Guidance for Audit Readiness



Similar documents
Table of Contents: Chapter 2 Internal Control

Contracting for Services

Information System Audit Report Office Of The State Comptroller

Mecklenburg County Department of Internal Audit. Park and Recreation Department Contract Management Investigation Report 1401

California Emerging Technology Fund Call for Resumes Bookkeeping, Accounting and Financial Management November 2010

Florida Agricultural & Mechanical University Board of Trustees Policy

Agenda Item: 7.6 Prepared by: Mark Majek, Kathy Thomas, Deborah Bell, Tamara Cowen and Jaye Stepp Meeting Date: October 2014

Office of Public Affairs Business Process Audit Final Report

European Investment Bank. Charter for Internal Audit

Charter of the Audit Committee of the Board of Directors of Woodward, Inc.

FINANCIAL MANAGEMENT POLICIES AND PROCEDURES


MEMORANDUM INTERNAL CONTROL REQUIREMENTS FOR NON-PROFITS

CMS DID NOT ALWAYS MANAGE AND OVERSEE CONTRACTOR PERFORMANCE

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Navy s Contract/Vendor Pay Process Was Not Auditable

1. This bulletin, which contains the Charter of the Office of Internal Oversight Services (IOS) of

IFMIS as a driver of change. Gert van der Linde AFTFM

INTERNAL AUDITING S ROLE IN SECTIONS 302 AND 404

SUBJECT: BUSINESS ETHICS AND REGULATORY COMPLIANCE PROGRAM & PLAN (BERCPP)

Quality Management Plan

Internal Control Guide & Resources

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.

Request for Proposals: Digital/Internet Literacy Training for Federal Stimulus Grant

DEPARTMENT OF TAXATION AND FINANCE SECURITY OVER PERSONAL INFORMATION. Report 2007-S-77 OFFICE OF THE NEW YORK STATE COMPTROLLER

Capital Area Council of Governments FY 2015 Cost Allocation Plan

How to set up a people based. accounting system that makes your. small business work for you. Thomas G. Post. Certified Public Accountant

WEB-BASED TIME AND ATTENDANCE & DCAA COMPLIANCE

UNIVERSITY HOSPITAL POLICY

UNIVERSITY COMPLIANCE PLAN

INDEPENDENT CONTRACTOR AGREEMENT - OR -

Develop and maintain systems of internal controls to ensure appropriate spending and to safeguard financial assets of the network.

Domain 1 The Process of Auditing Information Systems

REQUEST FOR PROPOSALS. 403(b) Retirement Plan Investment Analysis and Consulting. July 2012

8.03 Health Insurance Portability and Accountability Act (HIPAA)

Memo. Professional Accounts, LLC. Corporate Compliance Program

Brookhaven Site Office Environment, Safety & Health Management Plan. January 2013

Subsequent Injury Fund

Mecklenburg County Department of Internal Audit. Business Support Services Agency Fuelman Gas Card Investigation Follow-Up Audit Report 1467

Consideration of Laws and Regulations in an Audit of Financial Statements

Silanis E-Signature Solution Automates E-Contracting for a Top 20 Government Contractor

THE FCA INSPECTOR GENERAL: A COMMITMENT TO PUBLIC SERVICE

STATE OF NORTH CAROLINA

PART 10 COMPUTER SYSTEMS

Post Award Accounting System Audit at Nonmajor Contractors

CLERK & COMPTROLLER, PALM BEACH COUNTY CLASS DESCRIPTION CLASSIFICATION TITLE: MANAGER FINANCE SERVICES GENERAL DESCRIPTION OF DUTIES

Department of Veterans Affairs

Comptroller of the Treasury. Central Payroll Bureau

Project Management Procedures

August 2008 Report No

Federal Spending Data Quality Plan

This is a training module for Maximo Asset Management V7.1. In this module, you learn to use the E-Signature user authentication feature.

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

December 2014 Report No An Audit Report on The Telecommunications Managed Services Contract at the Health and Human Services Commission

Determination of Best Procurement Approach. Assisted Acquisition. [Insert title of the statement of work or requirement.]

WEB-BASED TIME AND ATTENDANCE DCAA COMPLIANCE. White Paper

BOARD CHARTER. Its objectives are to: provide strategic guidance for the Company and effective oversight of management;

Identity and Access. Management Services. HCL Information Security Practice. Terrorist Sabotage. Identity Theft. Credit Card Fraud

Any business relationship between a bank and another entity, by contract or otherwise

PRACTICE ADVISORIES FOR INTERNAL AUDIT

NONPROFIT FINANCIAL MANAGEMENT SELF ASSESSMENT TOOL

PHI Air Medical, L.L.C. Compliance Plan

THE CITY OF NEW YORK OFFICE OF THE COMPTROLLER 1 CENTRE STREET NEW YORK, N.Y

Or download and view an electronic copy by visiting:

Putnam/Northern Westchester BOCES Internal Audit Report on Information Technology

Job Description. Housing Manager

HIPAA Auditing Tool. Department: Site Location: Visit Date:

The University of British Columbia Board of Governors

The policy and procedural guidelines contained in this handbook are designed to:

