Key Considerations for Your Internal Audit Plan AU1607

7/27/2019 Key Considerations for Your Internal Audit Plan AU1607

1/40

C]q[gfka\]jYlagfk^gjqgmjafl]jfYdYm\alhdYf=f`Yf[af_l`]jakcYkk]kke]flYf\

Y\\j]kkaf_]e]j_af_jakck

Afka_`lkgf_gn]jfYf[]$jakcYf\[gehdaYf[]

EYq*()+


2/40

iii Insights on governance, risk and compliance | May 2013

Risk assessment leading practices ..................... 2

Accounting ....................................................... 4

Finance ............................................................6

Tax .................................................................. 8

Sustainability .................................................. 10

Customer ....................................................... 12

Corporate development ..................................14

Fraud and corruption ......................................16

Information security ....................................... 18

Business continuity management .................... 19

Mobile ............................................................20

Cloud .............................................................21

IT risk management ........................................ 22

Program management ....................................24

Software/IT asset management ....................... 26

Social media risk management ........................ 28

Segregation of duties/identity

and access management ................................. 30

Data loss prevention and privacy ..................... 32

Human resources ............................................ 34

Supply chain and operations............................36

Contents


3/40

)Insights on governance, risk and compliance | May 2013

Lhe internal amdit risk assessment and the ongoing re^resh processes are

critical to identi^qing and îltering the activities that internal amdit can perôrm

to provide measmraZle Zeneît to the organiration&Ohile there are o^ten a

nmmZer o non%negotiaZle activities that internal amdit ^mnctions mmst

smpport KGP and other regmlatorq compliance, epternal amditor assistance!,

the internal amdit department has the opportmnitq to deliver increased risk

coverage, cost savings and measmraZle valme to the Zmsiness Zq identi qing and

perôrming amdits across the companqs valme chain& In omr role as the leading

provider o^ internal amdit services, oe have spent consideraZle time oorking

oith omr clients and thomght leaders to2

)& Identi q emerging risks and areas that most organirations are cmrrentlq

focused on

*&


4/40

* Insights on governance, risk and compliance | May 2013

Components of the

risk assessment

Data reviewed

Data analytics

Stakeholderengagement

Interview/surveytechniques

Collaboration

Audit prioritization

Outputs

Ohq is the need for a oorld%class internal audit risk assessmentmore vital than ever7

Lhere are multiple drivers Zehind the grooing importance of epecuting a roZust and

comprehensive risk assessment2

Internal audit executives continue to be challenged by the Audit Committee and

executive management to look around the corner and answer the question, Have

o]a\]fla]\Yddl`]Za_jakck7

Changes in the marketplace and external environment:

Increased risk due to expanding operations in emerging markets and developing

countries

Increased regulatory demands

Increased focus on cost savings across all functions including internal audit

Changes in the role of internal audit within organizations:

Effective use of internal audit resources no longer means only maintaining a world-class

assurance program that keeps the organization out of trouble. The department must

also improve the business through value-based audits and recommendations.

Investors are willing to pay for it 82% of institutional investors are more willing to

pay a premium for effective risk management (source: Ernst & Young survey)

Jisk assessmentleading practices

Ohen assessing risk to the organiration, internal audit functions

tqpicallq fall Zetoeen Zasic and leading on the maturitq curve Zeloo&

9s qour department moves tooard leading Zq utiliring the techniiues

listed here, qou increase qour aZilitq to look around the corner andidentifq the right risks&

)

*

+


5/40

+Insights on governance, risk and compliance | May 2013

:asic


6/40

4 Insights on governance, risk and compliance | May 2013

Operationalizing statutory

reporting: driving global

consistency to create savings

and transparency

www.ey.com/Publication/vwLUAssets/Operationalizing_Statutory_

Reporting/$FILE/Operationalizing%20Statutory%20Reporting_Driving%20global%20consistency.pdf

Operationalizing statutory reportingDrivingglobalconsistencyto createsavingsand transparency

:mkaf]kkZ]f]lk2

afYf[aYd9[[gmflaf_9\nakgjqK]jna[]k

Ernst&Youngrapidassessment

;mklgear]\lggdkYf\]fYZd]jklg_Yl`]j

\YlYgfdaf_klYlmk$[mjj]flhjg[]kkYf\j]dYl]\[gklk

Customizedglobalstatutory

reporting database

Hjgna\]knakaZadalq Y[jgkkqgmj _dgZYd

gj_YfarYlagf

>Y[adalYl]kYfYd qkakYf\a\] fla[Ylagf

g^[gfkakl]fll`]e]kYf\akkm]kZq

_]g_jYh a[Yddg[Yl agfYf\Zq hjg[]kk

Dashboardandreporting

=^^][lan]hj]k]flYlagfg^af^gjeYlagflgkmhhgjlh jg b][leYfY_]e]flYf\

eYfY_]e]fl\][akagf eYcaf_

Ernst&Youngglobalaccounting

database

Hjghja]lYjq\YlYZYk]l`Ylhjgna\]k

Y[[]kklgmh%lg%\Yl]$\]lYad]\$dg[Yd

j]hgjlaf_j]imaj]e] flk

Jecommended reading

Accounting

The pace of change to accounting standards is unprecedented

in the US and globally. Multinational organizations need to

understand how business decisions affect accounting and

reporting today, as well as the impact anticipated changes to

standards may have. The business needs to develop practical

strategies for managing the impact of accounting changes on

the organization. There needs to be particular focus in countrieswhere regulators are increasingly aligning local regulations with

IFRS, such as Brazil and the United Kingdom. It is imperative for

the internal audit department to be aware of potential changes

to accounting regulations, such as:

SEC accounting, disclosure and reporting matters The

K=;klY^^j][]fldq\ak[mkk]\q]Yj%]f\fYf[aYdklYl]e]fl

considerations and their areas of focus: revenue recognition

disclosures, valuation of deferred tax assets and observations

related to the new fair value disclosures. It is expected that

auditors will need to place extra scrutiny in these areas.

FASB and IASB The two organizations recently commented

on their joint convergence projects related to:

Revenue recognition. The new standard is expected to be

fYdar]\af*()+&L`]j]eYafaf_akkm]klgZ]fYdar]\j]dYl]

to disclosure and transition to the new standard.

Leases.Ka_fa[Yfl[`Yf_]k`Yn]Z]]feY\]lghjagj\jY^lk

developed by the Boards, and the revised proposal is expected

lgZ]j]d]Yk]\^gj[gee]flafl`]jklimYjl]jg^*()+&L`]

new draft is expected to end off-balance-sheet accounting for

leases by lessees.

Seizing the opportunity in

global compliance and

reporting: survey trends

www.ey.com/GL/en/Services/Tax/Seizing-the-opportunity-in-Global-

Compliance-and-Reporting--Global-Compliance-and-Reporting-Survey

K]araf_l`]ghhgjlmfalqaf?dgZYd;gehdaYf[]Yf\J]hgjlaf_Kmjn]qYf\lj]f\k

Financial instruments.L`]]phgkmj]\jY^lgf[dYkka[YlagfYf\

e]Ykmj]e]flak]ph][l]\lgZ]akkm]\afl`]jklimYjl]jg^

2013. Many changes have been made for convergence in these

areas, but the two Boards remain relatively far apart on the

issue of impairment.

IFRS update The SEC is continuing to investigate whether to

af[gjhgjYl]A>JKaflgl`]MKfYf[aYdj]hgjlaf_kqkl]eYf\$a^so, when to do so. The indication is that a decision will not be

made anytime soon.

As organizations are executing the day-to-day activities to meet

l`]j]hgjlaf_j]imaj]e]flk$l`]j]Yj]kh][a[Yj]Ykl`Yll`]q

need to focus on to mitigate the associated risks:

Statutory reporting Multinational organizations need to

understand the statutory reporting requirements and the

processes they need in place to meet them. The business must

assess its requirements and evaluate the opportunity to increase

[gfkakl]f[qafalkfYf[aYdj]hgjlaf_hjg[]kk]k&

Business transformation As organizations continue to lookfor opportunities to drive cost out of the business through major

transformations (e.g., shared service center implementations),

the accounting and reporting function must be aware of the

ka_fa[Yfljakclgl`]Zmkaf]kk&Gj_YfarYlagfkemklmk]l`]k]

transformations as an opportunity to streamline their accounting

policies and controls, thereby reducing both cost and risk.

ERP system implementation The implementation of an ERP

kqkl]eakYka_fa[Yflafn]kle]flZql`]gj_YfarYlagfYf\g^l]f

takes several years to be fully integrated. As an organization

is planning such a migration, the business should assess the

changing accounting and control requirements and incorporate

them into their plans.


7/40

5Insights on governance, risk and compliance | May 2013

Lhe audits that make an impact Cey iuestions to evaluate during audit

Accounting policy review The internal audit team focuses on

l`]\]f]\]flalq%oa\]Y[[gmflaf_hgda[a]kg^l`]gj_YfarYlagf&

The team reviews the consistency of application across entities

through sample testing (e.g., account reconciliations, accruals,

manual journal entries). Additional time is spent reviewingaccounting policies against leading practices (e.g., number of

days to close each month/quarter) and proposed legislation or

regulatory changes.

O`YlYj]l`]\]f]\Y[[gmflaf_hgda[a]kg^

l`]gj_YfarYlagf7

What is the process to disseminate updates and/or changes

lgl`]hgda[qlgYddh]jkgff]d7

What is the process for deviating from policy and is there anYhhjgnYdeYljap^gjl`]k]\]naYlagfkZYk]\gfeYl]jaYdalq7

Lease accounting review The internal audit team inventories

and reviews the organizations leases. A review of the policy for

leases is conducted, with individual leases being sampled for

adherence to policy and applicable guidance. For additional

Y\\]\nYdm]lgl`]gj_YfarYlagf$l`]afl]jfYdYm\all]Yea\]fla]k

improvement opportunities in the lease analysis (e.g., use of

a standard template) process.

