: Identify and monitor significant engagement risks and issues.
Activity: Create and maintain Engagement Risk and Issue Log throughout duration of the engagement.

Objective: Define key drivers and values for the engagement, which will be used to measure RSM's performance during the engagement.
Activity: Co-develop with the client the format and metrics that will be used to measure RSM's performance during the engagement.

Objective: Understand the client's business objectives and how the internal audit function is or can be positioned to support the achievement of those goals.
Activity: Document our understanding of the client's business objectives and potential obstacles for internal audit.

Objective: Summarize any findings, recommendations, and responses or action plans from management.
Activity: Co-develop the preferred internal audit report format and rating definitions with the client.

Objective: Identify, monitor and report progress against key engagement milestones and related activities.
Activity: Customize engagement milestone timeline template.

The first step in setting the priorities for the engagement involves completing the Client Needs Assessment (CNA). At RSM, we see the CNA as an opportunity to achieve a client-centric approach through understanding the client's expectations and then through the co-development and customization of our approach and tools to reflect those needs and expectations.

Client Needs Assessment

At the outset of the CNA, we must understand the client's individual objectives, risks and constraints, and be careful to integrate those into the engagement. Specifically, during this phase we must:
- Gain a clear understanding of the client's business objectives.
- Collaborate with our client to develop the engagement objectives and methods for achieving performance measurement.
- Co-develop with the internal audit client liaison critical milestones and a communication plan.
- Agree upon terminology (e.g., risk thresholds, rating of findings) and customize work product templates (e.g., audit reports, risk assessment model).
- Co-develop Key Performance Indicators (KPIs) used to measure our performance and a value scorecard for reporting on our performance.

Internal Audit Client Liaison

Any time RSM enters into an agreement to provide internal audit services for an outsourcing, co-sourcing or discrete project, we identify an internal audit client representative (aka IA liaison) that has client oversight responsibility for our services and serves as our point-person for all internal audit matters. In co-sourcing and discrete project arrangements, the chief audit executive frequently serves in this role. For outsourcing arrangements, the CFO or controller often serves in this role, although we still maintain a direct line of communication to the Audit Committee. It is always the firm's preference in outsourcing arrangements that we report directly to the Audit Committee. Our communication plan should include escalation protocols for instances when we are not satisfied with a response from our IA liaison or other member of senior management who may hold influence on our engagement. Ultimately, our engagement letters and SOWs should identify the IA liaison.

Several reasons exist for selecting an IA liaison.
- Selecting an IA liaison allows us to maintain a position of separation from our client. As a professional services firm providing internal audit services, we are prohibited from making decisions on behalf of management.
- Incorporating the IA liaison throughout the various phases of the internal audit cycle helps us to manage our overall engagement risk by providing our team someone who is appropriately connected into our client's organization.
- Selecting an IA liaison within our client service model allows this individual to provide invaluable insights into, and connectivity with, our client.

If an Internal Audit Steering Committee does not exist for outsourcing engagements, RSM encourages but does not require the formation of the committee as an additional method of involving client management in the internal audit process and enhancing the process.
An Internal Audit Steering Committee typically includes the IA liaison, members of the client's finance and accounting departments, such as the CFO and controller, a representative from the client's IT leadership, possibly a representative from the client's operations department, and a representative from the client's legal department. The actual composition of the Internal Audit Steering Committee can vary from client to client. Having such a committee in place also draws a clearer line between the firm and our client's management, and allows the firm to maintain an appropriate level of impartiality and separation.

Example descriptions for both the IA liaison and the Internal Audit Steering Committee that can integrate within the internal audit charter and mission statement as part of the client's foundational internal audit policies are available with the standard tools/templates within AA.

Understanding the Client's Business Objectives

The Power of Being Understood is a cornerstone of RSM's delivery approach and underscores our level of effort early during any engagement in understanding our clients' business objectives. Obtaining an understanding of our clients can start most simplistically in the very early stages of planning by researching analyst reports covering the client, its competitors and its industry; externally produced industry periodicals; internal RSM industry thought leadership; and other sorts of relevant, publicly available history and background.

RSM has a number of tools to assist Engagement Teams in gathering an understanding of the client's business and their objectives. These tools include:

Benchmarking: The benchmarking process outlined in the Client Services Policy Manual provides a mechanism to compare a new or existing client across a spectrum of similar companies within its industry niche.
The process is started by the Engagement Team completing the Benchmarking Intake Form using client data and submitting the form into the benchmarking process with the MDC. While auditors may find publicly available client data, they will often need to request data from the client. When fully executed, the benchmarking process produces the Industry Benchmarking Executive Summary and Report used during the opening meeting between the client and the RSM team.

The Due Diligence Wheel: The Due Diligence Wheel functions as a conversation facilitation tool that assists the Engagement Team as they begin the Planning Phase. The Due Diligence Wheel serves as a discovery aid for guiding the Engagement Team through substantive, effective business conversations early on in the client relationship. During these conversations, the Engagement Team can gather valuable information about the client's business objectives and how internal audit can support the achievement of those objectives. In addition, the results of these conversations can assist the Engagement Team with identifying potential obstacles inherent within the organization that may prevent the internal audit function from operating at best practice levels.

The design of the Due Diligence Wheel suggests that the conversation can begin at any point around the wheel and progress organically. The questions outside the circle represent external threats to the organization over which they may have little or no control. The questions within the wheel all relate to factors at play within the organization, each of which may point to a strength that we can leverage or an improvement opportunity that we can target in order to add value. Please note that the Due Diligence Wheel simply serves as a guide. As the conversation takes shape, the firm encourages the Engagement Team to explore additional areas that may have an impact on internal audit's potential success within the organization.

As Engagement Teams move through this initial process to obtain an appropriate level of understanding about the client and its business, they should document conversations with multiple client leaders if they perceive that the various perspectives will add value to the process. At least one conversation should occur with the IA liaison. Other conversations with senior members of the Finance and Operations Teams can also benefit the Engagement Team, as can a conversation with the Audit Committee chairperson.
The engagement leader and other members of the Engagement Team document the results of the conversations in a memorandum format, attach the memorandum within AA, and include the memorandum in the team's onboarding package. Additionally, the understanding gained from the totality of these processes can be leveraged for the project charter and throughout the duration of engagement setup.

Engagement objectives should be:
- Specific
- Measurable
- Attainable
- Realistic
- Time-bound

Understanding Internal Audit's Objectives

Depending upon whether the arrangement is a full internal audit outsourcing or co-sourcing, the Engagement Team may use varying approaches to understand internal audit's objectives. At the beginning of the engagement planning process and when engaging in an outsourcing arrangement, members of the Engagement Team should meet with the chair of the Audit Committee to understand the expectations for the internal audit function, as well as the chairperson's perception of enterprise risk and management's capability and willingness to manage that risk. In co-sourcing arrangements, the team will generally meet with the chief audit executive or IA liaison to accomplish the same objectives. In either scenario, what the Engagement Team learns through the various conversations is documented, retained in AA, and considered as part of both the internal audit department setup activities and the development of the internal audit plan.

When engaging in an outsourcing arrangement, the Engagement Team may find it helpful to meet with the client's external auditor to understand the entity's risk profile and appetite, from their perspective. During such meetings, the Engagement Team should also consider discussing with the client's external auditor where there may be areas of opportunity for them to rely on the work of internal audit, thereby allowing us to drive value for the client.
However, while external audit can influence the internal audit scope, they do not direct the work of internal audit.

The Engagement Team documents its understanding of the client's expectations through the engagement charter. The engagement charter may reference the engagement letter or SOW if they contain sufficient detail as required in the charter template. The team may also communicate information contained within

the agreement through a scoping memo, which can be shared with the client during opening/kick-off meetings, or easily circulated within the client via email. Regardless of charter format (e.g., charter template, engagement letter, SOW or scoping memo), a detailed understanding of the engagement is documented, including:
- A description of the engagement
- Key objectives for the engagement
- The definition of the engagement scope
- A list of key assumptions surrounding the engagement
- A list of engagement deliverables
- An understanding of the engagement milestones, timing and effort
- Key stakeholders and client participants in the in-scope processes, function or locations

The description of the engagement provides high-level, general information that defines the engagement, the approach employed during the engagement, the engagement objectives and the deliverables expected. Once we define the scope of the engagement, we identify engagement-specific details, including, but not limited to, location, entities, processes, time period and any relevant compliance-related guidance from regulators that may help identify areas subject to audit. These more refined details are captured in the project plan or workprogram (see link for examples of both). The project plan provides details around methods such as process mapping, client interviews and sampling that the team will use to execute the engagement. As we work through the engagement, we validate assumptions made during the planning phase and adjust the approach and workprogram if needed.

Co-Developing and Customizing

Throughout the engagement, the Engagement Team should seek active collaboration with the clients. The Engagement Team works with the identified IA liaison to customize and tailor our approaches, tools and templates to best fit the client's culture and preferences. The Engagement Team may also work with or report to a steering committee.
In these scenarios or in any differing context, the Engagement Team should actively seek to collaborate with our clients to maximize acceptance of our work throughout the client's enterprise.

In collaboration with the client's IA liaison, the Engagement Team completes all required Engagement Project Management Tools (communication plan, Engagement Risk and Issue Log and the engagement management protocols and milestones). The communication plan provides a standard for agreeing with the client on stakeholders, roles and responsibilities, periodic status reporting frequency and protocols, escalation plans and any other relevant communication-related engagement needs. The Engagement Risk and Issue Log aids the Engagement Team with documenting potential challenges that may hinder the timely achievement of engagement objectives.

During this phase, we also co-develop a common understanding and definition of critical terms to be used throughout the engagement life cycle. Among others, those terms include risk universe, risk thresholds, ratings of findings and overall report ratings, if used. Our common understanding should encompass the formats of client deliverables, such as the report format, risk assessment model and Audit Committee reports.

Co-Developing the Communication Plan

RSM requires the completion of a communication plan through collaboration with the client's IA liaison at the beginning of each engagement. RSM encourages more communication with the client rather than less, and we generally tailor the communication protocols and frequency based on the client's preferences. The Engagement Team should document the mutually agreed-upon communication plan,

especially if the client chooses a less frequent protocol than what the engagement leader feels is appropriate. In such cases, the project-specific risk may be affected, and the Engagement Risk and Issue Log should be adjusted accordingly. Modifications to the communication plan occur as needed for the purpose of achieving consistent, open and honest communication with the client.

The communication plan consists of two distinct segments: an external communication plan and an internal communication plan. Developing the external communication plan involves working with the client to achieve mutual agreements about key facets of the plan, such as lists of key stakeholders; type, frequency and format of periodic status reports; escalation plans; etc. We seek collaborative discussions when developing the communication plan and expect that the involved stakeholders will include not only our primary IA liaison, but also representatives from the client's upper management, legal department, compliance department and at least one member from the Audit Committee. Figure shows a portion of a sample communication plan.

Most engagements consist of a broad range of stakeholders who may have differing interests and influence on the engagement. The Engagement Team owns the responsibility for determining the communication requirements of these stakeholders. In addition, the Engagement Teams should understand the stakeholders' preferred method of communication. All communication preferences should be agreed upon with the client and documented in the communication plan, which should be maintained as a reference tool for the Engagement Team's project manager throughout the duration of our engagement with the client. As depicted in Figure below, it is important to document the following attributes:
- Communication purpose: Why is the communication being provided?
- Timing: How frequently and when will we provide communications (e.g., every Friday)?
- Owner: Who on the RSM team will be accountable for managing the communication?
- Audience: Who from the client will be included in the communication?
- Medium: What format will we use for the communication (e.g., email vs. in-person)?

Figure Sample Communications Plan

The communication plan should include both external and client-facing components, as well as internal, RSM team aspects. Alternatively, the communication plan can also be divided between external-facing and internal-facing plans.

