Annual Internal Audit Plan Report

The document outlines an annual internal audit plan for Company XYZ. It includes the following sections: 1. Core audits that focus on foundational and regulatory requirements like Sarbanes-Oxley, hotel audits, and cybersecurity. 2. Hot spot audits that examine top risk areas like FCPA/bribery, currency fluctuations, and reservation centers. 3. Breakdowns of the core audits by category and hot spots for the year, including unifying post go-live systems, third-party access to IT systems, and development/acquisition due diligence.

Uploaded by Eva Julio
© All Rights Reserved

ANNUAL INTERNAL AUDIT PLAN REPORT

TABLE OF CONTENTS

03 Annual Internal Audit Plan Report: Sample 1
04 (Year) Audit Plan
06 (Year) Audit Plan: Core
07 (Year) Audit Plan Hot Spots
08 Appendix II Hotel Testing Approach
10 Annual Internal Audit Plan Report: Sample 2
11 Audit Plan by Division
12 Audit Plan by Business Risk Area
13 Plan Highlights
14 Proposed Audit Services Plan

ANNUAL INTERNAL AUDIT PLAN REPORT: SAMPLE 1
(YEAR) AUDIT PLAN: OPTION 1

Company XYZ Annual Audit Plan

1. Core Audits
• Core audits are foundational audits conducted each year, focusing on SEC and other regulatory requirements, key-risk areas and hotel-specific processes.
• These include the following audits:
  − Sarbanes-Oxley (SOX), including the financial reporting process and financial systems.
  − Hotel audits for the finance, operations and IT areas.
  − Cyber risk and data privacy across the company.

2. Hot Spots
• Hot spot audits are top-of-mind audits that directly relate to risk areas impacting Company XYZ business.
• In the past, hot spot audits included areas in franchise, FCPA/bribery, currency fluctuations, ROI and reservation centers.

(YEAR) AUDIT PLAN: OPTION 2

Company XYZ Annual Audit Plan (Option 2 presents the same content as Option 1 in an alternative layout)

Core Audits
• Core audits are foundational audits conducted each year, focusing on SEC and other regulatory requirements, key-risk areas and hotel-specific processes.
• These include the following audits:
  − Sarbanes-Oxley (SOX), including the financial reporting process and financial systems.
  − Hotel audits for the finance, operations and IT areas.
  − Cyber risk and data privacy across the company.

Hot Spots
• Hot spot audits are top-of-mind audits that directly relate to risk areas impacting Company XYZ business.
• In the past, hot spot audits included areas in franchise, FCPA/bribery, currency fluctuations, ROI and reservation centers.

(YEAR) AUDIT PLAN

Core Audits

Sarbanes-Oxley
Financial Reporting Processes
• Cash and short-term investments
• Receivables
• Investments
• Property and equipment
• Goodwill and intangibles
• Payable and accrued expenses
• Long-term debt
• Taxes
• Equity
• Revenues and expenses
• Fraud and organizational governance
Financial Systems
• Active directory/FIM (single sign-on)
• Gold passport
• Hyperion (reporting)
• Iscala (int’l GL)
• One source (tax)
• Opera (PMS/POS)
• Oracle (GL)

Hotel Audits
Finance
• Balance sheet reconciliations
• Income journal reconciliations
• Revenue adjustments
• Expenses
• Gold passport
• Leases
• Sales and catering contracts
• Cash
Operations
• Employee status change
• Vendor management
• License review
• Data privacy
IT
• New and terminated user access
• Physical access and data centers
• Password configuration
• Change management
• Backup and recovery
• Opera permissions

Cyber Risk/Data Privacy
Companywide
• Simulated breach testing
• Segregation of duties
• Vendor risk and access
• Vulnerability management and penetration testing
• Data privacy compliance and security
• Business interruption/disaster recovery
• Enterprise data warehouse (GEM)

Hot Spots

Hot Spots in (Year)
• FCPA/bribery
• Currency fluctuations
• ROI
• Reservation centers
• Unify post-go-live
• Third-party access to IT systems
• Franchise
• Development/acquisition due diligence and underwriting
• Construction
• IT sales and use tax
• Global shared services
• Consultant usage risks
• Security preparedness
• Joint ventures
• Management agreement compliance