Does the organization have a database or repository of all of

alkd]Yk]k7

Akl`]j]YfYhhjgnYdeYljap^gjd]Yk]kZYk]\gfeYl]jaYdalq7

O`Ylakgj_YfarYlagfkhgda[qgfd]Yk]k7

O`YlYj]l`][gfljgdkafhdY[]afl`]d]Yk]a\]fla[YlagfYf\

]p][mlagfhjg[]kk7

Statutory risk assessment The internal audit team focuseson the countries in which the organization operates and

assesses the statutory risk to the business. A risk assessment

is performed of the locations based on the statutory reporting

risk of each location, as well as the materiality and inherent

risk of the companys operations in each location.

O`ggofkklYlmlgjqj]hgjlaf_7 Where have we had issues from a statutory reporting

h]jkh][lan]afl`]hYkl7

For countries in which we operate, which are inherently

`a_`]jjakc7

Are we appropriately aligning our resources for statutory

j]hgjlaf_ZYk]\gfjakc7


8/40


Jecommended reading

>inance

Oàd]fYf[]^mf[lagfk`Yn]àklgja[YddqZ]]fY^g[mkgâfl]jfYd

audit departments, pressures from within the organization to

dgo]j[gklkYf\aehjgn]l`]]^[a]f[qg^l`]^mf[lagf`Yn]Z]]f

augmented by emerging challenges. The push for shared service

centers, implementations of global ERP systems, and the

standardization of global policies, procedures and operations

have increased the pressure on CFOs and their functions. With

these initiatives come risks that internal audit needs to identify,

assess and help the organization mitigate with appropriate

controls and strategies.

In addition to the internal pressures to reduce costs and operate

egj]]^[a]fldq$]pl]jfYd\]n]dghe]flkYj]Ydkg\]eYf\af_egj]

g^fYf[]^mf[lagfk&>gjafklYf[]$[gfka\]jl`]j][]flljYmeYaf

l`]_dgZYdfYf[aYdeYjc]lk$l`]mfcfgofaehY[lg^l`]

implementation of the Patient Protection and Affordable Care Act

in the United States, and the uncertainty surrounding additional

governmental policy and legislation. While all of this is occurring,

fYf[]Yf\alkd]Y\]j$l`];>G$Yj]]ph][l]\lgk]jn]YkYZmkaf]kk

partner in strategic decision-making by putting the right informationin the hands of decision makers at the right time.

;gfka\]jl`]^gddgoaf_fYf[]jakckYf\l`]ajaehY[lgfl`]

function and organization.

Disparate nance systems and processes Multinational and

global organizations frequently grow through inorganic methods

(e.g., acquisitions), often leading to the need to manage

different ERP packages and supporting systems. Additionally,

l`]fYf[aYdhjg[]kk]kYf\l`]aj[gfljgdkYj]g^l]ffgl

consistently designed (or performed), leading to a potential

roadblock in the businesss operations.

Managing performance

through famine and feast:

the CFOs role as economic

advisor

www.ey.com/GL/en/Services/Advisory/Managing-performance-through-famine-and-feast---CFO-report

Views. Vision. Insights:

the evolving role of

todays CFO

www.ey.com/GL/en/Issues/EYfY_af_%fYf[]'L`]%


9/40


The audits that make an impact Cey iuestions to evaluate during audit

Analysis of the budgeting and forecasting process

Assess the annual budgeting and forecasting processes including

the internal controls and potential process, improvement

recommendations. Review the primary business segments of the

organization, current state processes and root cause issuesdriving inaccuracies in the forecast.

What is the current process for budgeting and forecasting and

akal[gfkakl]flY[jgkkZmkaf]kkmfalk'dg[Ylagfk7

How do we monitor the accuracy of the budgeting and

^gj][Yklaf_hjg[]kk7

What are the controls in place to assess accuracy and[gehd]l]f]kkg^l`]hjg[]kk7

O`YlY[lagfkogmd\Z]j]imaj]\lgY\\j]kkl`]_Yhk7

Capital allocation review Review the comprehensive capital

allocation process focusing on internal controls and potential

process improvement recommendations. Evaluate the capital

request and approval process, committee and approval structure

and return on investment tracking.

How does the organization manage capital allocation requests

Yf\o`Ylakl`]hjg[]kk^gjhjagjalaraf_l`]e7

How does the capital allocation process mirror the goals and

kljYl]_a]kg^l`]gj_YfarYlagf7

Global costing review Review the policies and internal controls

g^l`]hjg[]kklgegfalgj[gklYf\hjglYZadalqeYj_afZqhjg\m[l

line/service. Evaluate the organizations internal control structure

and provide potential process improvement recommendations for

a\]fla]\[gfljgd_Yhkgj\][a]f[a]k&

O`Ylakl`]hjg[]kk^gj\]l]jeafaf_l`]hjglYZadalqeYj_af!

_gYdZqk]jna[]'hjg\m[ldaf]7

Are controls related to margin analysis designed and operating

]^^][lan]dq7

9j]l`]j]ghhgjlmfala]klgaf[j]Yk]l`]]^[a]f[qg^[gfljgdk7

Treasury process review The internal audit team focuses on

the business process and controls for cash forecasting, funding,

hedging and derivatives, and compliance with applicable debt

covenants. Additional focus is given to the vetting and granting

of credit to customers (if owned by Treasury).

O`ggofklj]YkmjqYf\akalY_dgZYdhjg[]kk7

@go\go]egfalgjl`]Y[[mjY[qg^[Yk`^gj][Yklaf_7

O`YlYj]l`][gfljgdkafhdY[]lgYkk]kkl`]lj]Ykmjqhjg[]kk7

O`YlY[lagfkogmd\Z]j]imaj]\lgY\\j]kkl`]akkm]_Yhk7

O`Ylogmd\Z]l`]Z]f]lkg^Y\\j]kkaf_l`]a\]fla]\_Yhk7

Finance benchmarking assessment As the organization

h]j^gjekYZ]f[`eYjcaf_Ykk]kke]flg^alkfYf[]^mf[lagf$

internal audit has a role in the compliance and controls

workstream. The team focuses on benchmarking the

organizations cost of controls relative to its competitors and

industries. Additional feedback is provided on the utilization ofl][`fgdg_qafl`]fYf[]hjg[]kk]kYmlgeYl]\[gfljgdk$

continuous control monitoring).

What is the companys total spend on the planning, execution

Yf\egfalgjaf_g^[gfljgdkYf\[gehdaYf[]7

@go\g]kgmjkh]f\[gehYj]oal`gmjh]]jk'af\mkljq7

Akl`]j]Yfghhgjlmfalqlgd]n]jY_]Y\\alagfYdYmlgeYlagf7A^

kg$o`]j]Yf\`go7

Opportunities for integrated audits between IT and operational audit Audit was frequently mentioned in survey of leading IA organizations


10/40


Tap

Tax risk goes well beyond the tax technical application of the law.

Factors that contribute to increased pressure on organizations to

develop and maintain an effective tax risk management strategy

include expanding business operations, increasingly complex tax

d]_akdYlagfYf\j]_mdYlagfk$ka_fa[YflY[[gmflaf_\]n]dghe]flk$

expanding global internal control and tax authority regimes and

greater transparency and increased accountability to stakeholders.

Interestingly, since the inception of reporting under Section 404

of the Sarbanes-Oxley Act (SOX 404), tax reasons have accounted

^gjYZgml+(g^Y\n]jk]ghafagfkd]\mf\]jKGP,(,]Y[`q]Yj

and continue to be a leading cause of restatements.

L`]fYf[aYd[jakak`YkZjgm_`lYZgmlYfmhla[caf_dgZYdarYlagf$

[Ymkaf_YdYj_]k`a^laf[YhalYdgoklgoYj\]e]j_af_eYjc]lk&

Policy-makers in emerging markets are rapidly enacting mechanisms

to capture their fair share of the global tax pie. In many mature

markets, governments have an urgent need to increase revenues.

As a result, they are attempting to raise taxes and intensify

enforcement for companies operating within their borders.

It is in this context that the following tax topics are receivingattention across the enterprise and should be considered during

the risk assessment and potentially in the audit plan:

Failure to integrate tap in large global initiatives Large

initiatives such as moves to a shared service environment,

implementation of an ERP or supply chain transformation

are all examples of initiatives that are critical for tax to be

involved in up front. Where tax is not involved, tax compliance

akkm]k$hjg[]kkaf]^[a]f[a]kgjYdY[cg^YnYadYZd]\YlY^gjlYp

purposes all emerge as concerns for the organization.

Dack of availability of data Tax is one of the largest

consumers of data within any organization. A lack of accurate

and accessible transactional data for tax purposes is a top root

cause of tax compliance issues, not to mention a driver

g^af]^[a]f[a]kYf\]p[]kk[gkl^gjl`]gj_YfarYlagf&

Transfer pricing While tax owns the transfer pricing policy, it

akl`]Zmkaf]kkl`Ylaklqha[YddqYkc]\lg\]f]Yf\]p][ml]l`]

controls that ensure compliance with the policy. Therefore, a

key risk related to transfer pricing remains the ability to sustain

transfer pricing controls. Operationally, a lack of transparency

aflgljYfk^]jhja[af_hjgl\m]lgYdY[cg^\YlY!g^l]fd]Yn]k

the organization waiting until it is too late to make changes to

prices or controls. Transfer pricing risk is compounded by tax

authorities with very divergent goals.

VAT and other indirect tapes These transactional taxes

continue to create risk due to the fact that heavy reliance is

placed on the accuracy of information in the business to comply.

While tax can provide direction and guidance related to indirect

taxes, it is the transactions being executed by the business that

drive compliance, and organizations often do not have the right

processes and controls in place. Identifying the right structure

(in the business, versus within tax) to manage VAT and indirect

tax is a complex issue companies continue to assess.

Tap complepity in :razil and Datin America Latin America,Yf\kh][a[Yddq:jYrad$[gflafm]klghj]k]flY_j]Yl]jd]n]dg^

tax risk for organizations. This is driven by the complexity of tax

rules, a lack of resources familiar with both US and Brazilian tax

rules in the region and governmental policy decisions.

Other risks that continue to receive attention include: failure to

identify tax planning opportunities and manage tax obligations

across all jurisdictions; failure to manage non-income tax

obligations like customs duties; failure to track the movement

of expatriates and assets across foreign tax locations, resulting

in permanent establishment or nexus issues; and/or a lack of

resources with tax accounting skills in foreign jurisdictions.