External Communication Plan

The external communication plan captures stakeholder expectations about communication throughout the engagement. A fully-developed external communication plan should include:
- An Engagement Team and stakeholder directory
- Communication requirements
- Communication methods
- The communication escalation process

Internal Communication Plan

The internal communication plan provides clarity about critical communication expectations for the RSM Engagement Team. In addition to the components of the external communication plan listed above, the internal communication plan includes definitions of roles and responsibilities around:
- Workpaper and deliverable review
- Resource scheduling
- Billing
- Delivery of client status reporting

Co-Developing the Engagement Management Protocols and Milestones

After initiation of the engagement within AA, the Engagement Team selects and follows the appropriate milestone template for each individual project performed as part of the engagement. AA provides preloaded templates for projects of varying sizes and durations. By selecting the template that best matches the approximate duration of your project, AA provides the scalability that allows our Engagement Teams to customize our methodology for each client. These templates also include milestones that become embedded into the AA workflow after the template is selected; Engagement Teams should carefully review, and reconcile as needed, these milestones to ensure that they correspond to the timelines expected by the client.

Co-Developing the Engagement Risk and Issues Log

The Engagement Risk and Issue Log documents potential challenges that may impede the timely achievement of engagement objectives. Although similar identified challenges or engagement risks may recur across multiple clients and engagements, we recognize challenges or risks specific to the facts and circumstances at hand within the context of the engagement.
Completion of the Engagement Risk and Issue Log will help Engagement Teams thoughtfully consider potential hurdles that should be discussed with the client and those that may require proactive planning by the team in order to overcome. Figure shows the Engagement Risk and Issue Log template.

Figure Sample Engagement Risk and Issue Log Template

The Value Scorecard

The value scorecard allows the client and Engagement Team to define key drivers and values for the engagement and to then measure the performance of the RSM Engagement Team during the engagement. We use the value scorecard as a method of allowing the client to monitor our performance and as an internal method for self-monitoring. Key performance indicators (KPIs) within the value scorecard outline the values and methods for measuring the values. For example, KPIs may address timely reporting, ongoing communication or the application of new ideas during the engagement. We may measure the values in terms of time, quantity, efficiencies or other terms (see the engagement page for a list of potential KPIs).

Through the value scorecard, we establish a common language between RSM and the client about activities and strategy. The value scorecard is a performance measurement framework that aligns business activities with organizational strategy. A KPI is a measurable value that demonstrates how effectively the Engagement Team is achieving key internal audit objectives. RSM and the client should agree on the number and type of KPIs accumulated and monitored throughout the engagement. Since the client owns the ultimate approval of the metrics and our ratings, the IA liaison must agree before the release of the final value scorecard.

The comparison of performance with KPIs also assists RSM with illustrating the value delivered by the firm to the client during the engagement, and should be reported upon during the closing phase. Also during the closing phase, the Engagement Team can facilitate an auditee survey process to measure client-side perception of our performance in each project executed as part of outsourcing, co-sourcing or discrete project arrangements (see the engagement page for further discussion).

Agreed-Upon Common Terms and Reporting Formats

All engagement and project reporting protocols should be co-developed with the client and include agreed-upon terms and reporting formats formally approved by both the IA liaison and the engagement leader.

Common Terms

To maintain reporting consistency throughout the engagement life cycle, or the time frame from initiating through closure of an engagement, we define commonly used terms and agree upon the use of those terms with the client during the planning phase. Below is a list of commonly used terms for the risk assessment and reporting processes. Though general definitions exist for each term, they should be refined on a client-by-client basis. Examples of areas in which engagement life cycle commonly used terms are found include:

Risk assessment terms:
- Risk universe
- Risk tolerance/thresholds
- Risk rating scale

Audit report terms:
- Observation ratings
- Overall report ratings

Project Reports and Audit Committee Reports

Prior to the beginning of any internal audit, RSM and the client agree about their preferences for the format of the internal audit report template, as well as any Audit Committee reporting. For clients in certain highly regulated industries (e.g., financial institutions), if pre-existing reporting formats exist that comply with both client and regulator preferences, we recommend the team leverage that format.

Provided through AA, our standard reporting template includes an executive summary and areas for detail supporting findings around both internal control weaknesses and process improvement opportunities. The template also provides ratings for both specific findings and the overall report (example definitions for both categories are also included in the template).
Since RSM prefers limited use of overall report ratings, most commonly in highly regulated industries, such as financial institutions and financial services, the internal audit report template is flexible so that the Engagement Team can include report ratings based on the client's preference.

RSM requires that Engagement Teams do not provide positive assurance in our internal audit reports. RSM also requires that Engagement Teams do not make claims that we perform work in accordance with IIA Professional Practice standards.

Although the Engagement Team has the option of using report templates that can automatically populate through AA, teams may instead use client formats or other co-developed alternatives. In consideration of the reader and to remove unnecessary administrative time from our reporting process, the Engagement Team should emphasize a concise approach to the report, regardless of format chosen. After the Engagement Team and the client have mutually agreed upon the report format, the engagement leader needs to sign off on the format within AA. An annotated example of our report template is integrated into the AA functionality and accessible via the AA client management module.

3.3 Setting Up an Internal Audit Department

Planning: Perform Initial Internal Audit Department Set-Up Activities

Table columns: Objective; Activity; Activity Required (Outsourcing, Cosourcing, Discrete Project); Level of Review Required (Preparer, Level 1, Level 2, Engagement Leader)

Objective: Orient the RSM team to the client and the engagement.
Activity: Communicate client- and engagement-specific information (e.g., logistical considerations, key contacts, etc.) to the Engagement Team.

Objective: Define the purpose, authority and responsibility of the internal audit function.
Activity: Obtain or create, if needed, client's internal audit charter and mission statement.

Some engagements require that RSM establish an internal audit department when one does not exist, such as in certain outsourcing engagements. When this is the case, in conjunction with understanding the client's needs as described in the previous section, we also create additional deliverables related to starting up a new internal audit function. In these cases, we also identify an IA liaison through whom we work to accomplish the required activities (as described in Section above).

Onboarding

Onboarding orients the RSM Engagement Team to the client and the engagement. To enhance efficiency, we should consider preparing a welcome or onboarding package for internal use by RSM team members upon joining an ongoing outsourcing or co-sourcing engagement. Onboarding identifies logistical considerations such as client and industry background, headquarters and remote or satellite locations, the communications plan, client and RSM service team organizational charts, the client's travel policy, our team's travel expense policy and any other information that the team leadership feels relevant and helpful for new team members as they join the engagement.
Additionally, the onboarding package should include results from the Client Needs Assessment (CNA), including output from the benchmarking exercise, any Due Diligence Wheel conversations and other steps from which we gain holistic understanding of the client. Engagement Teams should create an onboarding package in all outsourcing and co-sourcing arrangements, not just when setting up an internal audit function for the first time.

Internal Audit Charter

When RSM provides an outsourced arrangement, we can, but are not required to, provide an internal audit charter if one does not already exist. The charter typically identifies:
- Internal audit objectives and responsibilities
- The expectations for the internal audit activity

- The chief audit executive's (CAE's) functional and administrative reporting lines
- The level of authority (including access to records, physical property and personnel) required for internal audit to perform engagements and fulfill its agreed objectives and responsibilities

Additionally, our client's chief audit executive, the Audit Committee chair (representing the direct reporting line) and the chief financial officer (representing the administrative reporting line) should authorize the internal audit charter. The document library within the AA client management module includes customizable samples designed to meet your client's needs. Although Engagement Teams are encouraged to assist with the development of an internal audit charter when needed and examples are provided, our IA liaison ultimately takes ownership and publishes the charter.

Internal Audit Mission Statement

In outsourced arrangements, a mission statement can, but is not required to, accompany the internal audit charter. An internal audit mission statement explicitly states the core purpose of the function within the organization, and what the function was established to achieve. The document library within AA includes examples of potential mission statements, as well as guidelines for creating an effective mission statement. Although Engagement Teams are encouraged to assist with the development of a mission statement, the IA liaison ultimately takes ownership and publishes the mission statement.

3.4 Engagement-Level Risk Assessment and Internal Audit Plan

Planning: Perform Engagement-Level Risk Assessment Activities

Table columns: Objective; Activity; Activity Required (Outsourcing, Cosourcing, Discrete Project); Level of Review Required (Preparer, Level 1, Level 2, Engagement Leader)

Objective: Identify and measure the client's risks (internal and external) to achieving its objectives.
Activity: Perform internal audit risk assessment(s).

Objective: Evaluate a client's business in relation to their industry and peer group.
Activity: Initiate, monitor, and report on industry benchmarking.

Objective: Collect risk information about the client and their operations, leveraging relevant SMEs as needed.
Activity: Consider performing relevant accelerated assessments (e.g., IT, segregation of duties, third party and fraud).

Objective: Summarize the identified risks, related analysis and recommended internal audit activities.
Activity: Create risk assessment report and related internal audit plan.

Risk can be viewed as the possibility that an event that could impact an organization's achievement of its strategic objectives will occur. Risk can exist both internally within an organization and external to an organization, and can take on many forms, including, but not limited to:
- Strategic risk
- Financial risk
- Operational risk
- Reputational risk
- Regulatory risk
- IT risk
- Personnel risk

More detailed risk assessment guidance can be found in the RSM guide titled: Internal Audit Risk Assessment and Audit Plan Process Overview.

Value exists as a function of risk and reward. Business decisions increase, preserve or erode value. Consequently, organizations do not attempt to completely eliminate or prevent risks. Instead, they seek to manage their risk exposure across all parts of their business so that at any given time they take on an acceptable level of risk while in pursuit of their strategic objectives.

COSO states that risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives (COSO Internal Control Integrated Framework 2013). Using this definition as a guide, an organization evaluates the significance of each risk and the impact on the achievement of its overall goals.

The Engagement Team should perform the risk assessment process in a structured and disciplined fashion. The risk assessment should appropriately scale to the enterprise's size, complexity and geographic reach.
In many instances, a company performs a variety of risk assessment activities as part of their corporate governance (e.g., enterprise risk management, IT security assessment, regulatory compliance) and/or as a component of their internal audit functions. When feasible, RSM advocates performing a risk assessment in an integrated manner, and thus providing a holistic view of an organization's risk universe. An integrated approach entails: 1) combining the various disparate risk assessments such as enterprise risk management (ERM), SOX, internal audit, IT security and to the extent feasible, any assessments performed by the external auditors; and 2) utilizing a multidisciplinary team of professionals to perform the assessment.

Risk Assessment Requirements

Within an internal audit context, a client may request that the firm perform or utilize a pre-existing risk assessment as part of an outsourcing, co-sourcing or discrete project engagement. Depending on whether the client relationship requires outsourcing, co-sourcing or a discrete project, the Engagement Team's role may change with respect to the risk assessment. Our methodology provides a formal, systematic approach to performing a risk assessment. However, an Engagement Team can customize that approach based on specific client needs.

Outsourcing Engagement

If RSM is engaged to provide internal audit outsourcing services, the Engagement Team will generally be tasked with performing the risk assessment that will serve as the primary basis for any proposed internal audit plan. Generally, when we are engaged to provide internal audit services in the form of co-sourcing arrangements or discrete projects, a risk assessment will already have been performed by the client. Additionally, if the internal audit plan serving as the basis for the work is not based on a risk assessment, the firm will automatically scope the engagement as either a co-sourcing or a discrete project and will execute internal audit procedures as scoped by the client. RSM will not perform internal audit services in an outsourcing capacity without a risk assessment being performed.

Because RSM's clients range from noncomplex to highly complex, the nature, timing and extent of the risk assessment can vary. When RSM assumes responsibility as the internal audit outsourcing provider, existing risk assessments may serve as a viable alternative to performing our own risk assessment. In some cases, a viable risk assessment is already in place based upon work performed by the client's previous internal audit provider. In others, a risk assessment may have occurred through another client-internal function, such as the client's ERM operation. Ultimately, the engagement leader has responsibility for determining the appropriateness of the risk assessment model and method to employ.

When encountering previous risk assessments, the RSM Engagement Team should work with their IA liaison to determine the requirement for any additional risk assessment activities. If the Engagement Team and the IA liaison agree to rely on a previous risk assessment, a careful review of the standing assessment inputs, development approach and outputs should occur before its use as a foundation of the firm's internal audit plan.
Additionally, the engagement leader should document our reliance on the non-RSM risk assessment in a memorandum attached within AA (an example of one approach is discussed in further detail below in Section 3.4.3).

