TSRS_IAS_Sales & Methodology Toolkit

Nov 17, 2015

eRisk Solutions
Assurance and Advisory Business Services

IT IAS Teaming/Outsourcing Sales and Methodology Toolkit

Last Updated May, 1999.

FOR INTERNAL USE ONLY. Not for distribution outside of the firm.

Table of Contents

IT Internal Audit Services Overview
  Overview
  Practice Management Policies and Procedures
  Integrated Audit Considerations
  Program Sponsors and Resources

IT Internal Audit Services Sales Process
  Overview
    Service Delivery Methodology
  Our Value Proposition
  Target Market for IT Internal Audit Services
    Identifying Companies to Target
    Target Industries
    Targeting Best Practices
    Client Targeting
    Triggering Events
  Making the Sale
    Identifying Whom in the Company to Target for IT Teaming Services
    Buyer Profiles
    Entry Strategies
  Service Pricing Guidelines
  IT Internal Audit Services Sales Process
    Overview
  The Qualifying Call
  The Expanded Capabilities Call
  The Co-Development Meeting
  Other Steps
    Specific Projects
    Proposal
    Letter of Understanding
  Competitive Assessment
  Frequently Asked Questions and Common Objections
  Success Stories
    Aon
    Novell

IT Internal Audit Services Methodology
  Overview
  Stage 1: Co-Develop Expectations with Client
    Introduction
    Summary of Stage 1 Activities
    Summary of Stage 1 Deliverables
    Stage 1 Activities
      Activity 1.1 Understand client's needs
      Activity 1.2 Understand client's business
      Activity 1.3 Determine scope of the engagement and risk assessment methodology
      Activity 1.4 Determine deliverables
      Activity 1.5 Develop fee estimation and define client billing procedures
  Stage 2: Conduct Risk Assessment
    Overview
    Our Risk Assessment Framework
    Summary of Stage 2 Activities
    Summary of Stage 2 Deliverables
    Activity 2.1 Plan the Risk Assessment
      Introduction
      Summary of Principal Worksteps
      Principal Worksteps
        2.1.1 Identify and Orient Project Team
        2.1.2 Identify Key Client Personnel to be Involved/Interviewed
        2.1.3 Develop Risk Assessment Workplan
        2.1.4 Determine Timeframe and Budget for Risk Assessment
    Activity 2.2 Understanding the Entity's Business Goals, Strategies, Objectives and Critical Success Factors
      Introduction
      Summary of Principal Worksteps
      Principal Worksteps
        2.2.1 Identify relevant information held by E&Y
        2.2.2 Confirm and Build Understanding
    Activity 2.3 Understand the Mega & Major Business Processes and Related IT Requirements
      Introduction
      Summary of Principal Worksteps
      Principal Worksteps
        2.3.1 Identify the mega and major business processes
        2.3.2 Identify the key business processes
        2.3.3 Understand how IT supports the mega and major business processes and its potential impact on the business
    Activity 2.4 Identify the IT Resources and Related Processes
      Introduction
      Summary of Principal Worksteps
      Principal Worksteps
        2.4.1 Identify and Document IT Resources
        2.4.2 IT Processes
    Activity 2.5 Document Risk Assessment and Validate with Management
      2.5.1 Document results/overall risk assessment conclusions
      2.5.2 Prioritize risk areas
      2.5.3 Validate with Management
  Stage 3: Prepare Annual IT Audit Plan
    Introduction
    Summary of Stage 3 Activities
    Summary of Stage 3 Deliverables
    Stage 3 Activities
      Activity 3.1 Understand Management's Expectations Regarding Risk Coverage
      Activity 3.2 Prioritize Audits
      Activity 3.3 Understand Engagement Economics
      Activity 3.4 Agree Audit Plan
  Stage 4: Execute Audit Plan
    Introduction
    Summary of Stage 4 Activities
    Summary of Stage 4 Deliverables
    Stage 4 Activities
      Activity 4.1 Scope the IT audit project
      Activity 4.2 Understand the IT audit areas
      Activity 4.3 Identify and Assess Risk
      Activity 4.4 Control Identification and Evaluation
      Activity 4.5 Design Testing Strategy and Perform Tests
      Activity 4.6 Conclude and Report
  Stage 5: Communicate Results
    Introduction
    Summary of Stage 5 Work Activities
    Stage 5 Activities
      Activity 5.1 Understand Communication Protocols
      Activity 5.2 Prepare for Executive Management/Audit Committee Meetings
      Activity 5.3 Communicate Results
      Activity 5.4 Complete the Relevant Quality Control Procedures
      Activity 5.5 Complete Billing Procedures

Appendix A
Appendix B
Appendix C
Appendix D
Appendix E
Appendix F
Appendix G

Confidential. All materials in this document are not to be distributed outside of Ernst & Young LLP without written approval.

1999 Ernst & Young LLP

All rights reserved. Ernst & Young is a registered trademark.

IT Internal Audit Services Overview

Overview

The primary purpose of this sales and methodology toolkit is to describe a consistent framework of procedures that we use to sell and deliver a business process focused approach to providing IT internal audit services. It is designed to provide a consistent value proposition and facilitate the effective and efficient delivery of high quality IT internal audit services to clients throughout the world.