The management of tax risk is complex and requires the participation

of different constituents with the requisite skills partnering with the

business and tax department to properly assess, remediate and

monitor these risks. Internal audit can, and should, play an integral

role in the organizations broader tax risk management approach.


11/40


Jecommended readingwww.ey.com/US/en/Services/Tax/Tax-Library


Transfer pricing audit This audit is not just an assessment

of the companys compliance with policy but a broader look at the

processes, controls and data in place to sustain compliance. Assess the

accuracy, completeness and availability of data used to understand

ljYfk^]jhja[af_hjgleYj_af$[gfjeafnga[]kY[[mjYl]dqj]][l

transfer prices, and evaluate the design and operating effectiveness

of managements monitoring processes, including reports and

periodic meetings to monitor performance. An emerging area of

risk to consider would be the harmonization of transfer pricing and

custom valuations.

Akl`]\YlYl`Ylakf]]\]\lgmf\]jklYf\ljYfk^]jhja[]hjglYZadalq

YnYadYZd]Yf\Y[[mjYl]7

What controls are in place within the business to monitor transfer

hja[af_[gehdaYf[]7

What can be done to improve the accuracy of transfer prices and

j]\m[]^j]im]fl[`Yf_]klgljYfk^]jhja[]kgjq]Yj%]f\kmjhjak]k7

Is the organization at risk for inconsistent transfer pricing and

[mklgenYdmYlagfk7

Tax data assessment Evaluate the availability, completeness

and accuracy of data needed to comply with tax regulations.

L akYm\alak]p][ml]\Zqjklmf\]jklYf\af_l`]kgmj[]g Ydd\YlY

necessary for tax (determined in coordination with tax or third

party). The team then evaluates gaps in either the completeness,

accuracy and availability of data and articulates the impact of the

gap. Management can use the results of this audit to evaluate future

Y[lagfkYf\l`]Z]f]lkg^Y\\j]kkaf_l`]_Yhk&

What data and related data resources are the most critical to

]^[a]flYf\]^^][lan]lYp[gehdaYf[]oalàfl`]gj_YfarYlagf7

Where does a lack of data availability, completeness or accuracy

[j]Yl]af]^[a]f[a]k^jgeY[gklgjlae]klYf\hgafl!^gjl`]

gj_YfarYlagf7O`Ylakl`]aehY[lg^l`gk]af]^[a]f[a]kYf\o`q

\gl`]q]pakl7

@go[Yfl`]_YhkZ]Y\\j]kk]\$Yf\o`Ylogmd\Z]l`]Z]f]lk

g^Y\\j]kkaf_l`]e7

VAT (indirect taxes) Perform an end to end process review of the

companys VAT tax process. This includes evaluation of how data

is compiled, processed and ultimately reported to tax authorities.

;gfjel`YlYhhjghjaYl][gfljgdk$l][`fgdg_q$[geh]l]f[a]kYf\

hjg[]kk]k]pakllg]^[a]fldq[gehdq&LàkYm\aleYqYdkgj]kmdlaf

opportunities for substantial cost savings by improving the accuracy

Yf\]^[a]f[qg^l`]N9LlYphjg[]kk&Gl`]jYj]Ykgâf\aj][llYp

such as sales and use tax could also be considered for this audit.

Is data needed for VAT purposes captured accurately and

[gehd]l]dq7

9j][gfljgdkafhdY[]lg]fkmj]N9Lak[Yd[mdYl]\Y[[mjYl]dq7

Who owns VAT processes and do they have the necessary skills

lg]fkmj][gehdaYf[]7

9j]l`]j]ghhgjlmfala]k^gj[gklkYnaf_kj]dYl]\lgN9L7

Tax compliance audit Evaluate the tax provision and other tax-

[gehdaYf[]%j]dYl]\hjg[]kk]klg[gfje[gfljgdkYj]\]ka_f]\Yf\

operating effectively. To add value to the organization, identify

ways in which controls can be further optimized for adequate risk

[gn]jY_]oàd]af[j]Ykaf_]^[a]f[q&

@go]^[a]flakl`]hjg[]kklg[gehad]\YlY^gjl`]lYphjgnakagf7

Akl`]j]_dgZYdnakaZadalqaflgl`]hjg[]kk7

Are controls related to compliance designed and operating

]^^][lan]dq7

9j]l`]j]ghhgjlmfala]klgaf[j]Yk]l`]]^[a]f[qg^[gfljgdk7

Af\aj][lLYp:ja]f_2

a review of global indirect tax

developments and issuesIndirect Tap:riengA review of global indirecttap developments and issues

Issue5tAugust *()*

Navigating a complex tax

controversy environment

Inthisissue:

2 Ernst&Youngtaxcontroversysurveyaneweraof taxriskand

mf[]jlYaflq2 \]faf_l ]businessimperative

4 IRSpracticeandprocedures

;à]^ ;gmfk]dakkm]kfgla[]gf

9hh]Ydk]phYjl][geemfa[Ylagfk

AJKoal`\jYok;AHgf[gkl%k`Yjaf_Zmq%afljYfkY[lagfk

AJKj]nakalkj]k]Yj[`[j]\alj]^mf\[dYaek

10 Transferpricing

enforcementtrends

Hjagjala]klg]f`Yf[]l`]EmlmYd9_j]]e]flHjg[]\mj]

13 Penaltycorner

Oà[`h]fYdlqYhhda]k

mf\]jhYqe]flgj]p[]kkan]j]^mf\715 Courts

20 Legislative,regulatoryand

gl ]j_ma\Yf[]F]odqj]d]Yk]\lYf_aZd]

hjgh]jlqj]_mdYlagfk

26 Ernst&YoungLLPaddsnew

taxcontroversytalent

Summer2012

Wearepleasedtopresentthelatest issueofournewsletterdedicatedtotax controversyand

relatedrisks.Asbusinessmodelsgrowincomplexityandgeographicreach,the challengesYf\jakckj]dYl]\lglYp[gfljgn]jkqaf[j]Yk]ka_fa[Yfldq&L`]j]Yj]fYf[aYdYko]dd Yk

j]hmlYlagfYdjakckl`Yl[YfZ][gkldq a^fgleYfY_]\hjgY[lan]dq&L`]klYc]kYj]à_`$l`]

rulesarenotalwaysclear,anditcan bechallengingtokeepup withallofthe changesinIRSprocedures,toolstoresolvedisputes,andthevariousrolesand responsibilitiesoftheteams

Yf\eYfY_]jk&Làkf]okd]ll]jakafl]f\]\lg`]dh qgmc]]hmhlg\Yl] gfl`][`Yf_]kaf AJKinitiativesandenforcementfocus,courtdecisionsandtheir implications,regulatorychanges,

andotherinformationthatcanhelp youmakeinformeddecisionsaboutmanagingtaxcontroversyandrelatedrisk.

L`]AJKj][]fldqj]n]Yd]\l`Yll`]l`j]]lgh Yj]Ykg^mf[]jlYaflYphgkalagfk\ak[dgk]\gf>gje))*(MLHYj]l`]j]k]Yj[`[j]\al$ljYfk^]jhja[af_$Yf\akkm]kj]dYl]\lg AJ;k][lagf

).*$ljY\]gjZmkaf]kk]ph]fk]k&Aflàk]\alagf g^gmjf]okd]ll]j$qgmoaddf\Yjla[d]kj]dYl]\lgl`]k]l`j]]Yj]Yk&9dkgaf[dm\]\ak YkmeeYjqg^l`]f\af_k ^jgegmj*())*()*LYpjakc

andcontroversysurvey.Seehowyourcompanycompareswiththeperspectivesof500tax\aj][lgjkYf\;>Gko`ga\]fla]\l`]ajlgh jakcYj]YkYf\lj]f\kl`Yll`]qgZk]jn]&Qgmoadd

alsoseewhattaxauthorities,taxpolicy makersandauditcommitteemembersconsidertobetheirkeychallenges.

L`]j]Yj]ka_fa[Yfl[`Ydd]f_]kafeYfY_af_lYpjakc Yf\[gfljgn]jkqaflg\Yqk][gfgea[andglobalenvironment.However,withthosechallengescomeopportunitiestodealwithtax

[gfljgn]jkqegj]]^[a]fldqYf\]^^][lan]dqafl`]MKYf\ gfY_dgZYdZYkak& O`]l`]jqgmoYfllgeYc]Yka_fa[Yflkà^l afqgmjj]dYlagfkàhYf\hjg[]kkaf \]Ydaf_oal`lYpYml`gjala]k$gj

justwanttoimprovetheprocessto obtaincertaintysooner,knowledgeofthetoolsavailableYf\`golgfYna_Yl]l`jgm_`l`] gj_YfarYlagfak]kk]flaYd&O]`gh]l`Ylqgm f\làk

informationhelpful.

Ifyouhaveanyquestionsor feedbackrelatedtothisnewsletter,pleasefeelfreeto

[gflY[lgmjLYp;gfljgn]jkqYf\JakcEYfY_]e]fld]Y\]jkj]^]j]f[]\Yll`]]f\ofthispublication.

DeborahNolan9e]ja[YkLYp;gfljgn]jkqD]Y\]j

Tax controversy andrisk management review

Navigating a complex taxcontroversy environment



12/40


Sustainability

Awareness of environmental issues and the increased focus onthe scarcity of natural resources has brought sustainability to theforefront for many organizations. In a recent review of the proxystatements of the Russell 3000, more than 900 shareholderproposals were submitted on environmental and social topics, themost across the four major proposal categories (environmental/social, board-focused, compensation and anti-takeover/strategic

proposals). This shift was attributed to growing support frommainstream investors on environmental/social topics as wellas widespread corporate recognition of the business case forsustainability. Additionally, legislation such as the Dodd-Frank9[lYf\\ak[dgkmj]j]imaj]e]flkgf[gfa[leaf]jYdk`Yn]increased the risk in this area.

As the focus on sustainability grows, key topics continue to emerge:

Managing the global supply chainL`]j]akka_fa[Yflafl]j]klin how organizations are identifying and mitigating risks relatedto sustainability of their supply chain. Stakeholders are focusedon sustainability reporting, environmental impacts and human/labor rights and working conditions. Companies are frequentlybeing asked for disclosure of supply chain practices and/orrelated risks.

