This sample request for proposal (RFP) is used to solicit services to establish an internal audit function. It discusses the standard information providers should include in their proposals.

This sample template helps map out an organization’s business processes and their impact or reliance on IT systems and applications.

The purpose of this sample memo is to document the SEC restrictions on public communication by companies beginning initial public offerings of their capital stock.

This sample audit committee and disclosure committee agenda outlines the quarterly meeting topics for audit and disclosure committees.

This one-page approval sheet helps you track to completion the process of approving a contract or project. It allows you to identify the parties involved and then provides a checklist of the fundamental steps to be completed by different parties.

This dashboard provides an example of how to report the status of compliance with U.S. healthcare reform regulations.

This template will help capture the results of a risk assessment facilitated session. It allows leaders of these sessions to document their final results in an organized format.

This form assists in evaluating Sarbanes-Oxley control deficiencies and allows management to document related responses. The evaluation criteria includes: evidential deficiencies, potential impact to financial statements, safeguarding of assets and antifraud controls, likelihood that an error could occur, compensating controls and multiple similar control deficiencies.

The purpose of this memo is to document the audit approach, project scope and project timing for auditing various locations of a university in order to determine compliance with select university policies and procedures, whether key financial controls exist and are operating effectively and whether reasonable security protocols are being followed.

The purpose of this presentation is to facilitate a risk assessment workshop. It explains to workshop participants the objectives and ground rules, how to identify key risks, and how to plot significance and likelihood on a risk map.

This is a sample memo defining management’s approach to Sarbanes-Oxley Section 404 compliance. The memo outlines the processes in scope, testing approach, sample sizes and management sign-off.

Segregation of duties is an integral part of the internal control environment. The following assessment form will assist you in understanding a function’s segregation of duties and related internal control effectiveness. Sales, accounts receivables, related cash collections are included.

The purpose of this memo is to document the approach to administering and supervising internal audit projects.

This template is to be used by internal audit when developing an annual audit plan. It provides areas to document the planning approach, major projects and associated timelines, and project sponsors.

This is a sample memo notifying spreadsheet owners about the requirement to document the internal controls related to spreadsheets relied upon for financial reporting. The communication explains why these controls are important to manage spreadsheet risks.

This is a template to be used by a company when developing a service level agreement (SLA), providing areas to document the version history, audience, assumptions and escalation actions.

This memo provides a template for documenting the overall audit approach to evaluate the design of newly implemented controls or those planned to be implemented. It also focuses on evaluating the effectiveness of existing controls.

This is a sample request for qualified IT services to help create an IT vendor list for multiple year projects. The information requested in this document includes: description of work to be performed, service categories, procedures for obtaining services, and special contracting terms and conditions.

This sample provides a template to assess multiple project options using project risk factors and quantitative metrics.

This memo can be used as a working template to ensure all company entity-level controls exist, are reviewed in detail and can document additional findings in need of escalation.

This sample memo provides guidance on drafting an action plan that will remediate risks associated with the observations noted during an audit.

This form documents the request to change project scope, identifying the purpose and the change management impact of the requested scope change.

This document serves as an executive report template focused on the progress of the Sarbanes-Oxley Section 404 program.

This example presentation displays the results of an internal audit department evaluation to the audit committee, particularly following the quality assessment review process.

This memo describes example documentation requirements for Section 404 compliance efforts. The three levels of documentation standards described correlate to the priority rating of financial statement elements and associated processes.

This is an example memo used to define the process of prioritizing financial statement elements and related business processes for Sarbanes-Oxley Section 404 purposes. The prioritization of these items helps define the extent of a company’s process-level documentation efforts.

This crossword puzzle is a fun tool internal audit organizations can use as an activity during group meetings. The puzzle focuses on activities and skills key to the internal audit function. Many of the questions are derived from the IIA’s International Standards for the Professional Practice of Internal Auditing. The questions and answers for the puzzle are provided within this document.

This is a sample request for proposal (RFP) for Sarbanes-Oxley compliance assistance working with a company’s internal audit department.

This sample document outlines the internal audit plan for specific projects that are planned to be delivered. Further details on the scope of these projects, interaction with the auditee and execution steps are provided in this planning document.

This is a sample request for proposal (RFP) for an external quality assessment review (QAR) of a company’s internal audit department.

