Our organization conducts security audits to identify the risks present in your existing procedures and systems. We do this by investigating each specific area of your business and examining the way in which it works: what its goals are and how it interacts with other areas. Our main focus is on the flow of information and on how staff physically interact with that information.
A security audit is essentially an assessment of how effectively the organization's security policy is being implemented. Security audits do not take place in a vacuum. They are part of the ongoing process of establishing and maintaining effective security policies. This is not just a conference-room activity; it involves everyone who uses resources throughout the organization.
We detail below our general proposal for your organization. The specifics will be worked out once we have received full information from your side.
Audit Objectives
PART 1
The purpose of each internal control audit is to gather sufficient evidence to express an opinion on the adequacy of the client's relevant security and security-management systems and related controls, and on their compliance with applicable laws, regulations and business policy.
We will audit your existing systems and procedures to determine the degree of reliance that can be placed on them. This provides a basis for your own decision-making and planning.
In cases where we can rely on the client's systems to record, process, summarize, and report in a manner consistent with client policies, we can minimize substantive testing. In those cases where the systems are inadequate, expanded testing is often needed. However, our emphasis is on strengthening the relevant security and management systems rather than on expanded testing during individual attestation audits.
PART 2
If a system has not been audited or a report on the full system has not been issued within the past four years, control risk should be assessed as "high" and an audit of the system should be scheduled as soon as possible. In the interim, substantive testing should be increased internally to compensate for the inability to rely upon internal controls.
At client organizations with outstanding internal-control deficiencies, we focus on correcting the deficiencies rather than on performing expanded testing. When the client corrects the deficiencies or changes the system, we give high priority to auditing the system change as a basis for placing reliance on the system.
While the discovery of fraud or other unlawful or improper activity is not the primary objective of any audit, we will be attentive to any condition which suggests that such a situation may exist. If such activity is suspected, the circumstances will be reported.
Scope of Audit
1) While the nature and extent of audit effort depend upon client size and the amount and type of business (materiality and sensitivity), the scope of an internal control audit should include:
- 1. Gaining an understanding of the client's internal controls, including both manual and automated (IT) activities, which provide reasonable assurance that costs are allowable, allocable, and reasonable in accordance with client policies, and that material misstatements are prevented, or detected and corrected, in a timely manner;
- 2. Documenting our understanding of the client's internal controls in working papers and permanent files;
- 3. Testing the operational effectiveness of the system's internal controls;
- 4. Assessing control risk as a basis for designing substantive tests for related audit effort;
- 5. Reporting on the understanding of the internal controls, the assessment of control risk, and the adequacy of the system.
2) In establishing the scope of audit effort, we will carefully consider the nature and extent of documentation available from prior audits and permanent files. Once a comprehensive profile of the client's system has been obtained, it will serve as the baseline for establishing the scope of subsequent audits, if required and desired. Subsequent audits could cover major system changes and other areas identified as high risk. They could also include tests of key internal controls over selected transactions to confirm that the controls are in place and operating effectively.
3) The results of prior control and system audits, if available, will be evaluated for related deficiencies. The following elements will be considered when auditing internal controls related to individual systems:
- The client's representation of their internal controls should describe the complete operation of the system and identify all related policies, practices, and procedures;
- The number of employees with access to information should be kept to the minimum needed and justified by need. Adequate security controls should be in place to limit who can input, review, and authorize changes to information;
- Actual operation should be verified against the documented policies, practices, procedures, and flowcharts;
4) Client management has a responsibility to establish and maintain effective internal controls. As part of the preliminary audit effort, the client will be requested to explain how their system operates, what controls are in place to achieve the control objectives, and what methods are used to monitor and evaluate their continued operation. We will rely to the maximum extent possible on the client's self-assessment, monitoring and testing efforts, subject to the testing of operational effectiveness described above.
Our Methodology
The following points outline our methodology for evaluating client security and related systems. This is our framework for performing an internal control examination. However, this framework is not a substitute for professional judgment; we will adapt it to any unusual or unique situations encountered during the audit.
1) Our first step in evaluating the client's internal controls is to obtain an understanding of the system being audited. This understanding serves as the foundation for evaluating related internal controls and allows us to recommend more effective and efficient procedures.
2) To acquire the basic understanding of the system being audited, we will:
- Review the control objectives and procedures listed in the appropriate documents supplied by the client;
- Review the client's system explanation and related documentation, e.g., business and security policy and procedure manuals;
- Review relevant working papers from the permanent files and prior audits;
- Make inquiries of appropriate client management, supervisory, and staff personnel;
- Inspect relevant documents;
- Observe actual client operations.
3) In addition, we will request that the client explain selected aspects of the system to help confirm our understanding. We will walk through the system, tracing one or more transactions from initiation to conclusion through the various processing steps. If we already have sufficient understanding of the system as a result of prior audit experience, this procedure may not be necessary.
4) The extent of audit effort expended in gaining an understanding of the client's systems is a matter of auditor judgment. Characteristics that are considered include:
- The size and complexity of the client;
- Level of previous experience with the client;
- Nature and extent of available documentation;
- Materiality judgments for specific accounts and transactions handled by the system.
5) Once we have gained an adequate understanding of the client's systems, it will be documented in the audit working papers. This documentation will typically take the form of system flowcharts, narrative descriptions, and copies of relevant documents and reports. The methods used and the extent of documentation required are a matter of our professional judgment. In all cases, the documentation will provide sufficient information to communicate our understanding clearly and concisely.