Dinking executive compensation to sustainability metrics To drive sustainable change through the organization, theexecutives must be properly incented and measured. Leadinggj_YfarYlagfkYj]af[gjhgjYlaf_fgffYf[aYdh]j^gjeYf[]metrics into their executive compensation programs a trendthat will only increase as sustainability grows in importance.

Including environmental'social considerations in employeeiualication Stakeholders are seeking information on howorganizations link their overall business strategies withenvironmental/social matters.

Conict minerals Section 1502 of the Dodd-Frank Act requires

certain public companies to provide disclosures about the use of[gfa[leaf]jYdk^jgel`]


13/40



Corporate responsibility audit Evaluate the processesfor developing and issuing the corporate responsibility report.Additional focus will be given to the metrics utilized in the report,hjg[]kk^gj[gdd][laf_l`akaf^gjeYlagf$Yf\l`]n]ja[Ylagfg^the completeness and accuracy of this data. The internal auditteam should evaluate the gaps in completeness, accuracy and/oravailability of the data required to issue the report.

Who is responsible for developing and issuing thej]khgfkaZadalqj]hgjl7

What are the key performance indicators and metricskmhhgjlaf_l`]j]hgjl7

How does the company determine that the informationaf[dm\]\afl`]j]hgjlak[gehd]l]Yf\Y[[mjYl]7

What controls are in place within the business to monitorl`]j]hgjl7

What can be done to improve the accuracy and timelinessg^l`]j]khgfkaZadalqj]hgjlaf_hjg[]kk7

Energy management audit The internal audit teamYkk]kk]kl`][gehYfqk[mjj]fl]f]j_qmkY_]Ylka_fa[Yfllocations, as well as their efforts to reduce energy usage.The internal audit team focuses on the companys energymanagement strategy, how it is implemented, the metrics usedlgljY[cmkY_]Yf\j]\m[lagfk$Yf\l`]jYea[Ylagfkg^gn]jY_]kand missed projections.


14/40


Customer

While customers are clearly some of the most valued stakeholders

of any organization, conversation related to customer risk is often

limited to pricing compliance, sales commissions and rebates/

marketing incentives versus broader operational and strategic

concerns. The areas of customer can be compartmentalized as

follows: customer strategy, customer experience and insight,

and sales and marketing productivity. Below we touch on each of

these areas and provide insight into how to broaden the typical

customer-related audits and add value to the organization.

Customer strategy

Acquiring, maintaining and expanding relationships with customers

are extremely competitive aspects of any business. There are

ka_fa[Yfljakck^jgel`]\][akagflg]fl]jYeYjc]lYf\a\]fla^q

its customers) to the decision to exit a particular product line or

service that organizations must continually evaluate:

Market effectiveness and return%on%investment In a

stagnant economy, there is continued risk related to

unproductive use of funds for marketing purposes and an

inability to effectively measure return on investment. Internalaudit can help manage this risk by assessing ROI and the

organizations processes to allocate marketing spend. This is

in addition to more traditional marketing and advertising

contract audits for potential cost recovery.

Hricing strategy and improvement opportunities The lack of

information to make pricing decisions (primarily total cost data),

a disconnected pricing strategy and poor implementation of

the pricing strategy through sales channels and contracting

[j]Yl]ka_fa[Yfljakcoal`afl`]gj_YfarYlagf&

Hroduct innovation and life cycle management As

organizations focus on improving margin through customer-

based product innovation, the risk that product innovation isdisconnected from the customer or not fully integrated with

the necessary business functions emerges.

Digital marketing strategy Marketing went digital long ago,

but in todays rapidly evolving technological world, failure to

keep the strategy up to date is a key risk. With social media

emerging as a primary way for customers and organizations

to connect, the risks related to customer, HR, legal and IT will

continue to blur.

Customer experience and insight

With growing pressures on product margins, an increasingly diverse

customer base, and rising costs to acquire new customers, more

and more companies are differentiating themselves by gathering

additional customer insight to improve their customer experience.

Companies must be in tune with the real-time experiences and

feedback of their customers, and the value of this informationmust be leveraged and capitalized on.

Based on these focus areas, organizations need to consider the

following risks:

Failure to properly segment and understand customers

Organizations may not truly understand the characteristics

and needs of their customers, thus resulting in poor pricing

Yf\eYjc]laf_kljYl]_a]kYf\Y\jghafhjglYZadalq&

Customer support Poor customer support can quickly

j]\m[][mklge]j[gf\]f[]Yf\]jg\]hjglYZadalq&

Dack of proactive metrics to measure performance

Identifying the right metrics to proactively provide management

with an indication of performance is critical and often an area

organizations struggle with.

Sales and marketing productivity

>gjegklgj_YfarYlagfk$Yka_fa[YflYegmflg^[YhalYdakkh]flgf

sales and marketing to attract, retain and expand relationships

with customers. Organizations must develop the appropriate

metrics and reporting to monitor the effectiveness of their sales

forces and marketing materials. There are a number of focus areas

related to sales and marketing productivity that the internal audit

department should be aware of:

Sales productivity improvement This area includes developing

and sustaining the right account strategy and opportunity

sizing processes. This also includes understanding where and

how members of the sales force utilize their time and how it

aligns to the overall account and opportunity sizing process.

Sales organization structure This relates to having the right

sales force structure and span of control sizing to deliver on

sales goals.

Sales performance management To obtain the most from

the sales organization, its important to have clear roles

\]f]\Yf\Y^gjeYd[Yj]]jhYl`af_hjg[]kk&KYd]ke]lja[k

and incentive compensation must be aligned to the overall

organizational goals to drive the right behavior. This is a

critical risk area for members of the sales organization.


15/40

1+Insights on governance, risk and compliance | May 2013

This time its personal: from

consumer to cocreator

www.ey.com/GL/en Services/Advisory/This-time-its-personal--from-consumer-to-co-creator

Jecommended reading


Marketing effectiveness and ROI review This audit includesreviewing the process to develop key marketing programs andthen assessing managements ability to measure the success.Also included in this audit may be an assessment of keycontracts with marketing and advertising vendors. This portionof the audit would be structured as a more traditional contractcompliance review.

Are marketing programs developed and approved in[gehdaYf[]oal`[gehYfqhgda[a]kYf\hjg[]kk]k7

Do program incentives drive customer behavior that is alignedlg[gjhgjYl]kljYl]_q7

Are marketing and advertising providers delivering on[gfljY[lmYdl]jek7

How effectively does the organization measure ROI associatedoal`ka_fa[YfleYjc]laf_hjg_jYek7

Product innovation audit Evaluate the processes and controlsrelated to the organizations ability to innovate. This audit wouldYkk]kkl`]]^^][lan]f]kkg^l`]klY_]Yf\_Yl]khjg[]kk\]f]\and, most importantly, how well the innovation process isintegrated across business functions.


16/40


Corporate

development

In the ever-changing economic world, the corporate development

function is more crucial than ever. Corporate development serves

as the lifeblood for an organization by providing strategic advice to

the board, actively managing the organizations portfolio, divesting

non-core assets and pursuing acquisitions to deliver increased

nYdm]lgl`]Zmkaf]kk&Afl`ak[gehd]pYj]Y$l`]j]Yj]Yka_fa[Yfl

number of potentially material risks. In the following section, weidentify these risks and the audits that may be performed to deliver

additional value to the business.

Divestitures

As organizations focus on preserving, optimizing and raising

capital, they often use divestitures to strategically manage their

portfolios. Deciding when and how to sell an operating unit can be

]plj]e]dq\a^[mdl&9k[gehYfa]k[gflafm]lgjYlagfYdar]l`]aj

product portfolio based on internal and external factors, internal

audit may play a role in enhancing managements credibility and

preparedness. By focusing on the right areas, the internal audit

team may assist in preserving the deals value and maximizing the

after-tax proceeds for the organization. By remaining an active

participant in the process, audit may help to mitigate the risks to

the organization in the following areas:

Carve-out nancial statements Being able to appropriately

value the carve-out business requires the organization to have

l`]f][]kkYjq\YlYYf\fYf[aYdaf^gjeYlagf&G^l]fl`akakY

ka_fa[Yfl]^^gjl^gjl`]gj_YfarYlagf\m]lg`goalakk]lmh

(e.g., systems, consolidation process).

Tax analysis The structuring of the divestiture transaction

`YkYka_fa[YflaehY[lgfl`]lYpaehda[Ylagfkg^l`]\]Yd&

Most transactions involve businesses with operations in multiple

countries, further complicating the process and enhancing therisk to both the organization and acquiring company.

Buyer diligence After deciding to divest of a portion of its

portfolio, an organization must have an approach to dealing

with the buyer diligence process. Decisions on the amount and

type of information to be shared, and at what point in the

divestiture life cycle it will be shared, must be made prior to the

a\]fla[Ylagfg^hgl]flaYdZmq]jk&

Operational preparedness As a company or business unit is

divested from an organizations portfolio, the remaining business

must have the appropriate processes and controls in place to

ensure that it is prepared to operate post-transaction close.

Mergers and aciuisitions

As the business landscape continues to become more and more

competitive, organizations are looking for ways beyond organic

growth to continue to meet and exceed their goals. In a recent

survey of US companies, 76% believe the global economy shows

no signs of improvement. Mergers and acquisitions are viewed as

one route to help companys meet their targets and continue todeliver value to their shareholders. Organizations must be

actively monitoring the M&A market in emerging markets. For

instance, Brazil has seen year-over-year M&A activity increase

16%. The acquisition and integration of a business or segment

afngdn]kka_fa[Yfljakcl`jgm_`gmll`]hjg[]kkYf\emklZ]

tightly monitored by the organization:

Validate reiuirements and understand the issues for the

transaction As organizations initiate the process to identify

hgkkaZd]Y[imakalagflYj_]lk$l`]j]akka_fa[Yfljakca^l`]

gZb][lan]kYf\_gYdk^gjl`]ljYfkY[lagfYj]fgl[d]Yjdq\]f]\

at a detailed level.

Herform due diligence of potential targets Organizations

emkl`Yn]Y\]f]\YhhjgY[`lgh]j^gjeaf_\m]\ada_]f[]Yf\

fYf[aYdYfYdqkakg^l`]a\]fla]\lYj_]lk&L`]qemkl`Yn]

hj]nagmkdqa\]fla]\l`]af^gjeYlagfl`Yll`]qf]]\Yf\l`]

process they want to go through in order to successfully

evaluate the target.