This is a sample memo documenting a company’s testing strategy for Sarbanes-Oxley compliance. This memo focuses on the test strategy for business process controls including entity-level controls and validating this strategy with external auditors.

This is a sample request for proposal (RFP) and vendor questionnaire from a company seeking a service provider to establish an internal audit function with an emphasis on compliance with the Sarbanes-Oxley Act.

This sample memo documents a company’s annual Sarbanes-Oxley compliance process. It details steps followed and conclusions reached during the project including: the scoping, materiality and risk assessment process; testing; walkthroughs; evaluating deficiencies; and management’s conclusion on internal control over financial reporting.

This is an example email you can use to notify SOX process owners that the external auditors will perform at least one walkthrough for each significant class of transactions. This communication explains what is involved in an audit walkthrough, preparatory actions to take, and tips and suggestions for the auditor’s assessment.

This template provides sample performance measures for the following business processes: accounts payable, accounts receivable, billing, close the books, commissions, finance and accounting, fixed assets, internal audit, inventory, payroll, purchasing, spare parts, supply chain, tax, and travel and entertainment.

This sample code of business conduct covers a wide range of business practices and procedures, including the Foreign Corrupt Practices Act. It sets out basic principles to guide all employees and officers of a company. The code of business conduct should be tailored to each company’s needs and governing rules.

This example memo defines a process to update Sarbanes-Oxley testing of internal controls near or as of fiscal year-end. Such a process includes determining which controls to select for update testing as well as the type of testing to perform based on specific criteria.

This sample internal audit engagement letter informs the auditee of an upcoming audit. It details the audit objectives, audit timeline, audit team members, expected deliverables and audit team’s mission.

This sample document establishes a framework and standard policy for compliance with Section 404 of the Sarbanes-Oxley Act.

This sample helps project teams track key information and dates associated with developing Sarbanes-Oxley process documentation and management review.

This is an example of a relatively informal RFP for specialized systems audit outsourcing services to be coordinated by the Internal Audit Director.

The purpose of the matrix is to communicate assignments and responsibilities related to the account reconciliation process. It also helps to ensure these activities are completed on time and conducted properly and accurately in conjunction with the overall financial close process and internal control structure

This risk assessment sample helps to identify and document critical business processes. Combined with facilitated management meetings, this approach can help gain company-wide consensus by including key process owners in risk and controls analyses.

The document serves as a sample project plan for integrating the finance and accounting processes for a company planning to go public. It addresses key issues such as: system integration, payroll processing, and billing and collections processes. It lists down the key actions that need to be taken by each department and milestones that they should set out to achieve.

This sample schedule provides an annual planner for audit committee activities and demonstrates how to schedule and track audit committee activities throughout the year. Using an annual planner helps ensure that required topics and issues are discussed and not overlooked.

This evaluation form can be used by an interviewer or recruiter to rate a candidate for an internal audit position. The form suggests competencies and criteria that could be applied to someone seeking to obtain employment in the audit group.

This simple one-page tracking sheet allows you to follow the status of a particular internal audit report. It tracks the date the draft was distributed, the intended reviewer, and date of comments received.

This document provides a template to track the progress of all completed and in-progress audit activity during a specified period.

This sample provides a template for documenting the overall audit approach. Topics addressed include: risk indicators, regulatory requirements, scope of audit work, internal control evaluation, and operation and functional structure.

Role-based access plays a big part in an identity management strategy. The implementation of an identity management system and the associated process redesign has many benefits for an organization if done right. This document provides a sample template to outline a role-based access approach.

This template provides a structured way to define an organization’s system landscape. Use this document to capture applications utilized in the company and assess whether they fall within scope for Sarbanes-Oxley compliance testing purposes.

This template can be used by the audit team when planning and scheduling specific audits. The document allows users to organize audits by process and location while assigning hours to specific dates throughout the year.

This document is a sample application control review risk control matrix (RCM) that can be used while reviewing the existing application controls of an organization. It can also act as a basic checklist for organizations which have applied or plan to apply Enterprise Resource Planning (ERP) software.

This document represents a sample risk control matrix (RCM) relevant to the logistics department of a corporation. It provides an overview of different risks organizations can face and the corresponding controls to safeguard the company against such risks. This RCM also addresses how a good Enterprise Resource Planning (ERP) system coupled with good management can prevent fraud.