Co-Sourcing or Discrete Projects

Engagement Teams may perform co-sourcing or other discrete projects in a context whereby a risk assessment has already been performed or we are performing client-prescribed procedures. As such, these co-sourcing or discrete projects do not require performing a separate risk assessment. However, the nature of such a discrete project may result in a unique, and potentially higher, risk profile. The engagement leader should consider performing an assessment using appropriate SMEs and focusing specifically upon the in-scope process, function or location in such instances.

Risk Assessment Methodology

As previously discussed, a risk assessment can take on many forms. The engagement leader has the responsibility for approving the risk assessment model tailored for his/her specific client situation. Thus, Engagement Teams should consider the following methodology and accompanying enablers as RSM's preferred approach.

RSM uses a scalable Risk Assessment Model (RAM) that draws from both the 2013 COSO Framework and COBIT 5, and is supported by a set of enablers (e.g., templates, surveys, business models), all of which are available within AA. The Engagement Team can utilize the RSM RAM to facilitate the capture and evaluation of the client's risk environment. Key components documented within the RAM include, but are not limited to:
- Identified risks
- Evaluation of impact and likelihood
- Risk response
- Inclusion/exclusion of risk coverage in the internal audit plan

In the subsections that follow, the manual elaborates on the various methods that the firm uses to implement this collaborative approach and describes the tools and enablers available to drive robustness into the risk assessment preparation. The five-phase process described below provides the framework of our risk assessment process.
- Phase I: Understand Business and Define Audit Universe
- Phase II: Co-develop Approach
- Phase III: Identify and Measure Risk
- Phase IV: Prioritize Risks
- Phase V: Ratify Risk Assessment

Understand the Business and Define the Audit Universe (Phase I)

Phase I has the objective of establishing the audit universe by appropriately defining auditable units (e.g., business units, geographic locations or processes). The Engagement Team must define the auditable units in sufficient granularity to identify unique risks and controls that correlate to the client's strategic objectives. The results of the activities performed in the Client Needs Assessment (CNA) phase, most notably the benchmarking results (see Section above), should provide valuable input into understanding the business and identifying the audit universe.

Co-Develop Approach (Phase II)

The Engagement Team should collaborate with the client to assess the client's environment and to determine the desired approaches for gathering information, involving participants, utilizing common definitions and communicating the risk universe to stakeholders for proper assessment.

Information Gathering

Our clients range from low complexity to highly complex. Also, each organization presents a unique culture. As such, an Engagement Team may employ a variety of information gathering approaches when defining an organization's risk profile. Examples of such approaches include, but are not limited to: 1) facilitated group sessions or workshops with key members of management; 2) online polling; 3) one-on-one interviews; and 4) electronic surveys or questionnaires.
The Engagement Team also uses information obtained from external sources, such as analyst reports, and internal management reporting (as available).

Define Risk Thresholds, Measures and Scale

The Engagement Team and the IA liaison co-develop a common definition of risk by quantifying and qualifying the organization's risk tolerance and by defining observable and/or measurable risk factors as characteristics of an auditable unit's presence or absence of likely risk. Examples of risk factors used include, but are not limited to:
- Significance: relevance to the auditable unit in achieving its business objectives
- Impact of control failure: the risk of business objectives not being met and/or extent of financial statement misstatement, regulatory noncompliance, reputational damage and the like
- Likelihood of control failure: potential for business objectives not being met due to a control failure or inadequately designed processes and controls
- Management oversight: degree and adequacy of supervisory governance
- Adequacy of internal controls: the maturity level of the process in relationship to: 1) defined process documentation, policies and procedures; and 2) the adequacy and effectiveness of internal controls
- Human resources: adequacy and competency (i.e., knowledge and experience) of staff and the extent of turnover

- Operational and IT complexity: the difficulty or complexity of a process, volume of transactions, degree of automation, degree of subjectivity involved, and potential for errors in processing, recording or reporting
- Legal/regulatory: the regulatory and legal exposure the client has related to the process, be it from changes in laws, noncompliance, unfavorable judgments or voiding of contracts
- Changes: frequency and breadth of changes in the environment, recent process changes, system upgrades or system implementations, and extent of business growth
- Years since last audit/historical deficiencies: number of years since the last audit (internal audit, SOX or other) and severity and breadth of identified issues (Consideration should be given to management's responsiveness in remediating deficiencies.)

Refer to a template that can facilitate the co-development of the definitions of risk that will be utilized throughout the risk assessment process.

Determining Client Participants

Participants in the risk assessment process, regardless of the specific assessment approach selected, typically include the Audit Committee chair, executive management, business unit managers, IT, legal/regulatory oversight, internal audit and other key stakeholders from across the client organization.

Agreeing on Role of SMEs

The firm strongly encourages Engagement Teams to augment the core Engagement Team with SMEs. Client expectations may indicate the need for expert-level involvement to achieve engagement objectives or the assessed risk environment may present a degree of complexity that calls for SMEs to augment the core Engagement Team.
Examples of SMEs that can drive value in the risk assessment process include personnel who bring expertise in:
- Enterprise Resource Planning- (ERP-) specific IT assurance
- Operational efficiencies
- Cybersecurity
- Forensic and fraud mitigation
- Contract compliance
- Construction risk
- IPO readiness
- Foreign Corrupt Practices Act (FCPA) compliance
- Technical accounting or tax

SMEs can be located through the firm's Our People website.

Identify and Measure Risk (Phase III)

This phase encompasses the collection of risk information. As previously mentioned, the Engagement Team collects information about risks with the assistance of our proprietary Risk and Control Matrix (RACM) catalogs and characteristically through surveying techniques, facilitated sessions and/or interviews. In addition to the RAM and the aforementioned RACMs, RSM provides additional tools, such as those listed below, to assist the engagement teams during the risk assessment process.
- The segregation of duties (or SOD) accelerated assessment evaluates the appropriateness of segregation of duties within a process. This assessment can be made through the use of the Approva or Fastpath SOD tools on ERP applications. When use of the Approva or Fastpath SOD tools is not feasible, the team may leverage manual tools and utilize process-specific SOD matrices.
- The IT environment accelerated assessment enables Engagement Teams to quickly understand the key aspects of most clients' IT environments, to assess the level of internal control and

43 3. PLANNING PHASE process sophistication, as well as to identify potential needs for subject matter expertise during and after the risk assessment. The fraud risk accelerated assessment helps Engagement Teams assess the potential for fraud in the client s environment. The tool allows the Engagement Team to walk through a series of targeted questions with the IA liaison. Each question is weighted based on its relative significance in the fraud evaluation, and the output of the tool provides the Engagement Team with a course of action to consider related to coverage of fraud risk during the risk assessment process. The third-party risk accelerated assessment is similar to the above assessments, in that the tool provides a high-level view of whether third-party risk may be prevalent enough in the client s organization to warrant further attention (e.g., specific internal audit procedures or SME-level examination). Engagement Teams may also utilize the aforementioned tools in stand-alone internal audit projects. These various accelerated assessment tools are most effective when used by SMEs Prioritize Risks (Phase IV) Phase IV has the objective of appropriately grouping the risk information gathered in Phase III and classifying auditable units by their assessed risk (e.g., critical, high, medium, low and insignificant) Ratify Risk Assessment (Phase V) Phase V summarizes the results in a heat map format for presentation to the critical stakeholders identified in Phase II for validation of the underlying individual auditable unit assessment and consensus of the overall assessment Developing an Internal Audit Plan The Engagement Team considers all activities performed and results from the overarching risk assessment when developing the internal audit plan. In turn, the risk assessment and the IA plan provide the client s senior management and Audit Committee with relevant information that influences decisions about internal audit coverage and resource allocations. 
Insights provided by the risk assessment help drive development of the internal audit plan and assist senior management and the Audit Committee in effectively carrying out their risk monitoring and oversight roles.

Based on results of the risk assessment, the Engagement Team develops the proposed internal audit plan with the goal of addressing key organizational risks and providing coverage across the organization. Preliminary effort estimates, in the form of hours per audit, are assigned; typically, these preliminary estimates are refined during each project's planning phase.

The Engagement Team reviews the proposed internal audit plan with their IA liaison, along with any other stakeholders agreed upon with the client, and the entire plan is approved by each client party prior to presentation to the Audit Committee. The specific format and duration (e.g., one-year or multiyear plan) of the internal audit plan should be co-developed with the IA liaison.

The internal audit profession is trending towards a rolling internal audit plan, regardless of its overall duration, that is refreshed frequently (e.g., quarterly). Such a periodic, holistic process allows for the re-evaluation of risks and their business impact as the risk environment changes. It can also provide a forum for a discussion on these evolving risks. Each Engagement Team determines which assessment components to leverage each quarter to refresh the internal audit plan and identifies the most immediate audit needs.

Throughout the plan year, the Engagement Team proactively works with senior management and the Audit Committee to provide appropriate periodic status updates of the IA plan. The Engagement Team gives status reports in conjunction with protocols agreed upon in the external communication plan. Status reports cover progress against the internal audit plan and future adjustments to the internal audit plan due to the re-evaluation of relevant risks.
Updates to the internal audit plan become a valuable tool for senior management and the Audit Committee as they carry out their risk oversight responsibilities.

3.5 Other Project-Level Planning Activities

Planning: Complete Remaining Planning Activities
Columns: Objective | Activity | Activity Required (Outsourcing, Co-sourcing, Discrete Project) | Level of Review Required (Preparer, Level 1, Level 2, Engagement Leader)

- Objective: Refine the details of the project and obtain consensus with the client.
  Activity: Document alignment with your client as to specific details of the project through the project planning memo, engagement charter or other relevant agreement.
- Objective: Prepare the Engagement Team for fieldwork.
  Activity: Communicate project details to the RSM team members assigned to the project.
- Objective: Based on the scope/objective of the project, determine whether the Engagement Team should include SMEs.
  Activity: Document the role of SMEs on this project.
- Objective: Evaluate historic audit results for the area under review and determine the impact on the current project.
  Activity: Review reports and other findings from previous audit activities related to the scope of the current project.
- Objective: Obtain an understanding of the business process(es) included in the scope of the project.
  Activity: Perform process-based walkthroughs specific to the project's in-scope process(es).
- Objective: Inform key client personnel of the upcoming internal audit project.
  Activity: Communicate details of the upcoming project in accordance with the engagement communication plan.
- Objective: Link the specific activities that will be performed to the project scope and objectives agreed to with the client.
  Activity: Create a workprogram (i.e., define audit procedures) customized for the scope of the current project.
- Objective: Identify, monitor and report progress against key engagement milestones and related activities.
  Activity: Customize project milestone timeline template for the individual project, if needed.
- Objective: Identify, monitor and report progress against key engagement milestones and related activities.
  Activity: Revise the project budget and staffing requirements (if needed) based on results of planning activities and final scoping.
- Objective: Obtain the documentation needed to fulfill the procedures outlined in the workprogram.
  Activity: Create and distribute the initial document request list for project fieldwork.

In addition to those outlined above, the planning phase involves additional engagement-level and project-level steps that require consideration when preparing to begin any project, whether part of an outsourcing or co-sourcing internal audit engagement, a discrete project, or as applicable within a staff augmentation.

The Planning Checklist

AA provides a planning checklist that guides the planning process and provides a completeness check over the entire process. RSM requires that the engagement leader approve the checklist within AA.

Refine Project Details and Obtain Consensus With the Client

As discussed in Section 3.2.4, the Engagement Team must align the scope, objectives, approach, key assumptions, timeline, deliverables, team composition and key client participants with the expectations of the client for each project. Agreement with the client must occur through clearly articulated terms, often accomplished through the execution of either an engagement letter or SOW or through an engagement charter or project scoping memorandum. At the conclusion of the planning phase, Engagement Teams should revisit these documents and determine if modifications are needed given the information gathered through the planning activities.