This toolkit contains two major components: the Sales Process and the Service Delivery Methodology. The sales process contains key sales components related to the IT Internal Audit Services market, company targets, key individuals within the company to target, value propositions, critical success factors, key selling points related to our methodology, and single frames. Our Service Delivery Methodology contains five major stages, which include:

• Co-develop the client's expectations regarding our relationship. We also begin to understand the client's business, goals, objectives and strategies, as well as their objectives for the IT internal audit function (Stage 1).

• Conduct risk assessment by assisting client management responsible for the IT internal audit function in developing a risk assessment with respect to the company's processes and auditable units (e.g., location, division, etc.) (Stage 2).

• Prepare the annual IT audit plan, which is approved by client management responsible for the internal audit function, executive management and the Audit Committee (Stage 3).

• Execute the audit plan, as agreed with client management responsible for the IT internal audit function. We focus on evaluating the effectiveness of controls established by management to ensure that the selected processes achieve their financial reporting, operating and compliance objectives (Stage 4).

• Communicate the results of our work to client management responsible for the internal audit function, executive management and the Audit Committee (Stage 5).

The stages of our service delivery methodology are the logical framework that we, or our clients, would follow to deliver any IT Internal Audit Services. However, the nature of the engagement determines the extent to which the individual activities and worksteps are implemented. The scope of our IT internal audit services engagements may vary, from limited engagements to perform a single IT internal audit project on a teaming basis, to more comprehensive IT internal audit outsourcing engagements. Because of the variety in IT internal audit engagements, the procedures described in this document are not intended to be a one-size-fits-all, prescriptive methodology. These procedures are most applicable to our on-going teaming and outsourcing engagements. However, our overall methodology framework, as outlined in this toolkit, should be followed on a go-forward basis. Maintaining a common language and process will drive consistency, productivity, and an improved knowledge management structure. In situations where we perform smaller engagements, our teams should still consider the value of completing each stage and activity, even if abbreviated, to ensure high quality and high value to our client.

Practice Management Policies and Procedures

While we have a certain amount of flexibility in determining the specific procedures we perform during an IT internal audit services engagement, we must adhere to certain professional and firm standards when providing IT internal audit services. The ISAAS Policies and Procedures Workbench and the Internal Audit Services Policies and Procedures Manual describe our practice management policies and procedures for providing IT internal audit services. The policies and procedures describe, among other things, our policies for:

• Client and engagement acceptance and engagement letters (Letters of Understanding),
• Independence matters,
• Working papers and our documentation requirements,
• Responsibilities for review of IT internal audit working papers,
• Communicating the results of our work and providing for appropriate follow-up, and
• Responsibilities for reviewing IT internal audit reports prior to issuance.

Integrated Audit Considerations

Many of our IT internal audit outsourcing and IAS engagements are part of an Integrated Audit. In an integrated audit, our internal audit procedures are an extension of our external audit arrangement. Therefore, portions of the IT internal audit work may be performed for, and relied on by, those performing the external audit. In these situations we, as well as our clients, derive benefits from coordinating our internal and external audit efforts. When we are performing integrated audits, we discuss internal audit and external audit integration requirements with the coordinating partner and other engagement team members, as appropriate, in Stage 1 - Co-Develop Expectations. We also refer to applicable portions of the Ernst & Young LLP Audit Process (Audit Process) for additional guidance. See Appendix B-1 for more detailed information on the applicable portions of the Audit Process.

Program Sponsors and Resources

For additional information regarding this service, please contact:

ISAAS Sales / ISAAS Methodology:

Jamie Ross (ISAAS Program Coordinator), Phone (216) 861-2297, EY COM 3297677, Cleveland (listed under both ISAAS Sales and ISAAS Methodology)
Scott L. Miller (ISAAS MSE), Phone (216) 583-4915, EY COM 2576455, Cleveland
Jerry DeVault (National Director of ISAAS Assurance Services and Program Sponsor), Phone (216) 861-2214, EY COM 3953308, Cleveland

IAS Sales / IAS Methodology:

Tom Sliwinski (IAS Sales), Phone (216) 583-3865, EY COMM 2887549, Cleveland
Sam Johnson (IAS Operations), Phone (216) 737-1680, EY COMM 2575648, Cleveland

IT Internal Audit Services Sales Process

Overview

The internal audit environment, especially IT internal audit, is changing. In addition to traditional attest and compliance functions, internal audit departments are being challenged to provide more value to the business. Management is demanding an audit function that reduces risk, creates cost efficiencies, and continually delivers increased value to the company's stakeholders. A world class audit function is being recognized as a valuable and strategic corporate asset.

However, the investments required to build and maintain an effective audit function are growing exponentially, especially in the areas of technology, knowledge, and people. At the same time, domestic and international growth, mergers and acquisitions, increasingly complicated transactions, and significant information technology changes have created more complex companies with different, and in many cases higher, risk profiles than in the past. Internal audit departments have difficulty keeping pace with these developments because of staffing and budget constraints.