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) established a system of "risk corridors" for prescription drug plans and Medicare Advantage drug plans. That system would to some extent limit the profits or losses those plans would incur if their costs of providing the basic Medicare drug benefit turned out to be lower or higher than estimated in their bid submission. This sample risk and control matrix (RCM) addresses the risk corridor process.

The purpose of this month-end close document is to ensure that all responsible employees are fully aware of their assignments and their responsibilities are completed on time, properly and accurately in accordance with the company’s financial closing and reporting internal control structure. This document is organized by ERP cutoff tasks and activities broken down into pre-close, recurring entries, reconciliations, internal controls and analysis & reporting.

This document serves as a template to use in tracking the testing of internal controls. The spreadsheet can be used to track control testing status and operating effectiveness and to create a testing timeline.

This sample timeline outlines steps needed to complete the financial reporting process. It helps management define roles and responsibilities and meet specified deadlines.

This document details an internal audit plan for a specific period and the related projects that are planned to be delivered to the organization. Further details on the scope of these projects are provided in relation to planned internal audit activities.

Performing regular account reconciliations contributes to strong internal controls. The purpose of this sample is to provide a template to document the reconciliation of the intercompany payable and receivable accounts.

Use this template upon completion of an audit to have team members discuss the audit and to provide feedback on audit execution, lessons learned, best practices, and future audit considerations. Sections include names of audit team members, performance against budget, lessons learned, internal process improvement suggestions, and future audit considerations.

This survey is intended to be sent to relevant departments upon completion of work performed by internal audit. The questionnaire focuses on topics such as: communication, exit and closing meetings, technical proficiency, and level of value the audit provided to the business unit.

The purpose of this sample template is to document the positions that currently make up a company’s accounting function during the competency assessment process. Information in this template includes: job title, job function and responsibilities, start date, relevant work history, education level, and professional organizations and accomplishments.

This is a sample form used to communicate specific findings identified during an audit. This form focuses on the condition and/or significance of the finding, the standard by which the finding is compared, and the Management Action plan recommended to address the finding.

This is a sample spreadsheet used to track acquisition details. Data tracked in this spreadsheet can accommodate several acquisitions and details that include important dates, information related to the First Binding Agreement, and analysis.

This interview template can assist with capturing information related to a process being reviewed by internal audit. The specific information tracked in this document includes identifying key personnel, relevant IT applications, relevant risks, controls currently in place, and related control gaps.

This testing status sample template can assist in tracking the testing of controls, control attributes, and testing attributes such as control description, control method, and control frequency.

This template was designed to assist companies in the periodic evaluation of potential impairment of Goodwill and Indefinite Lived Intangibles. Note that this is a tool to assist companies in the summarization of their impairment evaluations under U.S. GAAP, but is not intended to promote one valuation model/methodology over another.

The purpose of this sample is to document the activities performed as part of the monthly financial close process and identify areas where task duration can be improved upon. As part of this effort, users are encouraged to document the responsible person for each financial close task, current task duration, and desired task duration.

This document serves as a template to use in tracking the number of key internal controls identified in an organization. The information compiled in this template can be used to develop project status reports and plan for remediation efforts.

This sample serves as a template to use when documenting internal control issues and associated remediation plans. It provides an outline of information to use in this tracking process including: process, nature of issue, observation, control description, and action plan.

The Six Elements of Infrastructure Framework is a useful tool for categorizing issues, understanding where problems are occurring within the organization, and drawing conclusions to form the basis for process recommendations. This template may be used by a company when identifying, assessing, or designing processes using this framework. For each of the Six Elements of Infrastructure, this sample template provides areas to document innovative practices, current practices, and improvement opportunities.

The purpose of this document is to provide a template to use when analyzing whether a lease should be classified as a capital or operating lease for financial reporting purposes. This template is based on the criteria outlined in SFAS 13. Note: This template contains formulas as outlined in the instructions.

This risk and control matrix focuses on high-level control objectives DS10 (Manage Problems and Incidents) and DS13 (Manage Operations) of the COBIT Delivery and Support domain.

This sample matrix aligns high-level control objectives DS4 (ensure continuous service) and DS11 (manage data) of the COBIT Delivery and Support domain and with their associated risks.

This Risk and Control Matrix focuses on high-level control objectives AI2, AI5, and AI6 of the COBIT Acquire and Implement domain, PO10 and PO11 of the Plan and Organize domain, and DS11 of the Deliver and Support domain.