Jeview potential compliance and regulatory issues that may

arise from aciuisition When considering a potential target,

the company should be aware of and actively managing the

compliance and regulatory issues that may arise as a result of

the transaction.

Continue ongoing support of the business and its integrationstrategy For the transaction to be truly successful, the

gj_YfarYlagff]]\klg`Yn]Y\]f]\hdYf$hjg[]kkYf\[gfljgdk

in place to assist with the transitioning of the target. The

transaction is not truly complete until the target is operating

like other segments of the organization.

Would-be buyers should also perform anti-corruption due diligence

YkYjklkl]haf[gfka\]jaf_\]YdkYZjgY\&L ak\m]\ada_]f[]k`gmd\

Z]h]j^gje]\hjagjlgljY\alagfYdfYf[aYd\m]\ada_]f[]g^Y

potential target. This is especially important given the potential for

successor liability of an acquired organization, and is an area where

afl]jfYdYm\al[YfZ]g^ka_fa[YflnYdm]lgl`]gj_YfarYlagf&


17/40


Jecommended readingwww.ey.com/US/en/Services/Transactions/Corporate-Development


Merger and acquisition process integration review

This audit is focused on evaluating the organizations

process to integrate operations, technologies, services

and product lines after the transaction has closed. The internal

audit team focuses on the policies and procedures in place tomake the transaction as seamless as possible. Additionally,

l`]afl]jfYdYm\all]Yeoaddj]na]ol`]\]f]\c]qh]j^gjeYf[]

indicators (KPI) for the integration, as well as the process

to monitor the KPIs.

O`YlYj]l`]\]f]\[gfljgdhgaflkafl`]afl]_jYlagfhjg[]kk7

Who is involved in the acquisition integration process and what

Yj]l`]ajjgd]k7

What are the KPIs to determine whether the integration is

km[[]kk^md7 How is the acquired organization transitioned to the companys

hgda[a]kYf\hjg[]\mj]kafYlae]dqeYff]j7

Are there any new reporting requirements or disclosures as a

j]kmdlg^l`]Y[imakalagf7

What is the process for assessing the culture of the target

organization and identifying the steps necessary to assimilate

l`]h]ghd]aflggmjZmkaf]kk7

Business development/due diligence assessment The internal

audit team will focus on the process and controls in place to

manage the business development life cycle from the

a\]fla[Ylagfg^lYj_]lgj_YfarYlagfklgl`]imYda[YlagfYf\

offer process. Additional consideration is given to the strategicdecision-making process for the allocation of capital.

What is the process and what are the controls for identifying

Yf\imYda^qaf_Y[imakalagflYj_]lk7

Who is responsible for monitoring the controls and how

]^^][lan]dqYj]l`]qgh]jYlaf_7

O`]j]\gnmdf]jYZadala]kgj_Yhk]pakl7 O`YlakZ]af_\gf]lgj]e]\aYl]l`]k]_Yhk7

Divestiture/carve-out review The internal audit team reviews

the process and controls in the divestiture/carve-out life cycle,

^jgej]na]og ]paklaf_Zmkaf]kkmfalk'k]_e]flklgl`]imYda[Ylagf

of potential buyers and the offer process. The team focuses on

l`]hjg[]kkYf\[gfljgdkafhdY[]\mjaf_l`]a\]fla[Ylagf$YfYdqkak

and potential sale/closing of the operations/business unit. A

focus is placed on the carve-out life cycle, including strategic

analysis, opportunity analysis, transaction development,

negotiation advice and execution, and measuring and monitoring

g^ljYfkY[lagf]^[a]f[qYf\]^^][lan]f]kk&

Akl`][Yjn]%gmlda^][q[d] gjeYddq\]f]\Yf\Y\`]j]\lg7

O`YlYj]l`]\]f]\[gfljgdhgaflkafl`]\an]klalmj]hjg[]kk7

Who is involved in the process and what is their level of

afngdn]e]fl7

O`YlYj]l`]c]qh]j^gjeYf[]af\a[Ylgjklg\]l]jeaf]km[[]kk7

Divesting for value

Fairness opinions:

the company is

about to enter into a

ka_fa[YflljYfkY[lagf

Fairness opinionsAnessentialservice

offeringfromErnst&Young

InvestmentAdvisorsLLP

The company is about to enter

into a significant transaction.

Yourshareholderswanttoknow.

Themarketplacewantstoknow.

Yourboardabsolutelymustknow.

Certainly,youbelieveitmustbe,orelsethetransactionwouldnot

beunderconsiderationormovingforward.

Butwillboardmembers,boardsubcommittees,shareholdersor

otherkeystakeholdersacceptyourexpertiseandobjectivityon

faithandreputationalone?Furthermore,canyouorthecompany

affordtheriskofbeingprovenwrongafterthefact?

Is it fair?

TransactionAdvisoryServices

Divesting for value



18/40


Navigating todays complex

business risks: Europe, Middle

East, India and Africa

Fraud Survey 2013

Fraud and

corruption

Companies must recognize that fraud awareness, prevention and

mitigation are everyday issues that need to be a permanent

plmj]gfl`]gj_YfarYlagfkY_]f\Y&;gehYfa]kemklZ]na_adYfl

in ensuring their compliance with regulatory and legal issues. The

Foreign Corrupt Practices Act (FCPA), enacted in 1977, prohibits US

[gehYfa]kYf\l`]ajkmZka\aYja]k$g^[]jk$\aj][lgjkgj]ehdgq]]k

^jgeZjaZaf_^gj]a_fg^[aYdk\aj][ldqgjaf\aj][ldq!^gjl`]

purpose of obtaining or retaining business. The FCPA has become

an enforcement priority for regulators and a major compliance

issue for US companies with global operations. The US Securities

and Exchange Commission (SEC) and the US Department of Justice

(DOJ) have stepped up their efforts to investigate and prosecute

Zmkaf]kk[gjjmhlagf$ka_fa[YfldqjYakaf_l`]j]hmlYlagfYdYf\

fYf[aYdjakcklg[gehYfa]k&Af*()($l`]K=;Yf\


19/40



Supplier management review Evaluate the process

management has put in place to qualify and accept suppliers,

kh][a[Yddq^g[mk]\gf:JA;:jYrad$JmkkaY$Af\aYYf\;àfY!

countries and other emerging markets (e.g., Africa). The internal

audit team will focus on the controls for ensuring that companypolicies and procedures are in place and being consistently

followed. Additional focus will be on the companys strategy to

track and handle supplier management in the highrisk locations.

This will include a review of supplier acceptance and the periodic

supplier continuance review process.

O`Ylà_`jakceYjc]lk\g]kl`]gj_YfarYlagfgh]jYl]af7

O`Ylakl`]hjg[]kk^gjY[[]hlaf_f]okmhhda]jk7

O`gakafngdn]\afl`]hjg[]kkYf\o`YlYj]l`][gfljgdkafhdY[]7

What is the process for validating continuing relationships

oal`kmhhda]jk7

FCPA program assessment The internal audit team would

review the companys approach to FCPA compliance. A detailed

review of the policy, procedures and internal controls in place to

remain compliant will be a focus of the team. The internal audit

team will review the companys training and education programs

for employees and third parties. Also, the team will focus on the

business approach to remaining up to date on all applicablelaws and regulations.

O`ggofkYf\akj]khgfkaZd]^gj>;H9[gehdaYf[]7

What is the organizations process for riskassessing the

[gmflja]kafoà[àlgh]jYl]k7

What is the process for ensuring the FCPA compliance

program remains up to date with any new legal or

j]_mdYlgjqj]imaj]e]flk7

Whistleblower audit The internal audit team would

focus on the companys compliance program with an emphasis

on the policies, procedures and internal controls of the program.

The internal audit team will review the whistleblower hotline,

managements response to new accusations and the process

lg^gddgohgl]flaYdakkm]ka\]fla]\l`jgm_`lg[gehd]lagf&

Additional focus will be given to the controls in place to ensure

Yfgfqealqgôàkld]Zdgo]jkYk\]f]\Zql`]dYo&

Who owns and is responsible for the companys compliance

hjg_jYe7

What is the process for a whistleblower to provide feedback

lgl`][gehYfq7

What controls are in place to ensure the program promotes

[gf\]flaYdalqg^l`gk]o`g[gflY[ll`]oàkld]Zdgo]j`gldaf]7

What is the process for following up on tips provided through

l`]`gldaf]Yf\gl`]je]\amek7

:mkaf]kkZja]f_2

foreign corrupt practices

act guidance issued

November2012Fraud Investigation &Dispute Services (FIDS)

Business briefing

Foreign Corrupt Practices Act

guidance issued

The fight against corruptionis alawenforcementpriority oftheUnitedStatesandwe willcontinue to make clear thatbribingforeignofficialsisnotanacceptableshortcut.Lanny A. Breuer November 14, 2012Assistant Attorney General, U.S.Department ofJustice Criminal Division

Investorsmust have faiththattheeconomicperformanceofpublic companiesreflectslawfulconsiderationsof markets, priceandproductratherthanamirageresultingfrombriberyandcorruption.Robert Khuzami November 14, 2012Director, U.S. Securities and ExchangeCommission Division of Enforcement

OnNovember14,2012,theU.S.DepartmentofJustice(DOJ)andtheU.S.SecuritiesandExchangeCommission(SEC)jointlyreleasedAResourceGuidetotheU.S.ForeignCorruptPracticesAct,(Guide).TheGuidedemonstratestheirsharedcommitmenttofightingcorruptionthroughcontinuedvigorousenforcementoftheForeignCorruptPracticesAct(FCPA).

Aftermanyyearsofrequestingadditionalguidance,thebusinessandlegalcommunitiesnowhaveacomprehensivedocumentsummarizingtheapproachandprioritiesoftheDOJandSECinFCPAenforcement.ThiswidelyanticipatedGuidedoesnthavetheforceoflawbutdoesrepresenttheevolvingviewsofDOJandSECfromyearsofenforcementactivityandreviewsofprivateandpubliccompaniesanti-corruptioncomplianceprograms.