Insight from the internal audit marketplace indicates that most companies have not invested in the required IT audit human resources and other critical investments (e.g., knowledge, technology, training, etc.) to adequately cover their key business and information risks. These companies are also finding it difficult to invest in subject matter expertise, audit methodologies, technology, tools and training to cover the organization's risk areas.

Our E&Y IT Internal Audit Services (IT IAS) are designed to either partially team with or fully outsource a company's IT internal audit function by providing:

• More effective and efficient IT risk assessment, and/or
• Supplemental IT internal audit testing related to significant information systems risks not currently being covered.

We can go to market with E&Y Internal Audit Services (IAS) or work the client direct channel (e.g., Director of Internal Audit).

Service Delivery Methodology

Our basic methodology involves a five step process. A high-level overview of this methodology follows. Additional detail is available in Section 3, Service Delivery Methodology.

• Co-develop Expectations With Client: We listen and learn about our client's business goals, objectives and strategy. This critical step helps us to understand the business and ensure we apply our resources in the right areas. Also, we co-develop expectations with the client to serve as the foundation for our working relationship.

• Conduct Risk Assessment: Our business process oriented IT risk assessment begins with understanding the key business processes and how IT resources (i.e., applications, operating systems, hardware, data, people and facilities) and processes support and enable the business.

• Prepare Annual IT Audit Plan: The plan is responsive to the risk assessment and business needs, and is submitted for approval by client management responsible for the internal audit function, executive management and the audit committee.

• Execute Audit Plan: We focus on evaluating the effectiveness of controls established by management to ensure that the selected processes achieve their financial reporting, operating and compliance objectives. In addition, we make recommendations for improvement based on what we learned.

• Communicate Results: We communicate the results of our work to client management responsible for the internal audit function, executive management and the audit committee.

Our Value Proposition

As previously noted, expectations of internal audit functions are changing. Enterprise and IT management expect internal audit functions to provide more consultative, or value-added, recommendations while also expanding their risk coverage, particularly in IT related issues, where even IT management has difficulty keeping up with the pace of technology.

Such dramatic changes in the internal audit function's charter and culture require significant investments in people, knowledge, technology and methodologies. However, internal audit is also expected to make these transformations while maintaining, or even reducing, costs. Most companies are finding it extremely difficult to meet these challenges.

For example, the task of finding and keeping the appropriate resources is, itself, exhausting. Experienced and qualified IT auditors are extremely difficult, and expensive, to recruit and retain. In addition, most companies operate on multiple platforms, applications, locations, etc. Most IT internal audit functions cannot afford to recruit the number of individuals necessary to adequately evaluate risk. Beyond recruiting resources, many organizations do not have the resources to invest in knowledge, technology and methodologies or the infrastructure to support or maintain them.

Our IT Internal Audit Services are designed to assist our clients in better aligning their IT internal audit coverage with their key business risks. Through our investments in people, knowledge, technology and methodologies, we can assist our clients in accelerating to world-class expectations. Specifically, we can provide them:

• More business insight from the IT perspective: we leverage the knowledge and experience of thousands of global IT risk professionals to provide our clients with strategic and operationally focused recommendations in the areas of IT risk management and technology enablement. We help accelerate a comprehensive improvement agenda which cuts the time from assessment to solution dramatically.

• More comprehensive risk coverage: our business process oriented IT Risk Assessment focuses our technology specialists on the areas most important to your business. We team with the client to develop a risk approach for the key IT areas and assign professionals with appropriate industry experience and deep technology skills to create an innovative assessment and testing solution.

• Operate more efficiently: using our people, state-of-the-art tools, technology, and knowledge resources, your IT risks are assessed, tested and communicated to management in a timely and comprehensive manner. Together with the client, we focus on the process of designing an efficient and effective world-class internal audit function, while meeting management's growing expectations.

    Target Market for IT Internal Audit Services

    The primary goal for our IT Internal Audit Service offering is to grow to $40 million inrevenue by the year 2002. Much of this revenue is expected to be recurring. Thisincludes both engagements where we team with IAS and engagements where we provideIT internal audit services independent of an IAS relationship.

    Our focus is on targeting relatively large internal audit functions that are struggling tobuild world-class IT audit capabilities. A critical success factor is being able to clearlyarticulate current gaps in IT risk coverage and to effectively position E&Y to assist ourclients with improvement opportunities.

    Identifying Companies to Target

    Because larger engagements tend to be more profitable and we want to focus ourinvestment in the sales process, we concentrate on targets where we think that there ispotential for significant fees on an annual basis. (i.e., at least $250,000 per year) Factorsto consider when identifying IT IAS targets include:

    Annual Revenues - although companies have different requirements for an internalaudit function based on size, industry and regulatory requirements, experienceshows that companies start building internal audit functions when they reach $250- $500 million in revenue. Therefore, in order to focus on larger opportunities, aguideline for potential targets would start at $1 billion in annual revenues.

    History of Outsourcing - some companies have a history, or pre-disposition, tooutsourcing non-core competencies to third parties, while other companies areextremely opposed to outsourcing any services. In order to optimize our salesefforts, we want to focus on companies that are open to teaming opportunities andavoid targets who we know are opposed to using outside assistance.

