MONITORING ENTITY-LEVEL

CONTROLS AUDIT WORK PROGRAM

 Table of Contents
MONITORING ENTITY-LEVEL CONTROLS AUDIT WORK PROGRAM: SAMPLE 1.............................................3
MONITORING ENTITY-LEVEL CONTROLS AUDIT WORK PROGRAM: SAMPLE 2.............................................7

2 Source: www.knowledgeleader.com
 MONITORING ENTITY-LEVEL CONTROLS AUDIT WORK
PROGRAM: SAMPLE 1

PROJECT TEAM MEMBERS

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

AUDIT OBJECTIVES
The purpose of this audit work program is to evaluate the operating effectiveness of the monitoring component of
COSO as it relates to the attributes of ongoing monitoring, separate evaluations and reporting deficiencies.
• Ongoing Monitoring: This includes procedures built into the company’s normal recurring operating activities.
Monitoring procedures, which are an inherent part of the company, are generally more effective than
procedures performed in connection with separate evaluations (audits). Since separate evaluations take place
after the fact, problems will often be identified more quickly by the ongoing monitoring routines. A company
should focus on ways to enhance its ongoing monitoring activities and emphasize “building in” versus “adding
on” controls.
• Separate Evaluations: The frequency of separate evaluations necessary for management to have reasonable
assurance about the effectiveness of the internal control system is a matter of management’s judgment. When
making that determination, consideration should be given to the following: the nature and degree of changes
occurring and their associated risks, the competence and experience of the people implementing the controls,
and the results of ongoing monitoring.
• Reporting Deficiencies: Deficiencies in a company’s internal control system surface from many sources,
including the company’s ongoing monitoring procedures, separate evaluations of the internal control system,
and external parties. The term “deficiency” is defined broadly as a condition within an internal control system
worthy of attention. A deficiency, therefore, may represent a perceived, potential or real shortcoming, or an
opportunity to strengthen the control system to provide a greater likelihood that the company’s objectives will
be achieved.

Each section of this work program focuses on a specific attribute and the documentation that evidences the
operating effectiveness of entity-level controls. After each attribute, the work program details the steps for
evaluating each entity-level control.

See Company ABC’s entity-level assessment for additional evidence of the operating effectiveness of entity-level
controls.

3 Source: www.knowledgeleader.com
 Time Project Work Step Initial Index

Planning

Obtain and review any prior design issues identified and/or recommendations
made during the Sarbanes-Oxley Section 404 project.

Request documents needed for fieldwork:

• Internal audit charter

• Internal audit job descriptions

• SEC comment letters

• Management letters

• Internal audit organizational chart

• Internal audit training program

Ongoing Monitoring

See the testing of ongoing monitoring procedures in the process-level testing

results.

Separate Evaluations

Obtain the internal audit charter and ensure that the charter adequately describes
the functions and responsibilities of the internal audit group.

Obtain the organizational chart for internal audit and ensure that reporting lines
appear appropriate, ensuring that the VP of internal audit reports to the audit
committee in some capacity.

Obtain the job descriptions for internal audit staff and senior and perform the
following:

• Review the job descriptions to ensure that qualifications are listed.

• Judgmentally select X staff and X senior and review the qualifications to ensure
that they meet the criteria in the job description.

Obtain the training program for the internal audit department and perform the
following:

• Review the training program to determine if it appears reasonable, based on

the types of audits conducted and skill levels of personnel.

• Interview the VP of internal audit to determine the method for tracking and
monitoring the training program.

Reporting Deficiencies

External Party Adjustments and Comments

4 Source: www.knowledgeleader.com
 Time Project Work Step Initial Index

• Obtain any SEC comment letters received by Company ABC and perform the
following:

− Determine the nature of the comments and whether or not they

necessitated the resubmission of filings.

− Ensure that management responded timely and that the responses

adequately addressed the identified issues.

• Obtain the list of proposed adjustments resulting from audits by the external
auditor and perform the following:

− Determine the nature and amount of the proposed adjustments and whether
or not they indicate an internal control weakness.

− Ensure that management took steps to address areas of proposed

adjustments.

• Obtain the management letters resulting from audits by the external auditor
and perform the following:

− Determine the nature of the comments and whether or not they indicate a
significant deficiency or material weakness.

− Ensure that management responded timely and that the responses

adequately addressed the identified issues.

− Ensure that management’s indicated actions were implemented and

determine whether comments appear to recur.

Whistleblower/Ethics Hotline

• Obtain materials regarding the whistleblower/ethics hotline and perform the

following:

− Ensure that the hotline allows for anonymous reporting of unethical

behavior.

− Ensure that the hotline captures adequate information and that the
information is reported to appropriate individuals, including the audit
committee and VP of internal audit.

− Review the minutes from the Q3 audit committee meeting and ensure that
any reports were discussed and that appropriate action and follow-up were
taken.