Internal Project Kick-Off Meeting

Before beginning fieldwork, key members of the project team should meet with the broader RSM team assigned to the project to discuss details of the project and ultimately prepare the team for fieldwork. Before the internal project kick-off meeting occurs, the IA liaison should confirm the audit, timing and expectations. The internal project kick-off meeting typically addresses:

- The objective and timing of the audit
- The planning checklist and the resulting assignment of next steps
- Staffing needs and challenges (SME, MDC and RSMi)
- Logistics and other relevant client protocols
- Internal and/or external communication plan
- Any concerns such as unscheduled vacations or knowledge gaps
- Other issues

Notice of Intent to Audit

Once the Engagement Team and the client have confirmed the date for the start of fieldwork, the distribution of an audit confirmation confirms the start date. The notification should be distributed according to the protocols defined in the communication plan. AA includes an example Notice of Intent to Audit template.

Evaluating Control Design

When the project entails evaluating the design of controls for a process, system or location, as opposed to performing a compliance activity or consultative process assessment where control design is out of scope, the Engagement Team is tasked with assessing the suitability of those controls to adequately manage and/or mitigate risk.
In particular, we identify controls to learn about the methods that the client uses to manage an activity covered within the project scope. The controls provide details regarding processes; organizational structure and responsibilities; the reasons for the activity; and the timing of the activity.

To obtain the level of understanding necessary to evaluate the design of controls within any given process, the Engagement Team must first document the process. Documenting the process (or system) can be initially done through narrative notes, flowcharting, various spreadsheet tools, or review (and annotation) of the client's process and/or policy documentation. Documentation produced by the Engagement Team should allow an external reviewer of the workpapers to discern where in a given process the controls exist, and who performs them (see Section 4.4 for further discussion of documentation techniques).

Engagement Teams confirm their understanding of the process flow and related controls through an exercise called a walk-through. A walk-through traces a sample of one or two transactions through each stage of the system/process, with each stage documented by following the agreed-upon documentation protocol (e.g., flowcharts, narratives). This can help confirm whether the process operates as described to the auditor or as set forth in the client's procedural documents. With the walk-through, the auditor also identifies the controls performed within the process. Leveraging the client's understanding of the process gained through the walk-through, the auditor can then evaluate whether the control is designed in such a way as to effectively mitigate the risks associated with the process.

Documentation supporting the walk-through (e.g., photocopy of supporting documents, reports, etc.) should be retained within Auditor Assistant.

When testing the design of controls as part of an internal audit project, the Engagement Team gains and documents an understanding of:

- The control objectives of the process(es) (The Why)
- The frequency or timing of the occurrence or performance of the control (The When)
- The party responsible for conducting the activity (The Who)
- The specific activity being performed by the individual performing the control (The What and How)
- The source of the information to which the control is applied, including if the information is sourced from system-generated reports (The Where)
- Various risks that present the possibility of a control objective not being achieved
- Key controls that mitigate the aforementioned risks, or those controls that are the most important and effective in either preventing or detecting and correcting a misstatement
- Gaps in controls due to inadequate design (e.g., missing controls), the lack of control strength, or lack of documentation evidencing that the control is functioning
- Process and/or control efficiencies (e.g., opportunity to streamline or automate a process, or to reduce redundancies)

Throughout the testing of control design, the Engagement Team should study any information provided by the client (for example system reports, manually prepared spreadsheets, or any combination of the two), as well as perform interviews and hold small group discussions as necessary to help consider the risks that can affect the proper functioning of the controls. If necessary, the Engagement Team should consult with SMEs to help consider areas of specialized risk.
In evaluating control design, the Engagement Team should obtain reasonable assurance of the completeness and accuracy of any such information. When documenting the information provided by the client during the walk-through, the Engagement Team should describe how the parameters of the report are validated during performance of the control that utilizes the report. Not doing so may reduce the overall effectiveness of the control. If the Engagement Team cannot reasonably assure completeness and accuracy of such client-provided information, it may highlight areas of potential control or process improvement and, furthermore, root causes for control operating ineffectiveness noted during substantive testing (as described in Section 4).

Identifying Controls and Key Controls

For internal audit engagements involving the identification of internal controls correlating to certain risks and/or processes, Engagement Teams may use, for select processes, information contained in the firm's catalog of Risk and Control Matrices (RACMs) to assist with the identification of risks and controls usually present within a given process or system. By starting with the prepopulated RACMs, Engagement Teams can confirm the presence of controls they have noted through the walk-throughs and identify potential gaps based on controls listed in the RACMs, which they may not have observed during the walk-throughs. RSM encourages Engagement Teams to customize their RACMs for their clients and maintain them over time as living documents.

Project-Specific Workprogram

RACMs are reference tools and are not all-inclusive lists of risks and controls. Engagement Teams need to exhibit judgment by customizing the risks and controls to the specific circumstances presented at their client.

The workprogram provides a documented link between the engagement scope and objectives, and the specific testing activities the Engagement Team will take to achieve them. Though RSM generally prefers a risk-and-control view when developing our workprograms, the option exists to deviate from that approach (i.e., when a more procedural or compliance-based approach is warranted). The workprogram identifies the controls for testing and describes the tests performed to confirm the effective operation of the controls. A workprogram also establishes the sampling methodology used by the Engagement Team and acknowledges whether the client has approved any deviations from the firm-standard sampling approach (see Section for full coverage of RSM's preferred sampling methodology). The workprogram demonstrates a sufficient level of detail and provides clear guidance to the Engagement Team about the testing approach for the project. The Engagement Team must document the client's approval of any deviations from firm sampling guidance.

To assist Engagement Teams with the preparation of their workprograms, the firm has provided the RACMs noted above with sample audit procedures (available in AA's Document Library). Along with use in planning the risk assessment and documenting controls after walk-throughs, the RACMs can assist in creating the workprograms. AA also allows Engagement Teams to create custom test steps, whether for adding to a pre-existing RACM or as part of creating a fully customized stand-alone workprogram. The customized test steps can be exported into RSM's standard template format, allowing consistency from project to project.

The RSM project team should facilitate approval of the workprogram, following the approvals required within AA, prior to the beginning of work. Approval from the IA liaison about the scope and extent of procedures ensures that the workprogram reconciles with the accepted engagement letter, engagement charter or SOW. The Workprogram Library in AA stores workprogram libraries consisting of standardized risks, controls, tests, procedures and workpapers.
One exception to the process and protocols described above is when we have been engaged in a co-sourcing, discrete project or staff augmentation arrangement, and the client would prefer that we use their own workprograms. In such circumstances we may do so; the Engagement Team should document in AA that the client has requested the use of their workprograms. Prior to using any client-provided workprogram, the Engagement Team should confirm that the objectives of the engagement may be met using the workprogram provided, and make recommendations to the client's IA liaison in the event that the workprogram does not support achievement of the engagement objectives.

Refine Project Budgets and Milestones

The project budget assigns specific staffing resources to align with the project scope. If the risk assessment results indicate a considerably different scope than expected, the project manager may opt to revise the project budget and associated staffing assignments. The project manager remains responsible for tracking actual progress throughout the engagement, comparing actual time incurred to the budget, identifying variances and escalating variances when necessary. AA's client management module provides a budget-to-actual tracking template. Although RSM requires tracking of budget-to-actual during every project, the firm does not mandate a specific tool used for tracking.

The engagement leader reviews and confirms staffing assignments and overall project resourcing mix prior to beginning fieldwork. Unforeseen complexities or changes to scope, whether related to processes or subprocesses to include or exclude from scope or a change to geographic considerations, may require adjustments to the leverage model. If such adjustments require changes to the project economic forecast, such adjustments should occur prior to beginning fieldwork. The Margin Forecasting Tool includes adjustment approval thresholds for all RAS service lines.
Engagement Teams refer to the margin forecasting tool whenever such an adjustment becomes necessary. Additionally, the Engagement Team confirms whether the changes will require updating the MRAM and potentially require further approval of the engagement economics. Again, the Engagement Team should follow approval requirements stated in the staffing and margin forecasting tool whenever adjusting engagement economics.

If the project scope requires MDC involvement, the project manager or another team member must complete the MDC Work Instruction Form and forward the form to the domestic MDC liaison for facilitation purposes. In some situations, the project scope may require RSMi resources. The project manager or another team member must contact the International Office for facilitation purposes.

Prepare and Send a Document Request List

The Internal Audit Team derives the Document Request List (DRL) from everything that the Engagement Team learns throughout the planning process and during walk-throughs. A DRL includes only those documents necessary for us to complete our fieldwork testing. Accordingly, the senior on the engagement issues the DRL to the IA liaison or directly to the relevant client process owners after completing the planning phase of the project and prior to beginning testing.

All planning phase procedures as described throughout this section must be completed, and approved as needed within AA, prior to the beginning of fieldwork.

4. EXECUTING PHASE

During the executing phase, Engagement Teams gather data, learn business insights and execute against the internal audit program or project plan by employing tools, enablers, audit techniques and an integrated audit team, and engaging subject matter resources, where appropriate. Proper and factual documentation serves as the foundation for their findings and conclusions.

An internal audit project, whether an outsourcing, co-sourcing or discrete project arrangement, can take many forms. A partial list of internal audit projects includes:

- Evaluating process/system design and effectiveness
- Assessing risks and controls
- Identifying process improvement opportunities
- Testing compliance with various policies and/or authoritative regulations
- Performing data analysis and/or substantive testing of balances
- Evaluating IT control environments, including general and/or application controls

While the internal audit strategy varies depending on the nature of these projects, adherence to the internal audit standards on documenting the work performed and the conclusions reached remains consistent. Similarly, the standards that apply to the nature and levels of review of an Engagement Team's work product remain consistent regardless of the nature of the project. For example, Engagement Teams need to scope and execute each audit efficiently and effectively, in collaboration with stakeholders; perform timely reviews of workpapers; leverage MDC for testing, when appropriate; identify and validate issues and root cause analysis; develop recommendations/action plans collaboratively with the auditee; manage the budget; and escalate significant matters.

4.1 Auditor Assistant and the Executing Phase

The Engagement Team uses AA throughout the executing phase. AA improves internal audit efficiency and facilitates document retention in compliance with firm-wide requirements.
Unless a client specifically requests otherwise, the use of AA is required for all internal audit engagements.

Additionally, our internal audit teams and individual auditors have access to a suite of tools/enablers that support the executing phase of our methodology. Those tools include audit enablers such as process-specific risk and control matrices, audit programs, sample workpaper forms and various other templates, all of which are to be customized to address your specific client's needs.

4.2 The Formal Opening Client Meeting

Executing: Conduct Formal Opening Meeting with the Client
Columns: Objective | Activity | Activity Required (Outsourcing, Co-sourcing, Discrete Project) | Level of Review Required (Preparer, Level 1, Level 2, Engagement Leader)

- Objective: Kick off the internal audit project fieldwork at the client.
  Activity: Conduct formal opening meeting with the client/auditee.

The opening client meeting for the project builds on information gained from the planning phase and sets the focus on the internal audit process. The firm encourages Engagement Teams to have this meeting in person with the client. However, the meeting may occur through conference calls or even through notifications. The opening client meeting can cover introductions, project scope, project approach, project timing and communication plan, terminology, status of items on the document request list, issue rating definitions, report rating definition (if applicable), issue and root cause validation protocols, confirmation of client expectations, logistics, security badges and responses to questions or concerns with the audit.

Introductions

The opening meeting provides an opportunity for the mutual introduction of audit team members and auditees, as well as discussion about the roles of those team members within the engagement/projects and the functional/business units.

Project Scope

During the opening client meeting, the participants formally confirm that the project scope aligns with the expectations and procedures developed during the planning phase.

Project Approach

A review of the project approach also occurs during the opening client meeting. This review may cover the existing processes for the approach; the organizational structure associated with the engagement/project; relevant budgetary, financial or performance information; and any anticipated significant changes that may occur within the existing systems or processes.

Terminology

The opening client meeting provides an opportunity to explain the agreed-upon terminology/definitions that will be utilized throughout the project (e.g., risk tolerance, ratings of findings).

Project Timing and Communication Plan

The auditor establishes the timing of the internal audit and the scheduling of client interactions (e.g., interviews, document preparation).