TopicsintheGuideinclude:

Globalanti-corruptionandinter-agencyefforts Discussionofkeyanti-briberyelementsand

accountingprovisions Affirmativedefenses Principlesofenforcement Penalties,sanctionsandremedies Hallmarksofaneffectivecorporatecompliance

program

FactpatternsandhypotheticalscontainedintheGuideillustratethegovernmentsinterpretationandapplicationoftheFCPAtocommonlyfacedcorruptionissues.

Perhapsmostsignificantly,theGuideunderscorestheimportanceofacompanyscomplianceprogramto

preventanddetectcorruptactivity.Thisviewisreinforcedthroughapracticalframeworkcompaniesofanysizecanusetoimplementrisk-basedanti-corruptionmeasures.

Corporatecompl ianceprogram sTheGuideprovideshallmarksorelementsofaneffectivecomplianceprogram.Indoingso,itsetsforthprinciplesthatareperhapsmoredetailedbutverysimilartotheAdequateProceduresguidanceissuedundertheUKBriberyActandtheOrganizationforEconomicCo-operationandDevelopmentsGoodPracticeGuidanceonInternalControls,EthicsandCompliance.

ManyprogramelementsintheGuidearesimilartoleadingpracticesadoptedbymanylargeglobalcompanies.TheGuideacknowledgesthatsmallandmedium-sizecompanieswillhavedifferentcomplianceprogramsfromlargemultinationalsandindoingsoimpliesthatcostandsizearefactorsinmeasurescompaniesshouldtaketoachievecompliance.

Itendorsestheconceptofriskassessmentasfundamentaltodevelopingastrongcomplianceprogram,statingthat[o]ne-size-fits-allcomplianceprogramsaregenerallyill-conceivedandineffectivebecauseresourcesinevitablyarespreadtoothin,withtoomuchfocusonlow-riskmarketsandtransactionstothedetrimentofhigh-riskareas.1

TenelementsofaneffectiveprogramaresetforthintheGuide:

1. Commitmentfromseniormanagementanda

clearlyarticulatedpolicyagainstcorruptionoftenreferredtoastoneatthetop,seniormanagementandboarddirectorsalikeareresponsibleforconveyingastrongmessagethatcorruptionwillnotbetolerated.

2. Codeofconductandcompliancepoliciesand

proceduresacodeofconductprovidesethicalguidelinesforthoseconductingbusinessonthecompanysbehalf.Acompanymayalsohavespecificanti-corruptionpoliciesandproceduresthataddressitsmostsignificantrisksandoutlineproperinternalcontrolsandmonitoringprocedures.

3. Oversight,autonomyandresources

responsibilityforthecomplianceprogramshouldbeassignedtoanappropriateseniorindividualorgrouptoprovidetheauthorityandautonomytooverseetheprogramandreporttothecompanysgoverningbody.

4. Risk a ssessmentacompanyscomplianceprogramshouldbedesignedaroundandcommensuratewithitsuniqueriskprofile,takingintoaccountfactorssuchasitssize,structure,industry,geography,interactionswithforeigngovernmentsandinvolvementofbusinesspartners.Athoroughriskassessmentaddsefficiencyandcredibilitytoanti-corruptioncomplianceefforts.

5. Trainingandcontinuingadvice acompanyshouldtakestepstoensurethatallemployeesareawareofthecompanysanti-corruptionpoliciesandprocedures,whichisoftenaccomplishedthroughperiodictraining.Certainkeyroles,suchasmanagement,sales,financeandbusinessdevelopmentpersonnel,mayreceiveenhancedtraining.

6. Incentivesanddisciplinaryactionstoavoidtheappearanceofapaperprogram,thecorporatecomplianceprogrammustbeenforcedunequivocallythroughouttheorganizationwithcleardisciplinaryproceduresforviolatorsappliedtimelyandconsistently.Also,positiveincentives,bothfinancialandothermerit-basedrewards,mayreinforceacultureofcompliance.

T

FraudInvestigation&DisputeServices

Forfurtherinformationplease contact:

Brian Loughman,

AmericasLeader

+1 212 773 5343 | [email protected]

Richard Sibery,

AmericasFraud&InvestigationsLeader


WilliamHenderson,

AmericasAnti-CorruptionLeader


Patrick OConnor,

AmericasBusinessDevelopment Leader


1AResource Guide to the U.S. Foreign Corrupt PracticesAct,Chapter5: GuidingPrinciples ofEnforcement,p.5.

Audit was frequently mentioned in survey of leading IA organizations


20/40


Information

security

Traditional security models focus on keeping external attackers out. The reality is that

there are as many threats inside an organization as outside. Mobile technology, cloud

computing, social media, employee sabotage these are only a few of the internal

threats organizations face. Externally, its not just about the lone hacker who strikes for

kicks. Overall, the risk environment is changing. Often, security professionals complain

that they are too busy reacting to immediate issues and have no time to anticipate what

may be lurking around the corner. To have any hope of protecting your organizations

critical assets, the business and security teams need to understand where youraf^gjeYlagfdan]k$afka\]gjgmlka\]&A\]fla^qaf_o`Ylqgmjgj_YfarYlagf[dYkka]kYkalk

most important information and applications, where they reside and who has or may

need access to them will enable the business to understand which areas of the security

program are most vulnerable to attack.

Although organizations have been dealing with opportunistic cyber attacks for years,

eYfqfgof\l`]ek]dn]kl`]lYj_]lg^egj]kgh`akla[Yl]\Yf\h]jkakl]fl]^^gjlk&L`]k]

attacks are focused on a single objective, often lasting over a long period of time and

until the desired target is obtained. They leave few signs of disturbance because they are

designed to remain hidden to acquire as much sensitive information as possible. In our

experience, those at the greatest risk are information-intensive entities or organizations

with intellectual property that is most attractive in emerging economies. Unfortunately,

many organizations have no idea they are compromised until it is too late.

In considering the audits below, IT internal audit can play a critical role in evaluating the

organizations information security strategy and supporting program and partnering to

improve the level of control.


Information security program assessment Evaluate the

organizations information security program, including strategy,

awareness and training, vulnerability assessments, predictive

threat models, monitoring, detection and response, technologies

and reporting.

@go[gehj]`]fkan]g^Yfaf^gjeYlagfk][mjalqhjg_jYe]paklk7

Is information security embedded within the organization, or is

alYfALgfdqj]khgfkaZadalq7

How well does the organization self-assess threats and mitigate

l`]l`j]Ylk7

Threat and vulnerability management program assessment

Evaluate the organizations threat and vulnerability management

(TVM) program, including threat intelligence, vulnerability

a\]fla[Ylagf$j]e]\aYlagf$\]l][lagf$j]khgfk]Yf\

countermeasure planning.

@go[gehj]`]fkan]g^YLNEhjg_jYe]paklk7

Is the TVM program aligned with business strategy and the risk

Yhh]lal]g^l`]gj_YfarYlagf7

Are the components of TVM integrated with one another, as

o]ddYkoal`gl`]jk][mjalqYf\AL^mf[lagfk7


21/40


Business

continuity

management

As organizations grow in size and complexity within the world of the extended

]fl]jhjak]$l`]aehY[lg^fgf%YnYadYZadalqg^Yfqj]kgmj[]k`YkeY_fa]\&@a_`%hjgd]

events caused by natural disasters and technology infrastructure failures have increased

awareness of the need to develop, maintain and sustain business continuity programs.

Although these large-scale events such as the March 2012 Japanese earthquake and

tsunami dramatically challenge the existence of some companies, there are smaller,

less impactful but more frequent disruptions that cause many executives to question

their organizations ability to react and recover. The big disasters, as well as these smaller

disruptions, have prompted leading executives to hope for the best but prepare for the

worst by investing in effective business continuity management (BCM).

Effective BCM is rising in importance on the corporate agenda. Volatile global economies

have shrunk margins for error. Companies that previously would have survived a

ka_fa[Yfl\akYkl]jgj\akjmhlagfeYqfgof\l`]kYe]]n]flhmk`af_l`]aj[gjhgjYl]

existence to the brink. Executives are realizing that effective BCM may be the only buffer

between a small disruption and bankruptcy. Ernst & Youngs 2012 Global Information

Security Survey found that BCM was once again viewed as the top priority in the next

12 months by survey respondents.

While BCM should be viewed as an enterprise-wide risk and effort, the reality is that it

is often IT that is asked to lead critical planning activities and serve as lead facilitator. ITsystems and disaster recovery procedures are a cornerstone of the broader BCM plan,

and thus, IT audit is well positioned to evaluate broader BCM procedures.


Business continuity program integration and governance

audit Evaluate the organizations overall business continuity

plan, including program governance, policies, risk assessments,

business impact analysis, vendor/third-party assessment,

strategy/plan, testing, maintenance, change management and

training/awareness.

Does a holistic business continuity plan exist for

l`]gj_YfarYlagf7

@go\g]kl`]hdYf[gehYj]lgd]Y\af_hjY[la[]7

Akl`]hdYfl]kl]\7

Disaster recovery audit Assess ITs ability to effectively

recover systems and resume regular system performance in the

event of a disruption or disaster.

Are disaster recovery plans aligned with broader business

[gflafmalqhdYfk7


22/40


Mobile

Mobile computing devices (e.g., laptops, tablet PCs, smartphones) are in widespread use,

allowing individuals to access and distribute business information from anywhere and

at any time. With the increase in mobile device capabilities and subsequent consumer

adoption, these devices have become an integral part of how people accomplish tasks,

both at work and in their personal lives. The increasing demand for information from the

mobile workforce is driving changes in the way organizations support and protect the

gogâf^gjeYlagf&Oal`Yfql][`fgdg_a[YdY\nYf[]e]fl[ge]kf]o[`Ydd]f_]k^gjl`]

enterprise, including:

Potential loss or leakage of important business information

K][mjalq[`Ydd]f_]k_an]fl`]jYf_]g^\]na[]k$gh]jYlaf_kqkl]ek$Yf\jeoYj]

limitations and vulnerabilities

Theft of the device due to the small size

Compliance with state, federal and international privacy regulations that vary from one

jurisdiction to another as employees travel with mobile devices

Navigation of the gray line on privacy and monitoring between personal and company

use of the device

IT internal audits knowledge of the organizations mobile strategy needs to evolve as

quickly as the mobile landscape. Evaluating these risks and considering the audits below

oadd`]dhYm\alY\\nYdm]lgl`]gj_YfarYlagfoàd][gfjeaf_c]qjakckYj]o]ddeYfY_]\&


EgZad]\]na[][gf_mjYlagfj]na]o Identify risks in mobile

device settings and vulnerabilities in the current implementation.