    Recruiting Difficulties - while many companies recognize the value of an IT audit function, or are striving to build a world-class audit function, they experience significant difficulty with recruiting IT internal audit candidates. This may be related to their industry, geographic location or strategic vision for internal audit.

    2-4

    Sales Process

    Target Industries

    Initial considerations for the primary industries to target should include:

    An industry that is designated a national priority industry group - the best target industries include:

    Consumer Products
    Telecommunications, computers and electronics
    Energy
    Financial services
    Insurance
    Healthcare

    Whether business process models have been developed by the National Assurance Support Center and our firmwide practice has industry SMEs.

    Industries that have typically made investments in internal audit departments. FSI and Insurance have historically made the largest investments in internal audit functions. However, these two industries also present the most significant independence and regulatory challenges.

    Targeting Best Practices

    Many areas conduct periodic (e.g., weekly) meetings to review ISAAS and IAS pursuits and share information. The topics for discussion may include:

    Brainstorming on pursuit strategy to determine how to best position E&Y to win
    Review of IT needs on current pursuits
    Re-evaluating lost pursuits to discover themes for the future
    Re-examining stalled or lost IAS pursuits to determine if there is an opportunity for IT audit services
    Replicating winning strategies from other areas

    We should be proactively working with IAS to manage our pipeline together. The IAS client pursuit list can be found in the AABS IAS V6 PowerPack on the KnowledgeWeb. See below:

    Internal Audit Services PowerPack:

    Document Title: United States IAS Client List & Engagement Information

    Author/Contact Person: Barbara R. Bandera

    Source: National Internal Audit Services

    Date Published: May 1999

    Keywords: Client References, Engagement Information, Fortune 500

    Originating Country: United States

    File Attachment: IAS clients May99 with Fortune.xls


    Client Targeting

    We have segmented the target market into components: AABS audit clients and non-audit clients versus IAS targets and non-IAS targets.

                                   AABS Audit Client                  Non-AABS Audit Client
    High-potential IAS Target      Top priority - Hot opportunity     Warm opportunity
                                   Leverage IAS and AABS              Leverage IAS knowledge
                                   knowledge and relationships        and relationships
    Low-potential IAS Target /     Warm opportunity for ISAAS         Cold opportunity
    ISAAS-only Target              Leverage AABS relationships        START initiatives

    AUDIT CLIENT BASE

    Because we already have key relationships established with these clients, these clients should be our initial targets. The audit client base spends an estimated $3 billion annually on their internal audit functions (IT, financial and compliance). We should focus on clients who are trying to build their IT internal audit capabilities, or clients that view IT internal audit as strategic to their organizations. Our experience indicates we have a higher success rate with current AABS clients. Targeting our own AABS clients also helps to alleviate the potential threat of our competitors gaining a strategic foothold into our client base through the internal audit department.

    NON-AUDIT CLIENT TARGETS

    Ernst & Young may be at a disadvantage with non-clients because of the incumbent auditor. However, some client boards are not willing to outsource or team with the independent auditor. Therefore, it is important to understand the competitive situation prior to spending a significant amount of time or resources on non-clients.

    Our non-audit client targets should be large, strategic targets or companies that have an interest in significant outsourcing or teaming for IT internal audit services. Again, where our IAS practice already has a relationship with a target, work closely with them to ensure that we are capitalizing on already existing relationships and that we are coordinating our development efforts.

    In addition, our competitive position should be considered. Refer to the competitive assessment section for additional information.

    IAS TARGETS

    In many cases, our IAS practice may already be in discussions regarding a teaming or outsourcing opportunity with a target. Where the IAS practice has built a relationship, we should work closely with them to ensure that we are capitalizing on the relationship and that we are coordinating our business development efforts.

    Your area should closely link with IAS. Our experience indicates we have the most success when we work together with IAS.

    NON-IAS TARGETS

    There are opportunities in this segment, but these opportunities will be for teaming on IT IAS only.


    Triggering Events

    In addition to targeting specific companies and industries, we also target based on key triggering events. The following table highlights some common triggering events that may be used to generate leads:

    Triggering Event: Turnover among key members of the buying group (e.g., CFO, Director of Internal Audit)
    Questions: Do you have a solid understanding about your audit function's IT capabilities? Are you satisfied with internal audit's performance and capabilities related to IT risks?
    What to look for: Willingness to take a non-traditional approach. Interest in changing the status quo.

    Triggering Event: New Technologies - the implementation of new technologies such as ERP applications, electronic commerce, and enterprise systems management solutions
    Questions: How are you considering the risks and designing the controls associated with new ERP, eC or ESM investments?
    What to look for: Difficulty addressing new technology risks. (Even world-class internal audit functions have difficulty developing the skill sets and tools necessary to address them adequately.)

    Triggering Event: Significant Business Changes - some companies may have difficulty covering risk where there have been significant changes in the business, such as acquisitions, global expansion, new business segments, consolidations, etc.
    Questions: How is the internal audit function responding to recent changes in your business (or are there any pending)?
    What to look for: IT internal audit functions may have difficulty keeping pace with the risks associated with major business changes.