This internal audit planning memorandum documents the audit approach and administrative details for each audit. This memorandum should be completed as part of the initial audit planning process and is meant to enhance audit efficiency.

The COBIT Delivery and Support (DS) domain focuses on the delivery aspects of information technology. It covers areas such as the execution of the applications within the IT system and the results, as well as, the support processes that enable the effective and efficient execution of these IT systems. These support processes include security issues and training. This risk and control matrix focuses on control objective DS5 - Ensure Systems Security.

A fundamental element of internal control is the segregation of certain key duties. The basic idea underlying segregation of duties is that no employee or group should be in a position both to perpetrate and to conceal errors or fraud in the normal course of their duties. This worksheet has been designed to highlight conflicting duties performed by one individual or group of individuals. Audit teams are encouraged to use this form to help identify potentially commingled duties within accounting processes that may constitute a control weakness.

The goal of Enterprise Risk Management is to identify, evaluate and manage key risks impacting an organization’s ability to achieve its objectives and strategies. This document provides a template to inventory and assess critical risk areas (business functions) and the associated risks embedded within each area. The results can be used to help develop an Internal Audit Plan. The results may also be included in the Risk Assessment Report provided to the Audit Committee.

The process to evaluate and classify an individual process/transaction-level control deficiency incorporates the evaluation of quantitative and qualitative factors. This sample form assists in documenting and analyzing exceptions identified during individual process/transaction-level control testing.

While your business environment evolves, so do the risks you face. New vulnerabilities appear while old fears antiquate. Can you distinguish between the two? Identify, understand, mitigate. This is the ERM formula for a good nights sleep.

The SAS 70 report is intended to communicate, from auditor to auditor, the testing performed around the outsource provider’s internal controls, particularly controls over IT processes. This report provides an example of how to communicate the findings of a Type II SAS 70 review when a company outsources the processing of its employee payroll checks. It assess how the results of the report impact the company’s SOX compliance process.

This excel template can assist organizations in capturing results of a risk assessment facilitated session. It allows leaders of these sessions to document the final results, based on discussion or the use of voting technology, in an organized format. This sample also provides the opportunity to capture next steps and ownership related to the risk assessment results.

Enterprise Risk Management (ERM) requires clear risk management goals and objectives, linked to business objectives and strategies. This document is a sample project plan utilized during the planning phase of implementing ERM across an organization. The project plan supports a phased implementation approach detailing tasks, deliverables, and a project timeline.

An internal audit department led a self-assessment initiative to evaluate the effectiveness of the design of internal controls for their company’s operations and budget process. This report describes the approach, the results, and the recommendations that resulted from the initiative.

This template provides a format to document SOX internal control testing procedures, results, and conclusions. It allows the user to detail the control being tested, testing procedures, test results to answer test procedures, and management’s response.

This matrix provides sample application controls to consider within a property-management accounting system. This document guides the user in assessing the priority and vendor capability of each control. The control assessment is then summarized to develop an action plan.

This is a sample request for proposal (RFP) and vendor questionnaire from a company seeking a service provider to conduct a quality assessment review of its internal audit department and coverage of its entities.

This is sample request for proposal (RFP) from a financial institution seeking a service provider to conduct an evaluation of its internal audit approach and coverage of its regulated subsidiaries.

This sample request for proposal (RFP) document focuses on finding a service provider to perform an external quality assessment review of an internal audit department. It details the process and timeline for responding to the RFP. In addition, it documents proposal requirements and the acceptance or rejection process.

This form assists in evaluating SOX control deficiencies and documenting management responses. Users can also assess the severity of deficiencies noted during the documentation and testing process. The evaluation criteria includes: evidential deficiencies, potential impact to financial statements, safeguarding of assets and antifraud controls, likelihood that an error could occur, compensating controls, and multiple similar control deficiencies.

This is an example of how a Sarbanes-Oxley (SOX) team can report their findings related to the tax compliance process. This document reviews the business processes related to the tax compliance process, identifies manual and system-based controls, and documents issues and weaknesses.

This guide outlines the risks, control objectives, manual controls, IT controls, and responsibilities related to creating, maintaining and executing disaster recovery and business continuity plans within an organization.