(YEAR) AUDIT PLAN: CORE

Core

Sarbanes-Oxley
• Enforces regulatory compliance requirements
• Utilizes key process and IT controls that support financial reporting, with risk collaboratively evaluated using the external auditor’s risk of material misstatement model
• Measure unify post go-live control effectiveness
• Continued refinement of entity-level controls that support the new COSO framework
• Fraud
• Centralized testing
  − Integrate data analytics to support continuous monitoring

Hotel
• Ensure hotel compliance with financial, operational and IT policies (risk stratified).
  − Increased emphasis on owned properties
  − Assessment of hotel cluster effectiveness
  − Increased emphasis on IT vendor contracts
• Shared service centers (XXX, YYY, ZZZ)
  − Advisory and support role for global shared service initiative
• MOR alumni program

Cyber Risk
• Data privacy
• Information security
• Property acquisition/takeover process and related costs

Process
• Risk council: global and ASPAC
  − Expand to include EAME/SWA council
• Annual and ongoing risk assessment

Foundational audits are conducted each year, focusing on SEC and other regulatory requirements, public company/governance considerations, key-risk areas and hotel-specific processes.

Blue = New in (Year)

(YEAR) AUDIT PLAN HOT SPOTS

Hot Spots in (Year)

Unify Post Go-Live
• Measure control effectiveness and system integration.
• Perform consolidated banking.

Third-Party Access to IT Systems
• Review vendor access to Company XYZ systems to see that only contractually required access is granted and subsequently terminated.
• Ensure that contractually required rights are secure.

Franchise
• Perform a review of audited financial statements to validate revenue and franchise fees.
• Assess compliance with brand and IT standards by partnering with brand and IT teams.

Development/Acquisition Due Diligence and Underwriting
• Review pro forma process and assumptions.
• Assess compliance with various internal review recommendations.

Enterprise Data Warehouse (GEM)
• Identify who has access to the EDW and for what purpose.
• Determine the breadth of data collected and how data is disseminated across borders.

Others
• Construction
• IT sales and use tax
• Global shared services
• Marketing ROI
• Consultant usage risks
• Security preparedness
• Joint ventures
• Management agreement compliance

Top-of-mind audits that address key-risk areas and ongoing initiatives are consistently referenced during risk assessment sessions and risk council meetings and/or identified during prior year audits.

APPENDIX II HOTEL TESTING APPROACH (1/2)

Consistent with (Insert Year), internal audit will perform several types of hotel audits (audit approach is flexible and based on property type, location and risk profile).

Full-Service Hotels (See Coverage In Table Below)
• Hotel audit: The scope includes financial statement substantive testing and control testing (operational, financial and IT) that’s conducted at owned/leased/JV properties.
• MOR: Evaluate operational, financial and IT controls via the control self-assessment and core work program. These reviews are performed by DOFs and MOR leaders, and reports are reviewed by internal audit.

Other Property-Related Testing
• Shared service centers: Execute test procedures.
• Centralized audit procedures: Leverage systems and centralized processes to efficiently assess various scope areas (centralized testing will provide broader coverage).
• Select service hotels: Central control focus is augmented by limited procedures at remaining owned properties.
• Limited reviews: Utilize limited procedures to gain controls comfort and coverage for lower-risk properties where the leadership committee and operating environment have remained consistent since the previous audit.

Full-service hotel coverage*

          Owned/Leased   Managed   Total
Hotels    56             187       243
Audits    37             77        114

Audit coverage for full-service hotels is 47%.

* Refer to following slides for regional locations. It includes five international properties.

APPENDIX II HOTEL TESTING APPROACH (2/2)

(Regional locations of the hotels in the table above, by region: Americas, EAME/SWA, ASPAC; the map itself is not reproduced in this text.)

ANNUAL INTERNAL AUDIT PLAN REPORT: SAMPLE 2
AUDIT PLAN BY DIVISION

(Pie charts: Previous Year Plan and Proposed Plan, showing the share of the audit plan by division: UED, UPS, UMS, UER and Support Services. The percentage labels cannot be matched to divisions in this text rendering.)

AUDIT PLAN BY BUSINESS RISK AREA

(Pie charts: Previous Year Plan and Proposed Plan, showing the share of the audit plan by business risk area: Process, Information and Environment. The percentage labels cannot be matched to risk areas in this text rendering.)