    Making The Sale

    Identifying Whom in the Company to Target for IT Teaming Services

    In general, we target the Director of Internal Audit or the executive to whom the IT internal audit function reports.

    Where we are pursuing IAS opportunities, we should also target the CFO or the executive to whom the internal audit function reports. If we are teaming with IAS and have a relationship with the internal audit director, we should proactively communicate with the internal audit director in order to maintain our IT Teaming opportunities if IAS outsourcing is not elected.

    Buyer Profiles

    We often need to sell to several different stakeholders in order to successfully secure an IT audit services win. The significant stakeholders in an IT internal audit pursuit are typically:

    Director of Internal Audit
    CFO
    Audit Committee
    CIO

    Each one of these stakeholders should be viewed as potentially requiring a separate process that requires the full attention and focus of the pursuit team. Each buyer may view the benefits of IT audit teaming from a different perspective. As a result, we may need to position our value proposition differently depending on the audience.

    DIRECTOR OF INTERNAL AUDIT

    Position Analysis:

    Interested in understanding the potential positive and negative implications on their department

    Wants to know exactly what value E&Y will bring to a team effort and how this will make the internal audit function world-class

    Depending on the situation, the Director of Internal Audit may feel threatened. For example, they may feel the prospect of supplementing or outsourcing the IT audit function is an indicator they are not performing well. It is critical to assess this issue quickly and develop our sales strategy accordingly.

    If the DIA is a progressive thinker, understands the need to team to take the company's internal audit to the next level, and is striving to make continuous improvement in the company's internal audit function, then the DIA will play a key role in the sales process. In this situation, the pursuit would initially focus on the DIA and progress to the CFO with the DIA playing the role of advocate and coach.


    If the DIA is supported by company management but is a fairly traditional thinker and is resistant to the concept of Ernst & Young teaming/outsourcing, then the DIA should be included in the sales process but should not be the initial focus of the pursuit. In this case, the pursuit would focus on the CFO and progress to the DIA with the CFO playing the role of advocate and coach.

    If the internal audit function is considered by company management to be sub-par and in need of improvement and the DIA is part of the problem, then the DIA should not be included in the sales process. The pursuit would focus on the CFO or others as the key buyer.

    Sales Profile:

    Buyer - The Director of Internal Audit is usually the buyer of incremental internal audit investments. May have the budget to buy without approval, but usually requires approval from the CFO.
    Sponsor - if progressive, often sponsors IT IAS services.
    Likely to be an active member in the decision process.

    CHIEF FINANCIAL OFFICER

    Position Analysis:

    Wants to be comfortable with the investment and will expect a financial analysis to justify the decision
    Wants to understand what additional value our services will deliver
    Coordination with business strategy is a priority - wants to know how internal audit capabilities fit into the execution of the business strategy
    Has access to funding and the authority to spend the funding

    Sales Profile:

    Approver or Buyer - the person usually making the ultimate buy decision.
    May be sponsor if the Director of Internal Audit is not progressive.
    Likely to be an active member in the decision process.

    It is also useful to understand what the CFO's top IT concerns are. A summary of top CFO IT concerns is presented below:

    CFOs' Top IT Management Issues

    Prioritizing technology investments
    Establishing and maintaining an effective dialog between IS and users
    Ensuring year 2000 systems compliance
    Identifying the appropriate level of technology investment
    Upgrading/replacing legacy systems
    Identifying how IT can improve or influence business processes
    Maintaining effective, productive relationships with the IS function
    Using technology to drive business change
    Determining when and how to adopt emerging technologies
    Educating top management on the value of technology
    Evaluating/measuring the return on technology investments

    Source: IT and the Bottom Line, CIO Magazine, June 15, 1998


    AUDIT COMMITTEE

    Position Analysis:

    In general, we have less frequent opportunity to interact with audit committee members. When we do, it's important to recognize their interests lie in three fundamental areas:

    Assessing the processes related to the company's risks and control environment
    Overseeing financial reporting
    Evaluating the internal and external audit processes

    Any contact with the audit committee should focus on addressing one of the three areas above. IT internal audit services can address all three and should be discussed within this context.

    Sales Profile:

    Approver - based on the recommendation of the CFO and/or DIA.
    Not likely to be active members of the decision process.

    CHIEF INFORMATION OFFICER

    Position Analysis:

    This may be our most difficult buyer. CIOs may not be as interested in internal audit capabilities.

    The CIO may not want to be audited.
    They have access to funding.

    Sales Profile:

    Influencer - Should not be left out of the process because they can influence the outcome.

    Co-developer - they will often need to be active in developing our IT risk assessment plans and providing access to resources to carry out these plans.


    Entry Strategies

    Once we identify the key buyer(s), our entry strategy may vary, as discussed below.