Section 404 of SOX requires that each company have a documented, on-going process to identify, assess and evaluate fraud risks related to internal control over financial reporting. This example provides an overview of the process one company undertook to satisfy the requirements of evaluating fraud risk that pertain to internal control over financial reporting.

Type II SAS 70 reports are an integral part of assessing a company’s internal controls over financial reporting if a company uses an outsource provider. The SAS 70 report is intended to communicate, from auditor to auditor, the testing performed around the outsource provider’s internal controls, particularly controls over IT processes. This report can help an organization communicate the findings of a Type II SAS 70 review and assess how the results of the report impact the company’s internal controls over financial reporting.

Lack of controls over spreadsheets can present a risk to the accuracy of financial statement information and may be identified as a deficiency under Sarbanes-Oxley Section 404. This document contains an example of spreadsheet control procedures. The procedures outline the access and change control steps that could be applied for financial spreadsheets. Also included is a checklist that tracks the spreadsheet control procedures and can be used in SOX spreadsheet testing.

This sample report records the result of an evaluation of security policies and procedures at a hypothetical company. The sample illustrates security policy issues and best practices regarding controls and responsibilities that could be incorporated into a review, and provides a useful format for reporting the results.

This sample RFP for Internal Audit Co-sourcing and Sarbanes-Oxley compliance services provides a number of interesting questions to be asked of a potential outsource or co-source partner. A thorough RFP that asks the for the right information can save time and help identify the best company for the job.

This sample report records the result of an evaluation of security policies and procedures at a hypothetical company. The sample illustrates administrative and personnel security policy issues and best practices that could be incorporated into a review, and provides a useful format for reporting the results.

This sample report records the result of an evaluation of security policies and procedures at a hypothetical company. The sample illustrates communications security policy issues and best practices that could be incorporated into a review, and provides a useful format for reporting the results.

This sample report records the result of an evaluation of security policies and procedures at a hypothetical company. The sample illustrates application development and change control policy issues and best practices that could be incorporated into a review, and provides a useful format for reporting the results.

This sample report records the result of an evaluation of data security policies and procedures at a hypothetical company, Company X. The purpose of this sample is to illustrate: A report format that can be used to communicate the status of company policies, and also to present recommendations for policy changes to management, including details of specific policy and procedure findings, gaps, and recommendations regarding policy changes; Data security policy issues and practices that could be incorporated into your own review.

This sample report records the result of an evaluation of software security policies and procedures at a hypothetical company, Company X. The purpose of this sample is to illustrate: A report format that can be used to communicate the status of company policies, and also to present recommendations for policy changes to management; Software Security Policy issues and practices that could be incorporated into your own review.

This sample Request For Proposal (RFP) illustrates the types of questions can be asked of a potential internal audit outsourcing/co-sourcing service provider.

This risk management manual contains a methodology that can be modified and used by other construction companies, or by businesses that are themselves undertaking construction projects. The methodology allows for project risk analysis and deciding whether or not to proceed with the project.

This sample Request For Proposal (RFP) contains many questions to be considered when outsourcing or co-sourcing any part of an internal audit function. Many or all of the questions presented on the list can be placed in the RFP to potential service providers.

This sample Request For Proposal (RFP) illustrates the types of questions that can be asked of a potential internal audit outsourcing/co-sourcing service provider.

Benford's Law demonstrates that seemingly random numbers in large volumes of data have digits that can be predicted to occur with certain frequencies. Internal auditors can use this principle to analyze large volumes of numerical data. This spreadsheet contains formulas for calculating expected frequencies using Benford's Law.

This calculator identifies some common fraudulent and/or deceptive financial accounting practices, and gives the user examples of substantive audit tests and ratios to help catch the activity.

These internal audit meeting and schedule planning templates can be used in the planning and scheduling of meetings.

These case studies describe internal audit situations for different business processes.

The following is taken from an actual self assessment session, investigating possible process improvements for the Foreign Exchange process.

This presentation provides an example of how recommendations and action plans can be presented to management upon completion of a Quality Assurance Review (QAR).

Balanced scorecards look at performance from four perspectives, rather than from a single bottom-line measure. Balanced scorecards can be used to demonstrate the value of departments to their companies, and to make departments more responsive to corporate needs.

"This worksheet can be used as a template for documenting and linking business risks, process objectives, related controls, and an auditor's evaluation. It is based on the COSO framework."

This report-writing example illustrates how different types of opinions/conclusions could be issued at the completion of an audit.