Status of Items on the Document Request List

The opening client meeting provides a good opportunity to confirm the status of items requested of the client during the planning phase.
Engagement Teams should retain documentation of the opening client meeting through an annotated formal agenda and/or in a memorandum covering who was in attendance, items discussed, and actions or conclusions reached. Additionally, changes to the internal audit scope or strategy resulting from this meeting need to be reflected in the documents developed during the Planning Phase (e.g., risk assessment model, workprogram). See the Engagement page for the various tools available to assist Engagement Teams in conducting an opening client meeting.

The Engagement Team has the responsibility for documenting a summary memorandum, which includes significant changes to audit scope, issues encountered, key judgments made, consultation on key matters, modifications to work products or other key and significant matters (see template).

4.3 Executing Internal Audit Fieldwork

Once the Engagement Team has confirmed the appropriateness of the workprogram developed in the planning phase, they perform work procedures and document results within an agreed-upon format. Engagement Teams need to understand current state by performing a detailed review of relevant project processes, transactions, policies and procedures, and infrastructure, depending on the scope. Once an understanding of current state is obtained, Engagement Teams analyze issues identified through testing, data analysis or benchmarking against leading practices. Based on the knowledge gained from the analysis, compelling recommendations or other deliverables are developed.

The Engagement Team must provide and maintain sufficient evidence to support its work for review by an independent party. In addition, the Engagement Team must ensure that all final workpapers and documentation reside in AA.

Evaluating Control Design

When the project entails evaluating the design of controls for a process, system or location, the Engagement Team has the task of assessing the suitability of controls to adequately manage and/or mitigate risk. In particular, we identify controls to learn about the methods that the client uses to manage an activity covered by the scope. The controls tell us about: processes; organizational structure and responsibilities; the reasons for the activity; and the timing of the activity. See the Planning Section for a detailed discussion on evaluating control design.

Evaluating Control Effectiveness

When the project involves evaluating the effectiveness of controls, the Engagement Team performs procedures directed toward obtaining audit evidence (see below) and evaluating the effectiveness of the operation of internal control.
Tests directed toward obtaining audit evidence cover: 1) obtaining evidence about the methods for applying the policy or procedure (whether manual or automated); 2) maintaining the consistency for the application during the period; and 3) evaluating the competency of the representative applying the policy or procedure. In other words, the key controls identified in the test of control design occur and operate effectively throughout a specified time frame.

Internal Audit Evidence

Sufficiency and appropriateness are closely interrelated. While a small amount of quality audit evidence may seem sufficient in some situations (i.e., the higher the quality, the less evidence required), a large sample quantity does not correlate to quality of evidence (i.e., poor quality of audit evidence cannot be rectified by merely increasing the amount of evidence).

The source of the evidence, nature of evidence and individual circumstances involved with obtaining the evidence influence the reliability of audit evidence. Generalizations about the reliability of various kinds of audit evidence can occur. However, such generalizations remain subject to important exceptions. Even when the Engagement Team obtains audit evidence from sources external to the entity, circumstances may exist that could affect the reliability of the information obtained. For example, audit evidence obtained from an independent external source may not be reliable if the source is not knowledgeable.

While recognizing that exceptions may exist, the following generalizations about the reliability of audit evidence remain important:

- Audit evidence has greater reliability when obtained from knowledgeable independent sources outside the entity.
- Audit evidence generated internally has more reliability when the related controls imposed by the entity are effective.
- Audit evidence obtained directly by the Engagement Team (e.g., observation of the application of a control) has greater reliability than audit evidence obtained indirectly or by inference (e.g., inquiry about the application of a control).
- Audit evidence has greater reliability when it exists in documentary form, whether paper, electronic or other medium (e.g., a contemporaneously written record of a meeting is more reliable than a subsequent oral representation of the matters discussed).
- Audit evidence provided by original documents has greater reliability than audit evidence provided by photocopies or facsimiles.

Internal Audit Evidence

To ultimately conclude on a finding, the Engagement Team is required to stay objective and should draw their conclusions based upon audit evidence that is both sufficient and appropriate.

Sufficiency measures the quantity of audit evidence. The amount of evidence obtained must be enough that it can be used and considered by the Engagement Team. The quantity of audit evidence required depends on the assessment of risk conducted by the Engagement Team. If the risk of error is high then a higher quantity of audit evidence is required to establish reliance on the audit evidence.

Appropriateness measures the quality of audit evidence. Appropriate audit evidence is relevant and reliable in the given set of circumstances. However, the appropriateness of audit evidence is affected by the time, source and circumstances under which the evidence is obtained.

Engagement Teams should also consider circumstances that may limit the effectiveness of controls.
Examples include:

- Human errors that may arise from misunderstanding of instructions, mistakes of judgment and personal carelessness, distractions or fatigue
- Collusion that may circumvent the separation of duties
- Management overriding the control structure to commit fraud or misstate the financial statements
- Conditions that may change and weaken a system that was adequate at a point in time
- An employee performing conflicting job duties

Engagement Teams obtain sufficient and appropriate audit evidence by applying appropriate audit procedures while keeping the risk assessment in mind. Sufficient and appropriate audit evidence is obtained when the auditor reduces the audit risk (through the application of audit procedures) to such a level that enables the auditor to draw reasonable inferences upon which the auditor can ultimately base a conclusion.

Testing Techniques

The Engagement Team has the responsibility for deciding whether a particular audit procedure is appropriate enough to obtain sufficient and appropriate evidence in a particular situation. As discussed in the planning section, the Engagement Team may deploy various audit techniques when assessing the effectiveness of controls. Engagement Teams must consider the reliability of the audit evidence in determining their audit strategy and concluding upon their findings.

When the Engagement Team deploys a test, the team must document the testing strategy against the relevant control in the workprogram (see planning discussion). The strategy should state the objective of the test, methods for achieving the test and what constitutes an exception to the control.

As with the test of control design, Engagement Teams may use information contained in the firm's catalog of RACMs to assist them in identifying potential testing strategies for select processes. RACMs are reference tools and are not all-inclusive lists of risks, controls or audit procedures. Engagement Teams need to exhibit judgment by customizing their audit strategy to the specific circumstances presented at their client.

Sampling Techniques

Oftentimes, Engagement Teams use audit sampling techniques when testing controls. Engagement Teams use discovery sampling (i.e., a form of attribute sampling) when employing this audit strategy.

In statistical surveys, when subpopulations within an overall population vary, sampling each subpopulation (stratum) independently provides advantages. During this process, Engagement Teams apply simple random sampling or systematic sampling within each stratum. Following this process often improves the representativeness of the sample by reducing sampling error. In addition, the process can produce a weighted mean that has less variability than the arithmetic mean of a simple random sample of the population.

Before applying the below sampling guidance, the Engagement Team must establish (and document) the appropriateness and completeness of the population from which the samples are to be selected. The following tables show our sampling guidance for large populations (i.e., greater than 250 items):

Stratification is the process of dividing members of the population into identical subgroups before sampling. The subgroups are called strata. As a whole, the strata are mutually exclusive. Every element in the population must be assigned to only one stratum. The strata should also be collectively exhaustive. No population element can be excluded. Consequently, when sampling techniques are used, Engagement Teams must satisfy themselves as to the completeness of the population from which the samples are selected.

SAMPLING TABLES
Daily or continuously operating controls
Controls that operate less frequently than daily or continuously

In situations in which the population is less than 250 items, Engagement Teams use the following sample sizes:

• Occurrences ranging from 52 to 250: minimum sample size of 20 percent of the population
• Occurrences ranging from five to 49: minimum sample size of five items
• Less than five occurrences: examine 100 percent of the population

Deviations from the above sampling guidance that result in a smaller sample size must be approved by the engagement leader and the impact on the statistical reliability must be discussed with the IA liaison. This discussion must be documented in our workpapers. Further guidance can be found at Assurance website Section )

Other Testing Activities

Members of the Engagement Team consult with the engagement leader regarding the audit approach when the project utilizes testing strategies other than tests of controls. Examples may include performing an analytical review, data analysis, substantive testing or compliance testing. In some of these circumstances, the firm encourages the use of an audit software tool, such as Idea or ACL. If this is the case, the Engagement Team should plan for the use of the software with a team member trained in the application.

4.4 Documentation

Executing: Complete Workprogram/Audit Procedures and Document Testing in a Format Agreed to by the Client
Columns: Objective | Activity | Activity Required (Outsourcing, Cosourcing, Discrete Project) | Level of Review Required (Preparer, Level 1, Level 2, Engagement Leader)

Objective: Evaluate the design and/or operating effectiveness of controls and processes.
Activity: Evidence completion of the procedures outlined in the workprogram and review by the appropriate personnel.

Objective: Communicate with the auditee (i.e., key client contact(s) for the project) as to the status of the project.
Activity: Conduct regular project status meetings throughout the project and discuss with the client in accordance with the parameters agreed to within the communication plan.

Objective: Capture findings identified through the completion of the workprogram (e.g., testing activities).
Activity: Record all findings (per the project workpapers) in AA's issue summary.

Executing: Complete Workprogram/Audit Procedures and Document Testing in a Format Agreed to by the Client
Columns: Objective | Activity | Activity Required (Outsourcing, Cosourcing, Discrete Project) | Level of Review Required (Preparer, Level 1, Level 2, Engagement Leader)

Objective: Issue invoices as services are delivered to the client. In combination with the status report and budget-to-actual analysis, this will drive awareness of potential budgetary challenges or service delivery issues.
Activity: Prepare interim billings and perform related budget-to-actual analysis.

Executing: Create Status Reports and Discuss with the Client in Accordance with the Parameters Agreed to Within the Communication Plan
Columns: Objective | Activity | Activity Required (Outsourcing, Cosourcing, Discrete Project) | Level of Review Required (Preparer, Level 1, Level 2, Engagement Leader)

Objective: Communicate with the engagement sponsor and/or internal audit sponsor as to the status of the engagement (including all projects, if applicable).
Activity: Create status reports and discuss with the client in accordance with the parameters agreed to within the communication plan.

Audit documentation (i.e., workpapers) provides comprehensive support for the Engagement Team's work by connecting the results of their test procedures to the internal audit findings. It should also align with the expectations agreed upon in the engagement letter and/or SOW. The workpapers must include sufficient detail to clearly indicate: 1) the items tested and their nature and timing; 2) the type of test strategy used; and 3) the results of the test procedures.

Types of workpapers include RACM, meeting notes, issue support (copies of process documents reviewed, process narratives, and process or data flows). Engagement Teams need to show compliance with engagement and firm requirements and follow engagement- or client-specified requirements regarding what we include as a workpaper.

Unless the client (or their auditor) requests otherwise, the Engagement Team does not need to scan or photocopy supporting documentation of every sample tested during the audit. At a minimum, the Engagement Team should retain supporting documentation for:

• One of the transactions tested so that the reviewer can determine that the preparer understood and properly performed the audit technique (The firm recommends the best practice of retaining the other supporting documentation in AA's recycle bin until closing the project. After closing, the Engagement Team retains only the supporting documentation for one transaction in the file.)
• Any transaction that includes a noted exception (This type of documentation provides useful evidence in the closing meeting.)

Characteristics of High-Quality Documentation

The preparation of workpapers requires a careful and detailed approach. High-quality workpapers have the essential characteristics of completeness, accuracy, organization, relevance and conciseness. At a minimum, the Engagement Team should consider the following characteristics:

Completeness: Each workpaper should function as a self-standing and self-explanatory document. Even when separated from the engagement file, the workpaper should allow the reader to understand its purpose, work performed and results obtained. All individual documents must provide adequate evidence of performed work because of the possible review by internal and external parties.

Accuracy: High-quality workpapers include accurate statements and calculations. Engagement Teams are required and trusted to have reasonable proof that their factual claims and statements are true and accurate. A factual claim describes something that is objective, tangible and measurable.

Organization: Because of the possibility of internal and external review that concentrates on purpose, procedures and results, workpapers must have a logical numbering system and a reader-friendly layout. Workpapers should cross-reference from source documentation to test grids and audit work steps. The Issues Summary must cross-reference to the audit report and clearly communicate the basis of audit observations.