This audit would include an evaluation of trusted clients, supporting

network architecture, policy implementation, management of

dgklgjklgd]f\]na[]k$Yf\nmdf]jYZadalqa\]fla[Ylagfl`jgm_`

f]logjcY[[]kkaZadalqYf\hgda[q[gf_mjYlagf&

How has the organization implemented bring your own

\]na[]:QG

9j]l`]ja_`lhgda[a]k'egZad]kljYl]_a]kafhdY[]7

9j]egZad]\]na[]keYfY_]\afY[gfkakl]fleYff]j7

9j][gf_mjYlagfk]llaf_kk][mj]Yf\]f^gj[]\l`jgm_`hgda[q7

@go\go]eYfY_]dgklYf\klgd]f\]na[]k7

O`Ylnmdf]jYZadala]k]pakl$Yf\`go\go]eYfY_]l`]e7

Mobile application black box assessment Perform audit using

different front-end testing strategies: scan for vulnerabilitiesusing various tools, and manually verify scan results. Attempt to

]phdgall`]nmdf]jYZadala]ka\]fla]\afegZad]o]ZYhhk&

O`Ylnmdf]jYZadala]k[YfZ]km[[]kk^mddq]phdgal]\7

How do we respond when exploited, and do we know anafljmkagf`Ykg[[mjj]\7

Mobile application gray box assessment Combine traditional

source code reviews (white box testing) with front-end (black

box) testing techniques to identify critical areas of functionality

and for symptoms of common poor coding practices. Each of

these hot spots in the code should be linked to the live instance

of the application where manual exploit techniques can verify the

existence of a security vulnerability.

How sound is the code associated with the mobile applications

mk]\oalàfl`]gj_YfarYlagf7

O`Ylnmdf]jYZadala]k[YfZ]]phdgal]\oalàfl`][g\]7

Recommended reading

Mobile device security:

understanding vulnerabilities

and managing risk

www.ey.com/GRCinsights


23/40


Cloud

Many organizations are looking to cloud computing to increase the effectiveness of

ALafalaYlan]k$j]\m[][gklg^af%`gmk]gh]jYlagfk$af[j]Yk]gh]jYlagfYd]paZadalqYf\

generate a competitive advantage. This is attained by shifting to a user of IT services, as

organizations no longer need to build and maintain complex internal IT infrastructures.

Cloud computing is evolving at a fast pace, giving companies a variety of choices when

looking to restructure their IT organization. However, like most technology changes,

cloud computing presents its share of risks and challenges, which are too often

overlooked or not fully understood by businesses that are quick to embrace it. Theserisks and challenges include:

Providers not living up to service level agreements (SLAs), resulting in cloud

architecture or deployment challenges

Evolving cloud standards increasing the risk that a companys systems wont work with

the providers

Legal and regulatory risk in how information is handled in the cloud

Af^gjeYlagfk][mjalqYf\hjanY[qjakckYjgmf\l`][gf\]flaYdalq$afl]_jalqYf\

availability of data

Cloud adoption and change management within an organization

IT internal audit needs to understand how the organization is embracing cloud

technologies and the risks the business faces based on the adopted cloud strategy.


Cloud strategy and governance audit Evaluate the organizations

strategy for utilizing cloud technologies. Determine if the

appropriate policies and controls have been developed to

support the deployment of the strategy. Evaluate alignment

of the strategy to overall company objectives and the level of

preparedness to adopt within the organization.

Akl`]j]YkljYl]_qYjgmf\l`]mk]g^[dgm\hjgna\]jk7

Are there supporting policies to follow when using a cloud

hjgna\]j79j]hgda[a]kafl]_jYl]\oal`d]_Yd$hjg[mj]e]flYf\

ALhgda[a]k7

Cloud security and privacy review Assess the information

security practices and procedures of the cloud provider.

This may be a review of their SOC 1, 2 and/or 3 report(s), areview of their security SLAs and/or an on-site vendor audit.

Determine if IT management worked to negotiate security

requirements into their contract with the provider. Review

procedures for periodic security assessments of the cloud

provider(s), and determine what internal security measures

have been taken to protect company information and data.

Has a business impact assessment been conducted for the

k]jna[]kegnaf_lgl`][dgm\7

Does your organization have secure authentication protocols^gjmk]jkogjcaf_afl`][dgm\7

Have the right safeguards been contractually established with

l`]hjgna\]j7

Cloud provider service review Assess the ability of the

cloud provider to meet or exceed the agreed-upon SLAs in the

contract. Areas of consideration should include technology,

legal, governance, compliance, security and privacy. In addition,

internal audit should assess what contingency plans exist in

case of failure, liability agreements, extended support, andthe inclusion of other terms and conditions as part of the

service contracts, as well as availability, incident, and capacity

management and scalability.

What SLAs are in place for uptime, issue management and

gn]jYddk]jna[]7

@Ykl`][dgm\hjgna\]jZ]]fe]]laf_gj]p[]]\af_l`]KD9k7

O`Ylakkm]k`Yn]l`]j]Z]]f7

Does the organization have an inventory of uses of external

cloud service providers, both sponsored within IT or direct byl`]Zmkaf]kkmfalk7

Recommended reading

Ready for takeoff:

preparing for your

journey into the cloud



24/40


9kl`]ALjakchjgd]Yf\l`j]YldYf\k[Yh]jYha\dq[`Yf_]kYf\jakckaf[j]Yk]$[gehYfa]k

need to change their mindset and approach toward IT risk to address a new normal. Now

more than ever, IT issues are issues of importance to the C-suite. Boards of directors,

Ym\al[geeall]]k$_]f]jYd[gmfk]dkYf\[`a]^jakcg^[]jkf]]\lgogjcYdgf_ka\]AL

d]Y\]jkYf\af^gjeYlagfk][mjalqYf\hjanY[qg^[]jklg^mddqY\\j]kkl`]ajgj_YfarYlagfk

risk management level of due care, approach and preparedness and to implement an IT

risk management program that is adequate and effective in managing cyber risks. It iscritical that IT functions are able to effectively address the following questions:

Can you articulate your strategy to identify, mitigate and monitor IT risks to the

Ym\al[geeall]]7

@go\gqgmcfgol`Ylqgm`Yn]a\]fla]\Yddc]qALjakckl`Ylogmd\hj]n]fll`]

[gehYfq^jgeY[`a]naf_[gjhgjYl]kljYl]_a]k$gZb][lan]kYf\afalaYlan]k7

How do you make sure your risk framework continues to be relevant and continues

lga\]fla^qh]jlaf]fljakcklgc]]hl`][gehYfqgmlg^ljgmZd]7

The Securities and Exchange Commission, other regulators and the audit committee have

increased their focus on companies managing risks holistically. Company stakeholders/

shareholders expect the company to focus risk management activities and resources on

areas with the greatest impact. Internal audit is uniquely positioned to help drive growthand create value to the company through reviewing IT risk management activities.

IT risk

management

Recommended reading

The evolving IT risk landscape:

the why and how of IT risk

management today


Afka_`lk gj]p][mlan]k-Use governance, risk andcompliance technology to

turn risk into resultsImproveyourriskmanagementprogramandnancialperformance

Economicvolatility,shareholderdemandsandanincreasinglycompetitive

marketlandscapeareforcingorganizationstorethinktheirapproachto

risk.Moreandmore,companiesarerealizingthattheabilityto managerisk

hasaveryreal impactontheirbottomline.Infact,arecentErnst& Young

globalsurveyofmorethan250leadingorganizationsfoundadirectlink

betweeneffectiveriskmanagementpracticesandimprovednancialperformance.

However,forbusinessestoimplementeffectiveriskmanagement

practicesandreapthenancialbenets,theyllneedacomprehensiveandsustainablegovernance,riskandcompliance(GRC)processandtechnology

solution.

ArobustGRCtechnologysolutioncanhelpembedriskmanagement

requirementsandpracticesintodailybusinessactivities.Thiscanimprove

thecompanysabilityto: Identifyandrespondtorisk

Providegovernanceandoversight

Coordinateriskfunctionsandrequirements

Optimizeprocessesandcontrols

Ofspecialinterestto

Chiefexecutiveoffic ers

Chieffinancial officersHeadofin ternalaudit

Use governance, risk and

compliance technology to

turn risk into results

www.ey.com/5


25/40

2+Insights on governance, risk and compliance | May 2013


IT risk management strategy assessment Assess the

framework and process IT has embedded within the function to

assess and manage risks. Evaluate the actions taken to mitigate

risks and the level of accountability within the process.

@goo]dd\g]kALa\]fla^qjakck7

O`Ylak\gf]gf[]Yjakcaka\]fla]\7

9j]ALjakceYfY_]e]flhjg[]kk]k^gddgo]\7


26/40


InsightsonITriskBusinessbrieng

September2011

Building condencein IT programsFacilitating success through

program risk management

Program complexity is increasing at a faster rate than companies can adapt. While

companies have been cautious with investments over the last few years, investment

portfolios are now being expanded to keep up with emerging trends (e.g., shared service

centers, system implementations). As organizations continue to look for ways to take

[gklkgmlg^l`]Zmkaf]kk$l`]qYj]mf\]jlYcaf_ka_fa[YflafalaYlan]klgj]\]ka_fYf\

standardize business processes.

Kh][a[lgAL$?Yjlf]jhj]\a[lkkh]f\af_oaddaf[j]Yk]YlYfYn]jY_]jYl]g -&+h]jq]Yjthrough 2015. Gartner also indicates that approximately 20% to 50% of a companys

IT spending will be focused on programs and projects depending on an organizations

initiatives. However, organizations continue to fail to deliver on their large IT programs.

