Audit Planning/Process

Process-based

Limitations until initiatives
are implemented

e.g. Vendor Management or BCP

Sample across BUs

Code Migration

Ensuring ownership
of functional areas

Vendor mgmt

ETG involvement

understanding per BU

Leverage Call
Program

Running ideas of what is
going on within BU

Scoping

Challenges w/ federal examiners

Potential risk

Understand and document why and what

Value-add - including all areas

commitment to org.

Include product overview
during scoping call

Understand product
before audit fieldwork

Ensure testing addresses risks

Client contract risk

no central handle on
contract mgmt or compliance

Central repository

Application audits

Endevor

RMS

ClearQuest

Risk Vision review

categorize

avoid missing areas

Evaluation of common processes

Accurate interdependency matrix

Impact for locations

More like Remedy audit

Platform-based
work programs/audits

More detailed reviews

Mainframe

RXP

Major Gaps?

Ensuring coverage of
compensating controls w/in ERA

E.g. Password reqs

Self-reporting of ERR compliance

Pick critical areas
to cover on audits

Aligning w/
Skillsets and Technical
Knowledge

what falls under
finance team scope?

e.g. vendor mgmt

Fin. team to start taking
on more operational
audit areas in 2012

Joining Projects

Audit team members to
become members of
project teams outside
audit department

Due diligence

Leadership commitments

"Need to do"

SOX

Are commitments definite?

FFIEC governed areas

Ways to change commitments

e.g. tiers

Justification

Action items

Ideas on how to carve out
audits to be more manageable
and more in-depth

Justification to rotate
through audit schedule

What areas are too broad?
What made you uncomfortable?