Relevance: Audit workpapers and items included within each workpaper should have relevant meaning when applied to audit objectives.

Conciseness: Writing concise and clear notes and removing any unnecessary pages improves the review efficiency and documentation quality. Unnecessary comments, vague generalizations, etc., should not be included, and proper grammar and spelling should be priorities.

Workpaper Elements

As a general rule of thumb, an independent person should be able to re-perform a test based on the information included in the test schedules. An example test grid/lead-sheet can be found via the intranet.

Internal audit workpapers may vary in type and may utilize different formats, such as narratives, memorandums, flowcharts and test grids/lead-sheets. Workpapers should include the source, scope, sign-off, a tick mark legend and exceptions noted.

Source: The workpaper records the name and title of the individual providing the documentation to facilitate future follow-up questions or audits.

Scope: The workpaper includes the nature, timing and extent of procedures and a statement describing the purpose of the particular document with respect to the audit objective.

Sign-off: The preparer's and the reviewer's electronic sign-off in AA provides evidence of completion and accountability.

Tick Mark Legend: A concise definition of all tick marks within the audit workpaper or at a central location clearly describes the work performed during the engagement.

Exceptions: The workpaper documents and explains audit exceptions with logical numbering that cross-references other workpapers.

Documenting Individual Findings/Conclusions

The Engagement Team captures test results in the test results field within AA. The information in the test results field provides an overview of the work undertaken, the key findings and the implications of those findings. This information should have sufficient detail so that the reader may understand how the Engagement Team has determined any issues or weaknesses. When identifying issues, the Engagement Team must explain the related risk of this weakness for the purpose of informing the client about the implication of the finding. When the Engagement Team finds no issues and the testing complies with control as expected, the team states the finding in the test results field.

Throughout fieldwork, the Engagement Team utilizes AA to compile all identified issues in the issues summary. Before conducting the root cause analysis or formal fieldwork exit meeting (see below), the Engagement Team needs to validate their findings and management's responses with the IA liaison and the client representative most closely associated with the processes involved in the issue.

Root Cause Facilitation

All work products within an engagement/project will have at least one detailed-level review performed prior to the issuance of a findings report. Additionally, the engagement leader must complete and document the review of the significant/major level activities prior to the issuance of a report. These review responsibilities have been identified in call-out boxes throughout the internal audit manual. Additionally, AA will assist Engagement Teams in ensuring that the appropriate level of reviews have been performed prior to the issuance of a report.

Oftentimes, individual audit observations disclose symptoms of larger issues. As such, once client agreement regarding specific issues exists, the Engagement Team should perform a root cause analysis. The Root Cause Facilitation Tool assists the team with deriving the underlying fundamental cause of identified audit findings.

4.5 Quality Controls and Review Protocols

The firm has quality control policies that provide reasonable assurance that:

• Personnel comply with firm and professional standards and applicable legal and regulatory requirements
• Issued reports are appropriate in the circumstances.

In alignment with the firm's quality assurance standards, internal audit has established formal review protocols that depend on the role that an individual has on an engagement and/or project. Those roles are:

• Preparer: associate or above
• Level 1 reviewer: senior or above
• Level 2 reviewer: manager and above
• Engagement leader: director or partner/principal
• SME review is optional, as needed

Following the review schema built into AA, the review of all testing procedures, workpapers and revisions to the workprogram follows a one-level-up protocol. For example, senior associates review the work of associates and supervisors review the work of senior associates. If the Engagement Team does not include all staffing levels, the individual at the next logical level above the individual performing the work should perform the review.

The nature of each level's review will vary from project to project. The following information describes typical, but not all-inclusive, review activities by level.

Preparer's Self Review

Before a preparer signs off as having completed a workpaper, they should:

• Be confident and able to support that all work was performed as described in the engagement letter/SOW.
• Adhere to the documentation standards discussed in Section 4.4 Documentation.
• Assess that the workpaper is self-contained (i.e., does not need additional comments/material to be interpreted).
• Make certain that issues and proposed solutions are adequately investigated and documented.
• Address any inconsistencies between other audit areas.
• Confirm no open items are present and all to-do comments are removed from the document.
• Review grammar and run spell-check.
• Ensure the integrity of spreadsheets (e.g., formulas are appropriate, no hidden rows, panes are unfrozen and that the print area has been set).

Level 1 and Level 2 Reviews

The Level 1 and Level 2 reviewers ensure that the following processes occur before signing off:

• Testing is complete and documented in accordance with documentation standards.
• Findings and recommendations are consistent with the results of the test procedures.
• The client has agreed with the findings and recommendations, or reasons for their disagreement are documented.
• All internal control matters are captured in the Engagement Risk and Issue Log.
• Findings and recommendations address root causes and are written in a clear and concise manner.
• All to-do and review comments have been addressed and removed.
• Modifications resulting from review procedures are properly reflected in the underlying documentation.
• Preparer and reviewer sign-offs are documented in AA (please note that AA will automatically lock down and restrict access 60 days after issuing each project report).

will be responsible for the quality of the workpapers, which need to be clear and understandable. They should allow for re-performance so that another interested party could reach a similar result.

Subject Matter Expert Reviews

When a project includes an SME, the Engagement Team should consider having another SME within that service line perform the Level 1 and/or Level 2 reviews.

Engagement Leader Review

The engagement leader's review should address:

• Initiating and planning (prior to the commencement of fieldwork):
   o Client acceptance procedures (e.g., independence and conflict checks, MRAM)
   o The overall audit strategy utilized
   o The engagement staffing, including the use of SMEs and the MDC
• Executing and reporting (prior to issuance of final report)
   o Content of the findings, root causes and the client's action plan
   o Consistency of issues and report ratings
   o Clarity of the report presentation
   o Confirmation that all work has been reviewed and signed off in accordance with the engagement and firm's requirements
   o Appropriate consultation occurred and was documented, if deemed needed

4.6 Conducting the Fieldwork Exit Meeting

Executing: Conduct Fieldwork Exit Meeting with the Client
Columns: Objective | Activity | Activity Required (Outsourcing, Cosourcing, Discrete Project) | Level of Review Required (Preparer, Level 1, Level 2, Engagement Leader)

Objective: Communicate key items about the project to the auditee (e.g., project overview and status, findings and root causes) and define next steps (e.g., define the process for obtaining management action plans, establish target dates for the draft report, etc.).
Activity: Conduct fieldwork exit meeting with the client.

The fieldwork exit meeting provides an opportunity for the Engagement Team and the client to:

• Review the project objectives, the project scope and the project approach.
• Discuss observations and root causes.
• Define the process for obtaining management action plans.
• Establish target dates for the draft project report, the closing meeting and the issuance of the final report.

Most importantly, the fieldwork exit meeting provides an opportunity for the client to give feedback and ask questions. If the Engagement Team has found issues, the fieldwork exit meeting allows everyone to achieve an accurate understanding of the issues and ensure the factual accuracy of the findings. Select the Engagement Page to find an example agenda for the closing meeting.

Project Overview and Status

The firm encourages the engagement manager, director, or principal/partner to lead the fieldwork exit meeting and the discussion about findings and recommendations. Alternatively, the engagement senior may lead this discussion. In keeping the client's needs as a priority, the Engagement Team should offer practical recommendations. When providing a project overview, the Engagement Team also provides supporting evidence for each recommendation and realistic actions that management can take.

Clients may or may not agree with all recommendations. If a client disagrees with a recommendation, the Engagement Team is responsible for understanding the reason for the objections and for documenting the objections in the client section of the draft report.

Communicating the Issues

RSM encourages the timely communication of issues throughout the course of a project. The firm encourages Engagement Teams to produce a draft report of findings and recommendations for management review as a best practice. Issuing a draft report summarizes the audit findings, conclusions and recommendations, expedites the authoring of the final audit report and focuses the Engagement Team and the auditee on the key issues.

Develop Target Dates for Next Steps

One of the most important tasks within the final stages of the executing phase involves setting the target date for the engagement-level closing meeting, due dates for management action plans and other activities. The client has responsibility for setting the dates for the completion of management action plans and for the assignment of responsibilities that involve implementation.

5. REPORTING PHASE

Throughout the internal audit cycle, an Engagement Team can utilize numerous forms of communicating with the client. Examples include:

• Audit committee-level reports: Engagement Teams are often called upon by audit committees to present such items as a risk assessment and internal audit plan, summary results of internal audits performed, status updates on the audit plan and remediation status updates.
• Internal audit reports: Findings and recommendations of internal audit procedures, and other business advice, are normally captured in some form of report that is presented to management, the IA liaison and/or the Audit Committee. As a means to limit our firm's liability exposure, we do not make reference to, much less indicate compliance with, professional standards such as those put forth by the AICPA, IIA or FDICIA.
• Process narratives and process flowcharts: Depending on the nature of the internal audit engagement, our deliverables may take the form of providing process narratives and/or flowcharts.
• Informal/formal presentations: Presentations facilitated by internal audit may be made in response to client requests or education requirements. They may take the form of workshops, forums or roundtable discussions.

These reports are the most visible and widely distributed of our work product. For certain client personnel, these reports may be their only interaction with RSM and thus may serve as the only basis on which they judge our performance. As such, careful report preparation is of utmost importance. This includes formatting reports to the client's needs, remaining objective in our reporting, and being succinct.

5.1 General Reporting Considerations

Irrespective of the nature of the report, internal audit communications have three main objectives:

• Inform by communicating the results of our work.
• Persuade by convincing the client about the validity of our observations and recommendations.
• Provide results that convince the client to take proper action.

Readers of our reports want ideas and plans presented clearly, concisely and simply. Unnecessary complexity gets in the way of the message. Before writing a report, consider:

• What is the report's purpose?
• Who are the readers?
• What are their interests?
• How much do they already know?
• What will make the report easy for them to understand or act upon?

Begin reports with the most important information and taper off to the least important. Avoid mere chronology or a listing of observations. Remember the axiom: Make your bottom line your top line.

General Guidance

When writing reports, the most basic requirement is that we spell words correctly and use proper English grammar. If we do not, our readers may distrust our ability to be accurate in other areas of our work.

Acronyms can be difficult for readers to absorb, so think carefully about how to use them. When you introduce an acronym, always place it in parentheses after the fully written version when first mentioned.

Additionally, internal audit projects, and thus any resulting reports, are anchored in the scope and approach documented in the engagement letter, SOW or engagement charter. As such, the scope and approach articulated in any form of report must remain consistent with the scope and approach outlined in the engagement letter/SOW.

We are not to provide positive assurance on the results of our work (i.e., avoid making statements along the lines of "Based on our test results, controls are performing as designed"). Instead, when necessary, we should provide negative assurance (i.e., "No exceptions were noted.").

Prohibited Terminology

As shown in the following table, Engagement Teams should avoid certain words and phrases for the reasons articulated.

Avoid: Inappropriate use of superlatives, subjective commitments or other unconditional future commitments like:
Reason: Implies an absolute promise and guarantee in all circumstances that can create unintended legal obligations (For example, courts in some jurisdictions have interpreted "ensure," "assure" and "guarantee" as legally binding warranties, while other courts have interpreted "best efforts" to mean all efforts of the entire firm. Similarly, "partner," "partnered" or "partnering" may be misconstrued to mean that we lack independence and/or objectivity.)

Avoid: Derogatory, defamatory, or discriminatory wording or concepts
Reason: Such wording is contrary to the firm's values and code of conduct

Avoid: Using someone's name within the contents of a report (use their title instead)
Reason: Personalizes a finding or comment and may lead to unnecessary confrontation

Avoid: Referring to RSM and RSMi as: One Firm; Global Firm; Global Partnership
Reason: These are not factually accurate descriptions of our structure and thus present legal and regulatory risks

Format Flexibility

RSM encourages Engagement Teams to either use a client's report format or co-develop a format with the IA liaison. As such, RSM does not mandate the use of predefined formats for the various reports that we issue (e.g., audit presentations, risk assessments, audit findings). Templates to assist teams in the co-development process can be found on the Engagement Page.