Approximately two out of three programs are not on budget, delivered too late and/or do

fgl\]dan]jl`]]ph][l]\Z]f]lk&DYkldq$/(g^l`]eYbgj]fl]jhjak]j]kgmj[]hdYffaf_

=JH!hjg_jYek^Yadlgj]Ydar]Yld]Ykl-(g Zmkaf]kkZ]f]lk&

O`ad][gehYfa]k`Yn]afn]kl]\ka_fa[Yfldqafaf[j]Ykaf_l`]ajcfgod]\_]Yf\

capabilities in program and project management, this is not visible in the success

rates. In our opinion, the lack of improvement is mainly due to increased complexity

in business processes and the emerging technology landscape. Organizations are still

failing to properly adapt their program approaches to this increased complexity. Research

indicates a strong link between program maturity capabilities and program execution and

eYjc]l[geh]lalan]f]kk&Afl]jfYdYm\al[YfhdYqYf]^^][lan]jgd]af[gfjeaf_l`]ja_`l

processes are in place to manage programs and those processes and controls are being

executed appropriately.

Strategy deployment

through portfolio

management: a risk-

based approach


Hrogrammanagement

Recommended reading

:mad\af_[gf\]f[]af

IT programs: facilitating

success through program

risk management



27/40



Project management methodology audit Assess the design

of processes and controls in place to manage projects against

leading practices.

Are the right processes and controls in place to provide

that projects are delivered on time, on budget and with the

ja_`lj]kgmj[]k7

9j][gfljgdkafhdY[]lge]Ykmj]Y[`a]n]\Z]f]lkY_Yafkl

afl]f\]\Z]f]lkY^l]jhjgb][l[gehd]lagf7

Project and program execution audit Evaluate common

areas of high risk on programs (e.g., third-party contracting,

business change, test strategy, data migration). Outputs provide

[gf\]f[]lgeYfY_]e]fll`Yl`a_`%jakcYj]Yk`Yn]Z]]f

af\]h]f\]fldq[`][c]\Yf\n]ja]\lgd]Y\af_hjY[la[]&

Is project/program management methodology being

^gddgo]\[gjj][ldq7

O`Ylak\gf]o`]fhjgb][lkYj]mf\]jh]j^gjeaf_7

@goakhjgb][ljakcYkk]kk]\Yf\eYfY_]\7

Portfolio risk review Review strategy, projects and

programs to assess alignment. This review focuses on

assessing the prioritization of the project portfolio in support of

increasing value and reducing the risk that the transformation

portfolio exposes.

Do the right governance processes exist to provide that

hjgb][lk'hjg_jYekYda_flg[gehYfqkljYl]_q7

@goakl`]hgjl^gdageYfY_]\Yk[gjhgjYl]gZb][lan]k[`Yf_]7

Shared service center review Evaluate the processes and

controls related to a shared service center implementation.

In-scope processes are assessed to verify that control points are

in place and have also been optimized to leverage available

technology (e.g., automated controls).

O`Ylakl`]hjg[]kk gjljYfkalagfaf_lgl`]k`Yj]\k]jna[][]fl]j7

O`Ylhjg[]kk]kYj]af%k[gh]7@Ykl`][gfljgd^jYe]ogjcZ]]f

j]na]o]\YkhYjlg^l`]ljYfkalagfhjg[]kk7

Akl`]j]Y[gfljgdkogjcklj]Ye^gjl`]aehd]e]flYlagf7

O`Yll][`fgdg_qakZ]af_mladar]\YkhYjlg^l`]ljYfkalagf7

Process redesign review Assess the businesss plan for

redesigning its business processes as part of a major initiative

(e.g., system implementation). The internal audit team focuses

on the project plan, management structure and approach to

redesigning the control framework for the in-scope processes.

O`gYj]l`]hjgb][ll]Yee]eZ]jkYf\o`YlYj]l`]ajjgd]k7

Akl`]j]Y\g[me]fl]\[gfljgdkogjcklj]Ye7

What is the process for leveraging automation and system

[gfljgdkafl`]j]\]ka_f]\hjg[]kk7

Opportunities for integrated audits between IT and operational audit


28/40


With increased focus on cost reduction in a global economy struggling to recover, effective

software asset management and IT asset management can have a very positive impact

by helping to reduce license-related expenses, improve IT service management by more

]^[a]fldqeYfY_af_ALYkk]lafn]flgja]k$Z]ll]jeYfY_][gehdaYf[]%j]dYl]\jakcYf\

]n]faehjgn]gn]jYddgh]jYlaf_]^[a]f[a]k&D]Y\af_AL\aj][lgjkYf\l`][`a]^af^gjeYlagf

g^[]jklgo`gel`]qj]hgjlYj]j]Ydaraf_l`Yl]^^][lan]dqeYfY_af_kg^loYj]Ykk]lk[Yf

be a strategic advantage. For example, effective asset management: Potentially reduces liability risk by maintaining license compliance and avoiding

related penalties

Lowers potential costs by helping to avoid license and other IT asset overbuying

@]dhklgegj]]^[a]fldqeYfY_]l`]gl`]joak]j]kgmj[]%\jYafaf_Yf\dYZgj%afl]fkan]

compliance processes

Limits potential reputational risks associated with license violations or compliance-

j]dYl]\[gfa[lkoal`n]f\gjk

Software licenses currently account for about 20% of typical IT costs, and the already

pervasive use of software continues to rise. At the same time, many IT directors are noticing

that their software vendors have become more diligent in ensuring that their customers

remain in compliance. IT leaders, members of the C-suite and shareholders have come to

expect increasingly more from their investments, including those which rely on IT functions.

As IT auditors, it is critical that software and IT asset management processes and controls

are well understood. Its not just about cost management strong IT asset management

processes affect the following, as examples:

IT service management IT asset management is critical to effectively locate and

service assets, replace and retire existing assets, etc.

Information security Without a clear view of existing IT assets and software, its

\a^[mdllghjagjalar]Yf\]nYdmYl]l`]Ykkg[aYl]\k][mjalqjakcg^l`gk]Ykk]lk&

IT contract management It is understandable that without an effective way to manage

Yfgj_YfarYlagfkALYkk]lk$aleYqZ]]imYddq\a^[mdllgmf\]jklYf\o`Yl[gfljY[lk]paklwith vendors for those assets, whether they are managed in a cost-effective manner and

whether any violations from contracts may exist.

Software'IT assetmanagement


29/40



IT and software asset management process and control

audit Assess the design and effectiveness of processes and

controls that IT has deployed related to software and IT asset

management. Review the impact of these processes on related

IT processes such as IT service management, IT contractmanagement and information security.

Do we have a comprehensive approach to IT asset and

kg^loYj]eYfY_]e]fl7

@goo]dd\go]eYfY_]kg^loYj]da[]fk][gklk7

Is there an IT and software asset management technology

kgdmlagfafhdY[]lgkmhhgjll`]k]hjg[]kk]k7A^fgl$k`gmd\l`]j]Z]7

Software license review H]j^gjeYj]na]og^ka_fa[Yfl

software license agreements (e.g., ERPs) and evaluate the

effectiveness of ITs software asset management process in

practice. Assess opportunities for cost reduction from improving

the management of software licenses.

Are there opportunities to renegotiate software licensing

agreements based on the way we actually utilize software

n]jkmkl`]oYqgja_afYd[gfljY[lko]j]f]_glaYl]\7

9j]o]nagdYlaf_Yfq]paklaf_[gfljY[lmYdY_j]]e]flk7

IT contract management assessment Evaluate the IT

organizations ability to manage contracts and how effectively

IT and supply chain coordinate to manage costs and negotiate

effective agreements.

Are IT asset and software contracts planned, executed,

eYfY_]\Yf\egfalgj]\]^^][lan]dq7

Are there shadow IT contractual agreements executed in

gl`]jhYjlkg^l`]gj_YfarYlagf7

Effective software asset

management: how to

j]YhalkZ]f]lk


Recommended reading

Opportunities for integrated audits between IT and operational audit


30/40


The social media elements that generate business opportunity for companies to extend

their brands are often the same elements that have created IT-related risk. Like the

borderless nature of social media itself, the various risks surrounding social media can

be borne by multiple enterprise functions at the same time, challenging companies to

understand how, when and where to engage their IT functions or plug risk coverage

gaps. Legal, compliance, regulatory, operational and public relations issues are at the top

of the list of potential IT-related social media risks that can ultimately cause erosion of

customers, market share and revenue. For example, on most of the popular sites (Twitter,

>Y[]ZggcYf\Dafc]\Af!$mk]jkYj]YZd]lg[j]Yl][gehYfqhjgd]kYf\[geemfa[Yl]gf

behalf of the organization through social media channels. This can create marketplace

confusion because of multiple messages and different audiences, policies and practices.

Gl`]jegj]kh][a[`]Y\daf]%_jYZZaf_]pYehd]kg^kg[aYd%e]\aY%j]dYl]\jakckaf[dm\]2

Employees involved in social media inadvertently leaking sensitive company information

;jaeafYd`Y[c]jkj]%]f_af]]jaf_[gf\]flaYdaf^gjeYlagf]&_&$dg_%afkYf\hYkkogj\k!

based on information obtained from employee post

Employee misuse of social applications while at work

Hacked, faked or compromised corporate or executive Twitter or Facebook fan page

or individual accounts Multiple platforms creating more access for viruses, malware, cross-site scripting

and phishing

Damage to a brand or company reputation from negative, embarrassing or even

incriminating employee or customer posts, even those that are well-intended

Failure to establish complete and fully compliant archiving and record-retention

processes for corporate information shared on social media, especially in the health

[Yj]$fYf[aYdk]jna[]kYf\ZYfcaf_af\mklja]k

IT is heavily relied on to enable social media strategies in coordination with marketing

strategies. It is critical that IT audit has an understanding of the organizations social

media strategy and the related IT risk and adds value by providing leading practice

enhancements and assurance that key risks are mitigated.

Social media

risk management


31/40



Social media risk assessment Collaborate with the IT

organization to assess the social media activities that would

create the highest level of risk to the organization. Evaluate the

threats to the organizations information security through the

use of social media. This audit may be combined with a sociale]\aY_gn]jfYf[]Ym\allgl`]f[gfjehgda[a]k`Yn]Z]]f

design

Key Considerations for Your Internal Audit Plan AU1607

Documents

Transcript of Key Considerations for Your Internal Audit Plan AU1607