SUMMER FOOD SERVICE PROGRAM PROGRAM FINANCES

ATTACHMENT A - STATEMENT OF WORK REQUEST FOR PROPOSALS FOR INDEPENDENT BENEFIT CONSULTING, ACTUARIAL AND AUDITING SERVICES DMS-13/14-018

Internal Controls, Fraud Detection and ERP

Transcription:

NYC Department of Information Technology & Telecommunications Guidance for Audit Readiness Risk Management & Compliance Division Linda Mercurio, Director 1

Introduction to Audit Readiness Table of Contents Chapter 1 Project Oversight and Audit Readiness 1) Requirements for all projects 2) Additional areas to be reviewed 3) Access to and use of confidential information 4) Mobile computing and storage devices 5) Access controls 6) Personnel needed to support assessment Chapter 2 Internal Controls 1) Benefits of internal controls 2) Who is responsible for internal control? 3) Internal assessments 4) Benefits of internal assessments 5) What does the Risk Management and Compliance Division do? 6) Risk assessment Chapter 3 Types of Government Audits Sample Internal Assessment Projects What Risk Management and Compliance means to you? 2

Introduction to Audit Readiness Auditors look for documentation of every decision that is made over the course of a project, from project conception to project completion. Auditors want documentation of the big decisions, like whether to go forward with the project in the first place, which vendor to use, whether to pay a vendor s invoice, and whether to accept a vendor s deliverable. Auditors also want documentation of the smallest, day today decisions, like the approval of a subcontractor, the approval of a consultant s time sheet, or the approval of extension of time for contract performance. In examining this documentation, auditors are asking whether the project met its expectations. Did the deliverables comply with contract requirements? Did the cost fall within budgetary and contractual maximums? Perhaps most importantly, does the product work as claimed when the project was proposed? The ideal state of audit readiness is to have complete documentation (digital, paper, or both) for every decision that is made in the course of a project. The documentation is organized and maintained in a way that makes it readily accessible to auditors when the time comes, and the documentation clearly and completely explains the reasons for each project decision. Finally, the documentation demonstrates contract compliance and budgetary compliance. 3

Of course, good audit readiness practices help us avoid embarrassing second guessing by outside auditors. But more importantly, the discipline of audit readiness helps us to ensure that we think through the decisions we make on a project, from project development to project implementation to completion, acceptance, and final payment. If we can t document a decision in a way that is clear to an auditor, we probably shouldn t make that decision in the first place. The purpose of this document is to provide guidance in audit readiness for project managers and support teams, and to inform them about the availability of Risk Management and Compliance Division as a resource. 4

Chapter 1 Oversight of Project and Readiness for an audit 1) Requirements for all projects All projects should have the following: 5

6

7

8

9

2) Access to confidential information Confidential information consists of: a. Confidential project information and other confidential DoITT information b. Confidential personal information 10

3) Mobile Computing and storage devices 4) Access Controls Written procedures for granting, changing, and terminating access. Update rights as necessary (e.g., retirements, terminations). Each user should have his or her own network and application account and password. Assign access based on what users need to complete their jobs. User should set their own passwords. Hold passwords to complexity requirements to make them more difficult to crack or be easily guessed. Periodically compare employee master list to list of network and application user accounts. 5) Personnel needed to support audit Contracts Personnel both on the Project and in the Contracts Unit Legal Counsel on the Project Accounts Payable both on the Project and the Accounts Payable Unit under John Winker Project Manager Risk Management and Compliance Unit (Ensures that all documentation is readily available and performs a random sampling of documentation). 11

Administrative Staff to help ensure that all documentation is readily available and is in order (proper signatures and deliverables in place). Chapter 2 Internal Controls 1) What are internal controls? Internal controls, often referred to as management controls, in the broadest sense include the plan of organization, methods, and procedures adopted by management to meet its missions, goals, and objectives. Internal controls also serve as the first line of defense against fraud and violations of law, regulations and provisions of contracts and grant agreements. 2) Who is responsible for internal control? 12

3) Internal assessments Internal assessments can be performed at the request of executive management. In ternal assessments are an independent, objective assurance and consulting activity designed to add value and improve an organization s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. 4) Benefits of Internal Assessments 13

5) What does the Risk Management and Compliance Division do? 6) Risk assessment Definition of Risk : Risk is the probability that an event or action may adversely affect the organization or activity under audit. Examples of risks are performing work without funding, cost overruns, and lack of city oversight. The purpose of a risk assessment is to enable the organization to: 14

Chapter 3 Types of Government Audits We have been audited by the Federal, State and City governments. The sco pe of government audits may involve multiple objectives, including a review of the efficiency and effectiveness of programs and services, in addition to an examination of traditional matters such as financial statements and fiscal operations. Government Auditing Standards issued by the US General Accountability Office define the different types of government audits as follows and provide a framework to help ensure professional, high quality work. 15

Performance audit objectives may vary significantly and include assessments of program effectiveness, economy and efficiency; internal control; compliance; and prospective analyses Moreover, a performance audit may incorporate one of more of these objectives. Sample Internal Assessment Areas 16

What Risk Management and Compliance means to you? You have, at your fingertips 17

18

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information