    When: AABS Client (or CS, Tax) - Hot Opportunity
    Initial Contact: Director of IA or CFO via ISAAS and/or Engagement Partner to Client
    E&Y Resource: ISAAS SE, AABS Partner, Area AS Leader, Area IT Internal Audit Champion
    Emphasize: Relationship; quality of work; IT internal audit teaming value proposition; our investments in IT internal audit people, technology, methodology and knowledge

    When: Non-client IAS Target - Warm Opportunity
    Initial Contact: Leverage IAS knowledge and relationship
    E&Y Resource: ISAAS SE, IAS Pursuit Partner, Area AS Leader, Area IT Internal Audit Champion
    Emphasize: IT internal audit teaming value proposition; our investments in IT internal audit people, technology, methodology and knowledge

    When: No prior relationship - Cold Opportunity
    Initial Contact: START Center
    E&Y Resource: ISAAS SE, Area AS Leader, Area IT Internal Audit Champion
    Emphasize: IT internal audit teaming value proposition; our investments in IT internal audit people, technology, methodology and knowledge

    Service Pricing Guidelines

    Fees for our IT internal audit teaming service will vary based on several variables:

    Relative complexity of environment
    Skill of client employees
    Number of client locations
    Number of business processes
    In cases where we are part of a larger IAS engagement, the mix of IT to traditional audit should be considered
    Other factors

    An objective of our sales program is to establish IT internal audit teaming as a complementary offering to IAS offerings and as a stand-alone service offering, not as a loss-leader or an add-on service to be discounted to our clients. We believe the market for these services is very large and there is great demand for those capable of delivering the highest quality service. Our typical fees are outlined below:

                      Risk Assessment          Execute Audit Plan
    Fee Range:        $50,000 - $250,000       $100,000 - $2,000,000
    Typical Fee:      $100,000                 $300,000


    These fees are based on our experience to date and vary widely within this range. Our goal is to build these engagements into larger, profitable annuity projects. Because we are able to leverage the skill sets and resources that our clients cannot, or do not, want to invest in, we should be basing our fees on the value we deliver, not on the number of hours or rate per hour. Therefore, when proposing fees, we should avoid quoting or committing to a certain number of hours for a fixed fee.

    Best practice is to quote a fixed fee for a level of risk coverage or a percentage of standard based on the actual effort to complete the co-development audit plan. Generally, our target realization should be 70%. This realization, combined with our standard rates, results in a business that is very profitable. Recent wins and current pursuits confirm this strategy.


    IT Internal Audit Services Sales Process

    Overview

    The sales process is a multi-step methodology that begins with a brief qualifying call and ends with a letter of understanding. The steps in between may vary from client to client, but typically include an expanded meeting on Ernst & Young's IT internal audit and IAS capabilities and either a co-development session, or a discussion regarding a specific project. Detailed goals for each of these meetings along with a description of tools available to support these meetings are described in the section below.

    IT Internal Audit Services Sales Process (flow diagram): Qualifying Call -> Expanded Capabilities Call -> Co-Develop Vision & Needs / Specific Projects -> Proposal (If Necessary) -> L.O.U.

    The Qualifying Call

    Goals/Objective of Meeting

    There are three main goals for this meeting:

    Qualify: Qualify the lead by answering several questions:
    Does the client opportunity warrant the effort of a pursuit?
    What is the potential for success?
    Is the client contact the appropriate buyer?
    Are they adequately addressing IT risks?
    Do they view internal audit as a strategic function?
    Have they worked with consultants, third parties, outsourcers in the past?
    What is internal audit's mission (e.g., compliance/value add/leadership development focus)?


    Credentialize: Demonstrate some of our potential value to familiarize the prospect with our capabilities.

    Next Step Commitment: Get another meeting to discuss our capabilities in detail or start with a co-development session. The next step will often involve additional people from the client and E&Y. Determine the appropriate attendees, content to cover and aggressively set a date for the meeting.

    The initial call is typically no longer than 30-60 minutes, but will vary depending on the relationship with the target. For example, for an AABS client we might have a longer meeting which combines elements of the extended capabilities call or a co-development session. We do not share all our information with the client at this initial meeting, or we won't have a legitimate reason to follow up. Remember, the goals are to qualify, credentialize and determine next steps. We will typically not close on the first call.

    Pre-Meeting Preparation: You will want to perform research on the company and industry prior to making contact. You should use, at minimum, the resources of the ASC and the CBK and contact the appropriate coordinating or client partner. Other resources include the target's annual report, website, D&B reports, etc.

    Agenda/Structure: There are three major segments to cover:

    Introduction and qualifying
    Credentialize - Briefly review E&Y capabilities
    Determine next steps

    Introduction and Qualifying Script and probing questions (customize and use as appropriate)

    We appreciate the opportunity to share our investments and capabilities in IT internal auditing, but before we get into that, would you spend a few moments to:
    give me an understanding of the current internal audit capabilities - number of staff and key skills;
    give me a quick overview of your IT internal audit function today - capabilities and skill sets.

    Current organizational changes - How have industry / company changes affected / impacted your department - what challenges have they presented? (Need to have done research to demonstrate that you have a high-level understanding and insight of the company and its industry.)

    Is the company implementing any new technologies (e.g., eC, ERP, ESM)? How are you addressing the associated risk? What have been your challenges?

    What is internal audit's charter? What does management expect of you? What is the focus / priorities of internal audit (compliance, value, leadership development)?