More information

Report on Inspection of KPMG AG Wirtschaftspruefungsgesellschaft (Headquartered in Berlin, Federal Republic of Germany)

Report on Inspection of KPMG AG Wirtschaftspruefungsgesellschaft (Headquartered in Berlin, Federal Republic of Germany) 1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8433 www.pcaobus.org Report on 2016 (Headquartered in Berlin, Federal Republic of Germany) Issued by the Public Company

More information

AUDIT COMMITTEE CHARTER AS AMENDED AS OF MAY 6, 2015

AUDIT COMMITTEE CHARTER AS AMENDED AS OF MAY 6, 2015 AUDIT COMMITTEE CHARTER AS AMENDED AS OF MAY 6, 2015 This Audit Committee Charter ("Charter") was originally adopted by the Board of Directors (the "Board") of Kate Spade & Company (the "Company") at its

More information

See your auditor clearly. Transparency report: How we perform quality audit engagements

See your auditor clearly. Transparency report: How we perform quality audit engagements See your auditor clearly. Transparency report: How we perform quality audit engagements February 2014 Table of contents 1) A message from the CEO and Managing Partner Assurance 2 2) Quality control policies

More information

Checklist for Higher Education

Checklist for Higher Education Checklist for Higher Education The following section contains a checklist addressing issues of particular relevance to higher education. The guidance is considered best practice for higher education. The

More information

FARMER BROS. CO. CORPORATE GOVERNANCE GUIDELINES (Adopted February 1, 2017)

FARMER BROS. CO. CORPORATE GOVERNANCE GUIDELINES (Adopted February 1, 2017) FARMER BROS. CO. CORPORATE GOVERNANCE GUIDELINES (Adopted February 1, 2017) The Board of Directors (the Board ) of Farmer Bros. Co. (the Company ) has adopted these Corporate Governance Guidelines (these

More information

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. March Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Audit Committee March 2015 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance Audit Committee (the Guidance Note )

More information

How to Pass an ALGA Yellow Book Peer Review Training by the Association of Local Government Auditors (ALGA) Tampa, Florida September 20, 2013

How to Pass an ALGA Yellow Book Peer Review Training by the Association of Local Government Auditors (ALGA) Tampa, Florida September 20, 2013 How to Pass an ALGA Yellow Book Peer Review Training by the Association of Local Government Auditors (ALGA) Tampa, Florida September 20, 2013 7:30 8:00 Continental Breakfast & Registration 8:00 8:30 Section

More information

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français.

Guidance Note: Corporate Governance - Audit Committee. January Ce document est aussi disponible en français. Guidance Note: Corporate Governance - Audit Committee January 2018 Ce document est aussi disponible en français. Applicability The Guidance Note: Corporate Governance Audit Committee (the Guidance Note

More information

Will Your Company Pass a Privacy Audit?

Will Your Company Pass a Privacy Audit? Will Your Company Pass a Privacy Audit? by Tammi K. Franke The Issue - Companies that collect personal information are under increasing scrutiny by both consumers and governments in the United States and

More information

International Standard on Auditing (Ireland) 315

International Standard on Auditing (Ireland) 315 International Standard on Auditing (Ireland) 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment MISSION To contribute to Ireland having

More information

International Standards for the Professional Practice of Internal Auditing (Standards)

International Standards for the Professional Practice of Internal Auditing (Standards) INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS) Attribute Standards 1000 Purpose, Authority, and Responsibility The purpose, authority, and responsibility of the

More information

9. Internal control Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in

9. Internal control Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in 9. Internal control Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable

More information

Internal Audit Policy and Procedures Internal Audit Charter

Internal Audit Policy and Procedures Internal Audit Charter Mission Statement Internal Audit Policy and Procedures Internal Audit Charter The mission of the Internal Audit Department is to provide independent and objective reviews and assessments of the business

More information

Sarbanes-Oxley Act of 2002 Can private businesses benefit from it?

Sarbanes-Oxley Act of 2002 Can private businesses benefit from it? Sarbanes-Oxley Act of 2002 Can private businesses benefit from it? As used in this document, Deloitte means Deloitte Tax LLP, which provides tax services; Deloitte & Touche LLP, which provides assurance

More information

INTERNATIONAL STANDARD ON AUDITING 260 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE CONTENTS

INTERNATIONAL STANDARD ON AUDITING 260 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE CONTENTS Introduction INTERNATIONAL STANDARD ON AUDITING 260 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE (Effective for audits of financial statements for periods beginning on or after December 15, 2009) +

More information

CHARTER OF THE BOARD OF DIRECTORS

CHARTER OF THE BOARD OF DIRECTORS SUN LIFE FINANCIAL INC. CHARTER OF THE BOARD OF DIRECTORS This Charter sets out: 1. The duties and responsibilities of the Board of Directors (the Board ); 2. The position description for Directors; 3.

More information

Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment ISA 315 (Revised) Issued September 2012; updated February 2018 International Standard on Auditing Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

More information

Implementation Guides

Implementation Guides Implementation Guides Implementation Guides assist internal auditors in applying the Definition of Internal Auditing, the Code of Ethics, and the Standards and promoting good practices. Implementation

More information

Lake County School District. Quality Assurance & Improvement Program. Internal Self-Assessment for. The Internal Audit Department

Lake County School District. Quality Assurance & Improvement Program. Internal Self-Assessment for. The Internal Audit Department Lake County School District Quality Assurance & Improvement Program Internal Self-Assessment for The Internal Audit Department Fiscal Year 2017 2018 Completed By: Thomas A. Mock, CIA Date: January 31,

More information

REX ENERGY CORPORATION CORPORATE GOVERNANCE GUIDELINES

REX ENERGY CORPORATION CORPORATE GOVERNANCE GUIDELINES REX ENERGY CORPORATION CORPORATE GOVERNANCE GUIDELINES The Board of Directors (the Board ) of Rex Energy Corporation (the Company ) has adopted the following corporate governance guidelines. These guidelines

More information

Compilation Engagements

Compilation Engagements SINGAPORE STANDARD ON RELATED SERVICES SSRS 4410 (REVISED) Compilation Engagements This revised Singapore Standard on Related Services (SSRS) 4410 supersedes SSRS 4410 Engagements to Compile Financial

More information

Implementation Guide 1200

Implementation Guide 1200 Implementation Guide 1200 Standard 1200 Proficiency and Due Professional Care Engagements must be performed with proficiency and due professional care. Revised Standards Effective 1 January 2017 Getting

More information

INTERNATIONAL STANDARD ON AUDITING 210 TERMS OF AUDIT ENGAGEMENTS CONTENTS

INTERNATIONAL STANDARD ON AUDITING 210 TERMS OF AUDIT ENGAGEMENTS CONTENTS INTERNATIONAL STANDARD ON AUDITING 210 TERMS OF AUDIT ENGAGEMENTS (Effective for audits of financial statements for periods beginning on or after December 15, 2006. Appendix 2 contains conforming amendments

More information

STARWOOD HOTELS & RESORTS WORLDWIDE, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

STARWOOD HOTELS & RESORTS WORLDWIDE, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS STARWOOD HOTELS & RESORTS WORLDWIDE, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS Starwood Hotels & Resorts Worldwide, Inc. (the Company ) has determined that it is of the utmost importance

More information

AICPA STANDARDS FOR PERFORMING AND REPORTING ON PEER REVIEWS. Effective for Peer Reviews Commencing on or After January 1, 2009

AICPA STANDARDS FOR PERFORMING AND REPORTING ON PEER REVIEWS. Effective for Peer Reviews Commencing on or After January 1, 2009 AICPA STANDARDS FOR PERFORMING AND REPORTING ON PEER REVIEWS Effective for Peer Reviews Commencing on or After January 1, 2009 Guidance for Performing and Reporting on Peer Reviews Copyright 2008 by American

More information

International Standard on Auditing (UK) 620 (Revised June 2016)

International Standard on Auditing (UK) 620 (Revised June 2016) Standard Audit and Assurance Financial Reporting Council June 2016 International Standard on Auditing (UK) 620 (Revised June 2016) Using the Work of an Auditor s Expert The FRC s mission is to promote

More information

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements Page A 1 Standard Appendix Auditing Standard No. 2 AUDITING AND RELATED PROFESSIONAL PRACTICE STANDARDS Auditing Standard No. 2 An Audit of Internal Control Over Financial Reporting Performed in Conjunction

More information

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements AUDITING STANDARD No. 2 An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements March 9, 2004 AUDITING AND RELATED PROFESSIONAL PRACTICE STANDARDS

More information

FIRST SOLAR, INC. CORPORATE GOVERNANCE GUIDELINES. A. The Roles of the Board of Directors and Management

FIRST SOLAR, INC. CORPORATE GOVERNANCE GUIDELINES. A. The Roles of the Board of Directors and Management FIRST SOLAR, INC. CORPORATE GOVERNANCE GUIDELINES A. The Roles of the Board of Directors and Management 1. The Board of Directors - The business of First Solar, Inc. (the Company ) shall be conducted under

More information

Audit Independence Policy

Audit Independence Policy Audit Independence Policy 1. Policy Purpose The objective of this policy is to ensure that audit independence is maintained, both in fact and appearance, such that Methven s ( Methven ) external financial

More information

CITIZENS BANCORP CITIZENS BANK BOARD AUDIT COMMITTEE CHARTER

CITIZENS BANCORP CITIZENS BANK BOARD AUDIT COMMITTEE CHARTER CITIZENS BANCORP CITIZENS BANK BOARD AUDIT COMMITTEE CHARTER SCOPE It is the responsibility of the Board of Directors of Citizens Bancorp and its subsidiary, Citizens Bank (the Company ) to ensure the

More information

SOUTHWEST AIRLINES CO. AUDIT COMMITTEE CHARTER

SOUTHWEST AIRLINES CO. AUDIT COMMITTEE CHARTER SOUTHWEST AIRLINES CO. AUDIT COMMITTEE CHARTER The Audit Committee of the Board of Directors of Southwest Airlines Co. shall consist of at least three directors, each of whom shall meet the independence

More information

Chapter 2. The CPA Profession

Chapter 2. The CPA Profession Chapter 2 The CPA Profession Review Questions 2-1 The four major services that CPAs provide are: 1. Audit and assurance services Assurance services are independent professional services that improve the

More information

Compilation Engagements

Compilation Engagements IFAC Board Final Pronouncement March 2012 International Standard on Related Services ISRS 4410 (Revised), Compilation Engagements The International Auditing and Assurance Standards Board (IAASB) develops

More information

GoldSRD Audit 101 Table of Contents & Resource Listing

GoldSRD Audit 101 Table of Contents & Resource Listing Au GoldSRD Audit 101 Table of Contents & Resource Listing I. IIA Standards II. GTAG I (Example Copy of the Contents of the GTAG Series) III. Example Audit Workprogram IV. Audit Test Workpaper Example V.

