Risk Advisory Services


Internal Audit (Outsourced, Co-Sourced, Staff Augmentation)

• Operational

• IT Internal Audit

• Regulatory

• Financial

• Quality Assurance Improvement Program (QAIP)

RISK ADVISORY

SOX 404 Compliance

• Full Outsourced

• Co-Sourced

• Staff Augmentation

Third Party Assurance

• SSAE 18

  • SOC 1

  • SOC 2

  • SOC 3

• Cyber Attest

Risk Management

• Enterprise Risk Management

• Operational Resilience

• Business Process / Internal Control

Due Diligence

• Internal Control

• Information Technology

• Cybersecurity

Audit and Professional Services Firm Support

• External and Internal Audit Support Staff Augmentation

• Advisory and Consulting Staff Augmentation

• Subject Matter Specialists

Business walks a fine line between risk and reward. Our Risk Advisory services help you manage uncertainty around Risk, Internal Audit, SOX, and Compliance, so you can focus on what counts – your business. Let us help you stay OnTRAC!

citrincooperman.com 1

INTERNAL AUDIT SERVICES

An Internal Audit should be an independent function within your organization that continuously and objectively evaluates your compliance with regulatory standards, your efficiency and effectiveness throughout your operations, and your ability to anticipate risk and respond with agility.

THE SERVICE MODELS

KEY COMPONENTS

Full Outsourced Model 1

Our full outsourced approach provides your organization with exactly that – an independent and objective Internal Audit function with access to the firm’s bench of technical and expert resources while eliminating employee carrying costs.

Co-Sourced Model 2

Our co-sourced approach is a partnership between your existing Internal Audit function and our team, to provide you with technical and expert resources to fill particular skill gaps, without the need to hire full-time resources.

Staff Augmentation 3

Our staff augmentation approach deploys a certain number of our professionals to operate within your existing Internal Audit function, for an agreed-upon length of time, without any long-term commitments.

COMPLIANCE / VALUE ADD / FORESIGHT

FOCUS AREAS

Issue

• Does your organization have an Internal Audit function?

• Is your Internal Audit function perceived to add value to your organization, in excess of the cost of the function itself?

• Does your Internal Audit function have the technical knowledge to successfully execute audits in complex and/or high-risk areas?

• Does your Internal Audit function have the resource capacity to timely execute the audit plan?

Action

• See Action on the left

Impact

• Alignment of the audit plan with strategic business objectives to keep your organization heading in the right direction.

• Cost optimization delivered through an efficient and effective audit methodology that adds back value to your organization.

• Internal audit talent – where and when you need them by tapping into a deep bench of technical and expert resources.

Operational / Regulatory / IT Audit / Financial

INTERNAL AUDIT SERVICES DELIVERABLES

THE SERVICE METHODOLOGY

SAMPLE DELIVERABLES


SOX 404 SERVICES

Section 404(a) of the Sarbanes-Oxley Act of 2002 (SOX 404) requires companies to complete certain annual compliance activities related to their assessment of the operating effectiveness of internal control over financial reporting (ICFR). These activities generally include the elements outlined below.

Our SOX service models and methodology are customizable to your organization’s exact needs and provide you with access to our deep bench of technical and expert resources, so you can stay OnTRAC.

THE SERVICE MODELS

Full Outsourced Model 1

Our full outsourced approach provides your organization with exactly that – an independent and objective Internal Audit function, with access to the firm’s bench of technical and expert resources, while eliminating employee carrying costs.

Co-Sourced Model 2

Our co-sourced approach is a partnership between your existing Internal Audit function and our team to provide you with technical and expert resources to fill particular skill gaps, without the need to hire full-time resources.

Staff Augmentation 3

Our staff augmentation approach deploys a certain number of our professionals to operate within your existing Internal Audit function for an agreed-upon length of time, without any long-term commitments.

THE SOX METHODOLOGY

Scoping

• Account Balances

• Classes of Transactions

• Systems/Applications

Process Walkthrough

• Process documentation (e.g. narrative or flowchart)

• Test of design

Control Testing

• Test of operating effectiveness

• Business process controls

• IT general controls (ITGCs)

Remediation

• Identification of deficiencies

• Monitoring of corrective actions

• Re-testing of controls

Reporting

• Summary of testing results

• Assessment of all deficiencies (e.g. significant, material weakness)

Issue

• Does your organization have an existing SOX function or need to implement a new SOX function?

• Does your SOX function have the technical knowledge to successfully execute testing in complex and/or high-risk areas?

• Does your SOX function have the resource capacity to timely execute the testing plan?

Action

• See Action on the left

Impact

• Alignment of the SOX testing plan with strategic business objectives to keep your organization heading in the right direction.

• Cost optimization delivered through an efficient and effective SOX methodology that adds back value to your organization.

• SOX talent – where and when you need them by tapping into a deep bench of technical and expert resources.

SOX 404 DELIVERABLES

SOX READINESS ASSESSMENT

If your organization is aware of an impending requirement to comply with SOX 404, we can perform a SOX readiness assessment prior to the first year of compliance to ensure your organization is ready.

Our SOX readiness assessment follows the same methodology as actual compliance, using a preliminary scoping approach, but allows our team to assist management with their remediation efforts.

SAMPLE DELIVERABLES

DESIGN

ASSESS

REMEDIATE

THIRD-PARTY ASSURANCE SERVICES

As defined by the American Institute of Certified Public Accountants (AICPA), SOC (System and Organization Controls) for Service Organizations are internal control reports on the services provided by a service organization, providing valuable information that users need to assess and address the risks associated with an outsourced service. These reports can be provided for a defined period of time or as of a point in time, depending on the needs of user entities.

Our third-party assurance services are provided in accordance with the AICPA’s Statements on Standards for Attestation Engagements (SSAEs), specifically SSAE 18, a clarification and recodification of SSAE 16.

SOC REPORT COMPARISON

Purpose

• SOC 1: Reports on controls relevant to internal control over financial reporting

• SOC 2: Reports on controls relevant to security, availability, processing integrity, confidentiality, or privacy

• SOC 3: Reports on controls relevant to security, availability, processing integrity, confidentiality, or privacy

Use

• SOC 1: Restricted

• SOC 2: Restricted

• SOC 3: General (public seal)

Types

• Type 1 – As of a point in time

• Type 2 – Over a period of time

Content

• SOC 1: Description of service organization’s system; CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls. A type 2 report includes a description of the CPA’s tests of controls and results.

• SOC 2: Description of service organization’s system; CPA’s opinion on the fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls. A type 2 report includes a description of the CPA’s tests of controls and results.

• SOC 3: An unaudited system description used to delineate the boundaries of the system; CPA’s opinion on whether the entity maintained effective controls over its system.

Issue

• Are your customers (user entities) and/or their auditors inquiring about your third-party assurance reporting?

• Are you unsure of which reporting type would be best for your organization and customers?

• Do you already know that your organization needs a SOC report but are unsure if your organization is “audit-ready”?

Action

• See Action on the left

Impact

• An independent, third-party report that provides assurance to your customers and/or their auditors regarding your system and organization controls.

• Stronger relationships with customers through anticipation and effective management of risks and compliance.

• A readiness assessment to ensure your organization is “audit-ready” before the audit begins.

THIRD-PARTY ASSURANCE DELIVERABLES

THE SERVICE METHODOLOGY

Performed by Citrin Cooperman

SAMPLE DELIVERABLES

Not sure which SOC is right for you? Let us help you decide!

Performed by Citrin Cooperman Implemented by Management