    How are you performing against your charter? How do you measure success?
    What are your most significant challenges?
    How do you currently assess your business risks?
    How do you determine and assess IT risks as they relate to your business? What is your current risk assessment framework?
    How do you prioritize your areas for review?
    What are your priorities and projects for this year? Are you going to achieve your targets?


    Credentialize

    Brief review of E&Y capabilities.

    Use a maximum of 5-7 slides. The goal of the IT Internal Audit Services presentation is to create a dialogue between Ernst & Young and the potential project sponsor to solicit and identify needs and issues. We intend this discussion to provide the client with an opportunity to discuss some of the issues and concerns they have with how their IT internal auditors are assessing risks for the business.

    An example of Qualifying Call singleframes is included in the appendix. We should not expect the client to be able to understand the singleframes without our talking points. We should use the singleframes as discussion guides. We should walk the client through the ideas that are illustrated in the singleframes to solicit their feedback and hear them talk about their concerns. Our ability to listen and learn the organization's needs will enhance our ability to deliver on expectations.

    Use the Expectations are Changing slide, which can be customized for their business environment

    Challenges & Investments - customize for IT internal audit
    Qualifications slide - key points to sell about E&Y IT internal audit services
    Client list
    Service & Support Capabilities
    Global Capabilities

    Determine Next Steps

    Assess interest - We have had a chance to discuss some of your needs and our capabilities. Based on this information, would you be interested in continuing these discussions? Perhaps with a larger audience?

    Determine the next logical step. Our goal is a co-development session. What we have found to work well is to have the key stakeholders participate in co-development of the solution. This typically includes the Director of Internal Audit, CFO, CIO (potentially), and key existing IT internal audit managers (for teaming scenarios).

    Alternatively, we can suggest the Expanded Capabilities Call (see below) if they want more information.

    Discuss the possibility of a test drive or SMEs for specific projects highlighted by the client.


    The Expanded Capabilities Call

    Goals/Objective of Meeting

    Our goal is to demonstrate our skill sets and value propositions and to get agreement to move on to next steps: co-development session or special project assistance.

    Pre-Meeting Preparation: Based on what you have learned from the Qualifying Call, structure a meeting to address the client's primary concerns and interests. You will want to customize the singleframe presentation and talking points to highlight client issues.

    Agenda / Structure:

    Script

    Recap information from the previous discussion and what we learned about client needs / concerns, updating new players in the meeting on the previous meeting: This is what we heard, is that valid? Have we missed anything? This is what we are going to cover. Does this meet your expectation for this meeting? (Note: This is not a co-development session - this is setting the stage for why we are having the expanded capabilities call.) This should only confirm the expectations we developed with the meeting sponsor beforehand.

    Go through the Agenda for the meeting. Include key slides from the 30 minute qualifying call to bring any additional participants to a common level of understanding.

    An example of The Expanded Capabilities Call along with talking points is included in the appendix.

    Use the Barrier slide as lead-in, but customize for client-specific issues and terminology. You may consider using the Gap slide to summarize our investments; however, the Barrier and the Gap slides need to be made consistent.

    Stress our flexible approach to developing solutions.
    Highlight IT risk assessment approach, people, tools, methodologies, knowledge.

    Determine Next Steps

    Assess interest - We have had a chance to discuss some of your needs, our capabilities and solutions. Based on this information, would you be interested in moving closer to a solution? Who should be involved in this decision?

    Determine the next logical step. The goal is a co-development session. What we have found to work well is to have the key stakeholders participate in the co-development of the solution - Director of Internal Audit, CFO, CIO (potentially), key IT internal audit managers (for teaming scenarios).


    The Co-Development Meeting:

    Goals/Objective of Meeting

    The goal is to discover and define client expectations for a relationship and to align E&Y service delivery with these client needs. When you get to this step in the sales process, you will have a well qualified prospect that is far along the sales cycle. This step in the sales methodology actually overlaps with the service delivery process. When conducting a co-development session, you are actually starting the first step of service delivery and providing value to the client.

    Pre-Meeting Preparation: A productive co-development session requires a half day and involves several hard-to-reach client personnel including the Director of Internal Audit, CFO, CIO and other key client members. Because of the time commitment on the part of the client, a commitment to hold the session should be viewed as a serious buying signal.

    Prepare for the co-development meeting as though this is the beginning of our engagement. E&Y attendees should include the coordinating partner, the relationship manager, the sales executive and other key members of the pursuit team/future engagement team.

    Rules of Thumb for Co-Development

    Not a presentation
    Share rather than tell
    Demonstrate teamwork
    Never contradict each other
    Let the client talk
    Arrive on time and stay until the end
    Do not appear to check out after your component is complete
    Be careful of references
    Challenge, do not confront
    Have fun

    For additional information on client co-development sessions, refer to the IT IAS Delivery Methodology section of this document.

    Agenda/Structure

    The basic agenda for the meeting is as follows:

    Co-develop relationship objectives
    Establish relationship protocols
    Understand business goals and objectives
    Understand business strategies and risks
    Develop action plan


    Presentation and Talking Points

    The singleframes presentation for this is included in the appendix.

    Determine Next Steps:

    Trial Close - We want to team with you to become your IT internal audit provider. Based on the co-development action plan, are you interested in having us submit a letter of understanding (or a proposal) for you to consider?