More information

BioAmber Inc. Audit Committee Charter

BioAmber Inc. Audit Committee Charter BioAmber Inc. I. General Statement of Purpose Audit Committee Charter The purposes of the Audit Committee of the Board of Directors (the Audit Committee ) of BioAmber Inc. (the Company ) are to: assist

More information

CLIENT ALERT: INTERNAL CONTROL OVER FINANCIAL REPORTING

CLIENT ALERT: INTERNAL CONTROL OVER FINANCIAL REPORTING CLIENT ALERT: INTERNAL CONTROL OVER FINANCIAL REPORTING All public companies either have begun or will soon begin a process, required under Section 404 of the Sarbanes-Oxley Act of 2002 ( SOX ), of reviewing

More information

Practice Advisory : Quality Assurance and Improvement Program

Practice Advisory : Quality Assurance and Improvement Program Practice Advisory 1300-1: Quality Assurance and Improvement Program Primary Related Standard 1300: Quality Assurance and Improvement Program The chief audit executive must develop and maintain a quality

More information

Case Report:Deficiencies in Audit Quality Control

Case Report:Deficiencies in Audit Quality Control Case Report:Deficiencies in Audit Quality Control July 2011 Certified Public Accountants and Auditing Oversight Board Introduction Since its establishment in April 2004, the Certified Public Accountants

More information

SEMPRA ENERGY. Corporate Governance Guidelines. As adopted by the Board of Directors of Sempra Energy and amended through December 15, 2017

SEMPRA ENERGY. Corporate Governance Guidelines. As adopted by the Board of Directors of Sempra Energy and amended through December 15, 2017 SEMPRA ENERGY Corporate Governance Guidelines As adopted by the Board of Directors of Sempra Energy and amended through December 15, 2017 I Role of the Board and Management 1.1 Board Oversight Sempra Energy

More information

Ohio Public Employees Retirement System. Request for Proposal

Ohio Public Employees Retirement System. Request for Proposal Ohio Public Employees Retirement System For: Consulting Services for Development of the Business Intelligence & Analytics Office Date: 9/11/2017 Project Name: Business Intelligence & Analytics Program

More information

IMMUNOGEN, INC. CORPORATE GOVERNANCE GUIDELINES OF THE BOARD OF DIRECTORS

IMMUNOGEN, INC. CORPORATE GOVERNANCE GUIDELINES OF THE BOARD OF DIRECTORS IMMUNOGEN, INC. CORPORATE GOVERNANCE GUIDELINES OF THE BOARD OF DIRECTORS Introduction As part of the corporate governance policies, processes and procedures of ImmunoGen, Inc. ( ImmunoGen or the Company

More information

Audit Committee of the Board of Directors Charter CNL HEALTHCARE PROPERTIES II, INC.

Audit Committee of the Board of Directors Charter CNL HEALTHCARE PROPERTIES II, INC. Audit Committee of the Board of Directors Charter CNL HEALTHCARE PROPERTIES II, INC. [Insert CNL logo] PURPOSE The primary purpose of the Audit Committee (the Committee ) is to assist the Board of Directors

More information

Agreeing the Terms of Audit Engagements

Agreeing the Terms of Audit Engagements SINGAPORE STANDARD SSA 210 ON AUDITING Agreeing the Terms of Audit Engagements SSA 210, Agreeing the Terms of Audit Engagements superseded SSA 210, Terms of Audit Engagements in January 2010. The Companies

More information

F5 NETWORKS, INC. AUDIT COMMITTEE CHARTER AS AMENDED AND RESTATED BY THE BOARD OF DIRECTORS OF F5 NETWORKS, INC. APRIL 21, 2017

F5 NETWORKS, INC. AUDIT COMMITTEE CHARTER AS AMENDED AND RESTATED BY THE BOARD OF DIRECTORS OF F5 NETWORKS, INC. APRIL 21, 2017 F5 NETWORKS, INC. AUDIT COMMITTEE CHARTER AS AMENDED AND RESTATED BY THE BOARD OF DIRECTORS OF F5 NETWORKS, INC. APRIL 21, 2017 PURPOSE The purpose of the Audit Committee is to assist the Board of Directors

More information

International Standards for the Professional Practice of Internal Auditing (Standards)

International Standards for the Professional Practice of Internal Auditing (Standards) Attribute Standards 1000 Purpose, Authority, and Responsibility The purpose, authority, and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent

More information

(Effective for audits of financial statements for periods ending on or after December 15, 2013) CONTENTS

(Effective for audits of financial statements for periods ending on or after December 15, 2013) CONTENTS INTERNATIONAL STANDARD ON AUDITING 315 (REVISED) IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT THROUGH UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT Introduction (Effective for audits of

More information

Independent Validation of the Internal Auditing Self-Assessment

Independent Validation of the Internal Auditing Self-Assessment Minnesota State Colleges & Universities Office of Internal Auditing Independent Validation of the Internal Auditing Self-Assessment Final Report March 7, 2007 Reference Number: 2007-03-004 INDEPENDENT

More information

ESSEX POLICE, FIRE AND CRIME COMMISSIONER, FIRE AND RESCUE AUTHORITY

ESSEX POLICE, FIRE AND CRIME COMMISSIONER, FIRE AND RESCUE AUTHORITY ESSEX POLICE, FIRE AND CRIME COMMISSIONER, FIRE AND RESCUE AUTHORITY DRAFT Internal Audit Strategy 2018/19 Presented at the audit committee meeting of: 15 December 2017 This report is solely for the use

More information

Internal Audit Charter

Internal Audit Charter Barangaroo Delivery Authority (the Authority) Document Control Approved by: Barangaroo Delivery Authority Board Date of Approval: 9 December 2015 Review Cycle: Annually Reviewed: 29 November 2016 Next

More information

SRI LANKA AUDITING STANDARD 260 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE CONTENTS

SRI LANKA AUDITING STANDARD 260 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE CONTENTS SRI LANKA AUDITING STANDARD 260 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE Introduction (Effective for audits of financial statements for periods beginning on or after 01 January 2012) CONTENTS Paragraph

More information

IoD Code of Practice for Directors

IoD Code of Practice for Directors The Four Pillars of Governance Best Practice Institute of Directors in New Zealand (Inc). IoD Code of Practice for Directors This Code provides guidance to directors to assist them in carrying out their

More information

INTERNATIONAL STANDARD ON AUDITING (IRELAND) 210 AGREEING THE TERMS OF AUDIT ENGAGEMENTS

INTERNATIONAL STANDARD ON AUDITING (IRELAND) 210 AGREEING THE TERMS OF AUDIT ENGAGEMENTS INTERNATIONAL STANDARD ON AUDITING (IRELAND) 210 AGREEING THE TERMS OF AUDIT ENGAGEMENTS MISSION To contribute to Ireland having a strong regulatory environment in which to do business by supervising and

More information

External Auditor Independence Policy

External Auditor Independence Policy External Auditor Independence Policy Policy Statement The objective of this policy is to ensure that audit independence is maintained, both in fact and appearance, such that Telecom s external financial

More information

ULTA BEAUTY, INC. Corporate Governance Guidelines

ULTA BEAUTY, INC. Corporate Governance Guidelines ULTA BEAUTY, INC. Corporate Governance Guidelines The Board of Directors (the Board ) of Ulta Beauty, Inc. (the Company ) has adopted the following Corporate Governance Guidelines (the Guidelines ) to

More information

Dexia Group Audit Charter

Dexia Group Audit Charter January 2013 Dexia Group Audit Charter The present Charter states the fundamental principles governing the internal audit function in the Dexia Group, describing its objectives, its role, responsibilities

More information

Case Report from Audit Firm Inspection Results

Case Report from Audit Firm Inspection Results Case Report from Audit Firm Inspection Results July 2014 Certified Public Accountants and Auditing Oversight Board Table of Contents Expectations for Audit Firms... 1 Important Points for Users of this

More information

Using the Work of an Auditor s Expert

Using the Work of an Auditor s Expert ISA 620 Issued March 2009; updated June 2018 International Standard on Auditing Using the Work of an Auditor s Expert INTERNATIONAL STANDARD ON AUDITING 620 USING THE WORK OF AN AUDITOR S EXPERT The Malaysian

More information

International Standard on Auditing (UK) 315 (Revised June 2016)

International Standard on Auditing (UK) 315 (Revised June 2016) Standard Audit and Assurance Financial Reporting Council June 2016 International Standard on Auditing (UK) 315 (Revised June 2016) Identifying and Assessing the Risks of Material Misstatement Through Understanding

More information

Huntington Bancshares Incorporated

Huntington Bancshares Incorporated January 17, 2018 4 of 7 Exhibit A CORPORATE GOVERNANCE GUIDELINES A. Director Responsibilities 1. In General. The Company s By-laws provide that the shall consist of not less than three directors and not

More information

AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF THE TORONTO-DOMINION BANK CHARTER

AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF THE TORONTO-DOMINION BANK CHARTER AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF THE TORONTO-DOMINION BANK CHARTER ~ ~ Supervising the Quality and Integrity of the Bank's Financial Reporting ~ ~ Main Responsibilities: overseeing reliable,

More information

1. an Employee's private interests interfere, or even appear to interfere, with the interests of the Company;

1. an Employee's private interests interfere, or even appear to interfere, with the interests of the Company; I. INTRODUCTION CBRE, ( the Company ) is firmly committed to conducting business with the highest integrity and in compliance with the letter and spirit of the law. Our Standards of Business Conduct requires

More information

Quality Assurance and Improvement Program (QAIP)

Quality Assurance and Improvement Program (QAIP) Quality Assurance and Improvement Program (QAIP) Presenters: Lori Carmichael, CPA Rafael Guijarro, CPA Florida Michigan North Carolina Texas Insight. Oversight. Foresight. Class Overview Overview- QAIP

More information

SERBA DINAMIK GROUP BERHAD INTERNAL AUDIT CHARTER

SERBA DINAMIK GROUP BERHAD INTERNAL AUDIT CHARTER SERBA DINAMIK GROUP BERHAD INTERNAL AUDIT CHARTER 1) 2) 3) 4) 5) 6) 7) 8) 9) 10) 11) 12) 13) CONTENT ILLUSTRATION INTRODUCTION & PURPOSE OF THE INTERNAL AUDIT CHARTER INTERPRETATION OBJECTIVES MISSION

More information

Standing Advisory Group Meeting

Standing Advisory Group Meeting 1666 K STREET NW, 9 TH FLOOR WASHINGTON, DC 20006 TELEPHONE: (202) 207-9100 FACSIMILE: (202) 862-8430 www.pcaobus.org Agenda Item 9 Standing Advisory Group Meeting Potential Standard Engagement Quality

More information

TERMS OF REFERENCE OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS

TERMS OF REFERENCE OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS TERMS OF REFERENCE OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS 1. Purpose An Audit Committee (hereinafter called the Committee ) of the Board of Directors (hereinafter called the Board ) of the Business

More information

THE FIRST OF LONG ISLAND CORPORATION CORPORATE GOVERNANCE GUIDELINES

THE FIRST OF LONG ISLAND CORPORATION CORPORATE GOVERNANCE GUIDELINES PURPOSE AND BOARD RESPONSIBILITIES The purpose of these Corporate Governance Guidelines is to continue a long-standing commitment to good corporate governance practices by The First of Long Island Corporation

More information

Public Company Accounting Oversight Board

Public Company Accounting Oversight Board 1666 K Street, N.W. Washington, DC 20006 Telephone: (202) 207-9100 Facsimile: (202) 862-8433 www.pcaobus.org Report on 2008 (Headquartered in New York, New York) Issued by the Public Company Accounting

More information

SRI LANKA AUDITING STANDARD 315 (REVISED)

SRI LANKA AUDITING STANDARD 315 (REVISED) SRI LANKA AUDITING STANDARD 315 (REVISED) IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT THROUGH UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT (Effective for audits of financial statements

More information

External Quality Assessment Review of University of Florida s Office of Internal Audit

External Quality Assessment Review of University of Florida s Office of Internal Audit External Quality Assessment Review of University of Florida s Office of Internal Audit May 30, 2017 TABLE OF CONTENTS Executive Summary... 1 Objectives, Scope and Methodology... 2 Summary of Results...

More information

Audit and Risk Committee Charter

Audit and Risk Committee Charter Audit and Risk Committee Charter Purpose The Audit and Risk Committee ( Committee ) has been established as a committee of the board of directors ( Board ) of Trustpower Limited (the Company ) to assist

More information

EASTMAN CHEMICAL COMPANY. Corporate Governance Guidelines

EASTMAN CHEMICAL COMPANY. Corporate Governance Guidelines I. Role of the Board of Directors EASTMAN CHEMICAL COMPANY Corporate Governance Guidelines The Board of Directors is elected by the stockholders to oversee management and to assure that the long-term interests

More information

2.1 Describe the various organizational structures of public accounting firms

2.1 Describe the various organizational structures of public accounting firms Auditing, 12e (Arens) Chapter 2 The Public Accounting Profession 2.1 Describe the various organizational structures of public accounting firms 1) One of the main advantages of a "big" public accounting

More information

CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF DROPBOX, INC.

CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF DROPBOX, INC. CHARTER OF THE AUDIT COMMITTEE OF THE BOARD OF DIRECTORS OF DROPBOX, INC. (Adopted on February 22, 2018; Effective upon the effectiveness of the registration statement relating to the Company s initial

More information