Completion

• Review this audit program to ensure that all program steps have been
completed, documented and signed off.

• Identify exceptions and document compensating controls. Discuss the

compensating controls with the Section 404 project team and determine if
controls should be tested. If controls are tested, document the testing
performed and test results.

• Document any issues and remediation plans in an issue resolution document

and discuss it with the appropriate individuals.

5 Source: www.knowledgeleader.com
 Time Project Work Step Initial Index

• Communicate all issues to the Section 404 project team.

• Determine the overall operating effectiveness of controls.

6 Source: www.knowledgeleader.com
 MONITORING ENTITY-LEVEL CONTROLS AUDIT WORK
PROGRAM: SAMPLE 2

PROJECT TEAM MEMBERS

Project Timing Date Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

AUDIT OBJECTIVES
The purpose of this audit work program is to assess, at a high level, and validate key controls in place for the
monitoring process. Inadequate or ineffective controls in this area may give rise to financial and operational risks.

Risks addressed in this audit work program include:

• Internal and/or external audit comments and management responses are not provided to the audit committee
or board of directors.
• Internal audit does not have the authority to review any aspect of the entity's operations.
• Internal audit is not independent of the activity’s IT audits.
• Internal audit is not prohibited from having an operating role in the activities they monitor.
• Management is not required to respond in a timely manner to the internal audit department's findings and
recommendations.
• Management does not monitor relevant external and internal information and does not consider the impact on
the control structure.
• Personnel with the requisite skills do not conduct evaluations of appropriate portions of the internal control
system.
• Supervisory personnel do not perform various random and structured reviews over the functioning of control
procedures.
• The frequency and scope of supervision and monitoring activities are not appropriate to the size and nature of
the entity.

Time Project Work Step Initial Index

Audit Procedures

Authority

Inspect the internal audit charter and verify that the charter stipulates that internal
auditors have no direct operational responsibility or authority over activities
reviewed.

7 Source: www.knowledgeleader.com
 Time Project Work Step Initial Index

Inspect the Company ABC organizational structure and verify that the internal audit
function does not have direct operational responsibility or span of control.

Inquire with internal audit leadership to confirm that internal auditors have no direct
operational responsibility or authority over activities reviewed.

Budget and Forecast

Generate a random sample of two months from the (Insert Date) to (Insert Date)
period selected for testing.

Obtain copies of the X report and verify that it was completed for the months
selected for testing.

Inquire with finance personnel to verify that senior and executive management
review the monthly X report.

IIA Code of Ethics

Inquire with the internal audit leadership to verify that the internal audit group
adheres to the IIA's Code of Ethics and Standards for Professional Practice.

Strategy

Obtain agendas, meeting minutes, documentation and plans resulting from the
(Insert Date) offsite strategy meeting.

Verify that the attendees of the meeting included the top X individuals of the
company.

Through inspection, verify that the company's performance related to the strategic
plan as well as strategic developments and their related benefits and risks were
discussed.

Independence of Committee

Review the audit committee charter to verify that it requires independence and
expertise that is aligned with the listing standards of the (Insert Name of Stock
Exchange).

Confirm that it is composed of members with financial expertise.

Access to Records

Obtain a copy of the internal audit charter.

Through inspection, verify that the charter states, "Authority is granted for full, free,
and unrestricted access to all the organization's records, physical properties and
personnel relevant to any function under review. All employees are requested to
assist internal audit in fulfilling their staff function. Internal audit should also have
free and unrestricted access to the audit committee of the board of directors and
information given to internal audit during a periodic review will be handled in the
same prudent manner as the employees normally accountable for them."

8 Source: www.knowledgeleader.com
 Time Project Work Step Initial Index

Confirm through inquiry with internal audit leadership.

Timetable

Obtain a copy of the internal audit charter.

Through inspection, verify that the charter states, "Management's response (to audit
reports) should include a timetable for anticipated completion of action to be taken
and an explanation for any recommendations not addressed."

Audit Committee

Generate a random sample of two quarters from the (Insert Date) to (Insert Date)
period selected for testing.

Obtain copies of the audit committee meeting minutes and/or agenda from the legal
assistant for the quarters selected for testing.

Inspect the meeting minutes or agenda and verify that internal audit reports and/or
external audit issues were reviewed.

Internal Audit Function

Obtain the audit plan approved by the audit committee of the board of directors for
(Insert Year).

Through inspection, verify that audits are performed/scheduled on various business

units and functions for (Insert Year).

pThrough inspection of the audit committee meeting minutes, verify that internal
audit matters were discussed and that findings and recommendations were
reported to management and the audit committee.

Reporting Procedures

Compile results from this process review into a report for management to review.

Schedule a meeting with management and appropriate process owners to discuss

results.

Receive signoff from management on the report results and document action steps
to address process deficiencies.

9 Source: www.knowledgeleader.com