PLAN HIGHLIGHTS

Company Energy Resources
• Focus on gas risk management continuously.
• Perform new electricity risk management audits.
• Conduct ongoing audits.

Company Energy Delivery
• Focus on the control and allocation of costs.
• Consolidate customer information systems.
• Test controls over outside service costs.

Company Marketing Services
• Focus on new systems and information flow.
• Test billing processes continuously.

Support Services
• Focus on disbursements and cost control.
• Review the performance management process.
• Incorporate telecommunications, LAN security and other information technology reviews.
• Facilitate ongoing reviews of re-engineered processes.
• Focus on gas supply purchases, allocations, reporting and margin generation activities.

Company Power Supply
• Focus on control and allocation costs.
• Conduct a new electricity wholesale processing audit.

PROPOSED AUDIT SERVICES PLAN (1/8)

Columns: Audit Name; Audit Description; Last Audit Date (left blank in this sample).

Energy Resources
• Gas Risk Management Reviews: Test risk management controls, transactions and reporting on a quarterly basis.
• Gas Risk Management Monitoring: Determine that parameters, procedures and controls continue to operate effectively.
• Gas Physical Contract Compliance: Test compliance and opportunities with delivery commitments on physical gas contracts.
• Electricity Risk Management: Evaluate procedures and controls sufficiency related to electricity trading activities.
• Electricity Trading: Test the accuracy and completeness of physical and financial trade data.
• Actualization Procedures: Review actualization and physical gas disbursement procedures.
• Gas Management System: Review controls and data integrity within this system.
• (Insert Company) Construction Costs: Test for propriety of costs allocated to ABC when constructing this pipeline.
• ABC Gas Pipeline Balancing: Review volumetric and exchange balancing controls and procedures.
• Human Resources/Payroll: Evaluate controls and the interface between the human resources and payroll process.
• Platinum System Controls: Review general data processing controls.
• LAN Security: (Location): Test the security surrounding local area networks residing in a city.

PROPOSED AUDIT SERVICES PLAN (2/8)

Columns: Audit Name; Audit Description; Last Audit Date (left blank in this sample).

Energy Resources (Continued)
• DEF Operations: Review gas trading operations.
• XXX Follow-Up Activities: Follow up on significant opportunities from previously issued audit reports.
• External Audit Participation: Participate with financial audit teams in the annual audit.

Energy Delivery
• Purchasing/O&M Cost Control: Review major contracts, POs and purchasing practices, and for propriety of costs incurred.
• X System Billing Controls: Review the recently implemented X System.
• Iowa Cost Allocation: Assist in the Iowa cost allocation audit report for allocations to nonregulated operations.
• Field Office Reviews: Review controls over cash, time allocation, inventory, security, policy compliance, etc.
• CIS Process Flows: Process map customer, billing, receipt, etc. processes to evaluate consolidation of CIS systems.
• CIS Consolidation Testing: Test data and processes in consolidated CIS systems.
• CIS Implementation: Review CIS consolidation implementation, rollout and training.
• Collection Activities: Test the effectiveness of collecting past due accounts through collection agencies.
• Gas Safety Compliance: Review compliance prior to public service commission (PSC) audits.

PROPOSED AUDIT SERVICES PLAN (3/8)

Columns: Audit Name; Audit Description; Last Audit Date (left blank in this sample).

Energy Delivery (Continued)
• Plant (Location): Test overhead allocation compliance at this nonoperated plant.
• System Conversions: Test to ensure that systems being processed are operating effectively.
• LAN Security: Test security surrounding local area networks.
• LAN Security: Test security surrounding local area networks.
• Fixed Asset Tax Reporting: Test fixed asset records and update processes to ensure validity of data for tax purposes.
• Follow-Up Activities: Follow up on significant opportunities from previously issued audit reports.
• External Audit Participation: Participate with financial audit teams in the annual audit.

PROPOSED AUDIT SERVICES PLAN (4/8)

Columns: Audit Name; Audit Description; Last Audit Date (left blank in this sample).

Power Supply
• Purchasing/O&M Cost Control: Review major contracts, POs and purchasing practices, and for propriety of costs incurred.
• Environmental Compliance: Evaluate the sufficiency of the environmental compliance program.
• Electricity Wholesale Processing: Review billing and accounting procedures for electricity wholesale transactions.
• Economic Change Adjustments (ECAs): Review the accuracy of ECAs in Colorado and Kansas.
• Energy Center: Test costs allocated to this nonoperated power plant by the operator.
• Follow-Up Activities: Follow up on significant opportunities from previously issued audit reports.
• External Audit Participation: Participate with financial audit teams in the annual audit.

Marketing Services
• Billings (X System): Test for propriety and accuracy of billings handled by X system.
• Sales Taxes: Review processes to ensure that appropriate sales taxes are collected and remitted.
• Information/Reporting: Identify business information needs and reporting requirements.
• Margin Incentives: Test for propriety and realization of margins utilized in incentive compensation computations.

PROPOSED AUDIT SERVICES PLAN (5/8)

Columns: Audit Name; Audit Description; Last Audit Date (left blank in this sample).

Marketing Services (Continued)
• Cost Allocation Process: Review the reasonableness of allocations to regulated and nonregulated businesses.
• Contract Management System: Test controls and data integrity built into this newly enhanced business system.
• Outside Services/Cost Control: Review vendor evaluation and contracting processes and for propriety of related costs.
• Ad Agency Contract Compliance: Test compliance by significant ad agencies with contract terms.
• Back Office: Review infrastructure for sufficiency and ability to absorb additional operations.
• Data Processing: Test general data processing controls.
• Follow-Up Activities: Follow up on significant opportunities from previously issued audit reports.
• External Audit Participation: Participate with financial audit teams in the annual audit.

PROPOSED AUDIT SERVICES PLAN (6/8)

Columns: Audit Name; Audit Description; Last Audit Date (left blank in this sample).

Support Services Corporate
• Disbursements Processing: Review with and train accounts payable functions on appropriate processing controls.
• Leased Properties: Review lease monitoring procedures and compliance with leasing arrangements.
• Performance Management Process: Evaluate goal setting alignment, performance tracking and incentive measurement processes.
• Relocation Expenses: Test compliance with policies and for propriety of expenses.
• Workers’ Compensation Claims Testing: Review third-party claims processor procedures for propriety and compliance with the contract.
• Benefits Claims Processing: (no description given in the sample)
• Business Resumption Planning: Evaluate sufficiency of critical business resumption procedures.

Information Technology
• Data Center General Controls: Update the general controls review to ensure integrity of processing in the data center.
• Telecommunications: Determine and evaluate system dial-in and other telecommunication controls.
• Program Change Control: Test the adequacy of controls over changes to programs and data files in State A.
• LAN Security: Corporate: Test security surrounding local area networks.
• Application Development: Assist in significant development projects of the center.

PROPOSED AUDIT SERVICES PLAN (7/8)

Columns: Audit Name; Audit Description; Last Audit Date (left blank in this sample).

Reengineering and Other
• Customer Re-Engineering Projects: Review controls and procedures for newly designed customer processes.
• Materials Re-Engineering Projects: Review controls and procedures for newly designed material management processes.
• Financial Re-Engineering Projects: Review controls and procedures for newly designed financial management processes.
• Risk Evaluation and Planning: Continually assess risk areas and plan audits to address significant risks.
• Follow-Up Activities: Follow up on significant opportunities from previously issued audit reports.
• External Audit Participation: Participate with financial audit teams in the annual audit.

Support Services (Continued): Supply Services
• Margin Generation Activities: Review 19XX recorded margins to ensure that they were generated in a risk-free manner.
• Gas Purchases and Allocations: Test for propriety of gas purchasing, cost allocations and contract administration.
• Gas Cost Reporting: Evaluate the business needs relative to reporting gas cost information.
• Capacity Release/Negative Reserves: Review negative reserves in the nomination process to evaluate supply risks.

PROPOSED AUDIT SERVICES PLAN (8/8)

Columns: Audit Name; Audit Description; Last Audit Date (left blank in this sample).

Support Services (Continued): Supply Services
• Plan Vs. Actual Cost Review: Analyze actual cost variances versus plan to determine potential regulatory exposures.
• Fixed Price Irrigation Contracts: Test for propriety of contracts to supply gas to irrigation customers.
• Enhancements: Review controls and procedures integrity in (Insert System) enhancements.
• System: Review data and procedures integrity in this new, critical business system.
• Follow-up Activities: Follow up on significant issues from previously issued audit reports.
• External Audit Participation: Participate with financial audit teams in the annual audit.