    Our goal is NO PROPOSAL. If the client is not ready for a letter of understanding, set minimum expectations for a proposal document. Determine the next logical step - Proposal and / or LOU.

    Other Steps

    Specific Projects

    During our discussions, it may become apparent that the client is not interested in a large teaming engagement or outsourcing their IT internal audit function. However, they may want help from Ernst & Young with a specific project. In these instances, we should respond appropriately with a targeted LOU or proposal for the work. These proposals should be treated seriously - they may be a trial run to consider Ernst & Young for later work.

    Proposal

    An example Proposal is included in the appendix.

    Letter of Understanding

    An example LOU is included in the appendix.

    Competitive Assessment

    Ernst & Young:

    World-class people, methodology, knowledge management, technology and tools
    Fastest growing internal audit practice
    Leadership - emerging as the leader in internal audit services

    PricewaterhouseCoopers:

    Has become our strongest IT internal audit competitor to date
    Much of their technology investments have come from Coopers & Lybrand
    Broad cross-selling with IAS equivalent
    Global capabilities with a strong FSI practice
    Focus is on large, blue-chip, global clients
    Portray Ernst & Young as a loose confederation of franchisees rather than global
    Willing to price aggressively for strategic targets
    Solid growth


    Arthur Andersen:

    Solid competitor - initial market pioneer
    Initial approach to outsourcing was not favorable to Internal Audit Director
    Focus on both teaming and outsourcing
    Integrated risk management framework
    Global Best Practices Database
    Highly leveraged staffing model
    Aggressive pricing in competitive situations
    Strong market recognition
    Solid growth

    Deloitte & Touche:

    Co-sourcing focus for overall internal audit - has been a losing strategy. D&T is shifting to outsourcing
    Strong Director of Internal Audit relationships because of co-sourcing strategy
    Strong Retail industry practice
    Low growth

    KPMG:

    Insignificant competitor - little strategic direction
    Still in start-up mode
    Few competitive advantages - they compete primarily on relationships
    Defensive position, only compete on their clients


    Frequently Asked Questions and Common Objections

    What about your Independence?

    Independence is an issue for both internal and external auditors. In our teaming approach, management and the Director of Internal Audit remain responsible for approving the risk assessment, audit plan, and internal audit program. We help execute the risk assessment and audit plan. This separation ensures that independence is preserved.

    It is not uncommon for a company's external auditor to also assist in the execution of internal audit procedures. Ernst & Young assists many clients, including publicly traded companies, in this area. In fact, approximately 70% of companies who have fully outsourced their internal audit function or are teaming have done so with their external auditor. Acknowledging this trend and the SEC's interest in this area, the AICPA issued an ethics interpretation in May 1996 specifying that these services can be performed by a company's external auditor without impairing independence. We adhere strictly to AICPA rules governing external auditor independence, which state that:

    The performance of extended audit services which include assistance in the performance of the client's internal audit activities would not be considered to impair independence with respect to a client for which the member also performs a service requiring independence, so long as the member or his or her firm does not appear to act in a capacity equivalent to a member of client management or as an employee.

    The key requirements of these rules include:

    The Company must designate an individual to be responsible for performing management functions (e.g., approving the audit scope, evaluating the audit results, etc.).

    The Company must maintain the internal control structure.
    The Company must approve the internal audit program and related risk analysis.
    The Company must evaluate the results of internal audit activities.

    To maintain independence, the Ernst & Young internal audit staff will report directly to the Director of Internal Audit. As a result, any issues that arise as a result of our audit procedures will be directed to the Director of Internal Audit for follow-up and disposition.

    In some cases, a client may be concerned that E&Y internal audit staff will share findings with E&Y external auditors before management has a chance to address them. An appropriate solution is to set up a robust process (e.g., a firewall) that ensures potential issues affecting our external audit are discussed with management before being communicated to the external audit team.

    We use Internal Audit as a Training Ground for Leadership. How does that Impact that Mission?

    The experience that internal audit provides is invaluable as a skill to help build a solid understanding of business. In some pursuit situations, the client may use the internal audit function as a training ground for future company leaders. This kind of client is not likely to outsource their entire internal audit function.


    To overcome this objection, do not push for full outsourcing of the internal audit function. Rather, we should stress two important client benefits of working with Ernst & Young:

    Teaming opportunities - This is an excellent chance to stress the benefits of a teaming arrangement. By working with Ernst & Young, the future leaders can help analyze and understand the client's strengths and weaknesses and team with us to address these weaknesses. This has the effect of making their internal audit an even stronger grooming ground for the client's high-potential managers.

    Knowledge Transfer - We will transfer our knowledge to the client through hands-on work with our people, methodologies, technology and tools. This also has theeffect of making their internal audit a stronger function and their future leadersmore valuable.

You Don't Understand Our Business in Enough Detail

In some pursuits, the client will be concerned that Ernst & Young does not have a sufficiently detailed understanding of their business. We have several responses to this objection, including:

ASC - The Ernst & Young Assurance Support Center generates in-depth client and industry research. Comprised of more than 50 partners and senior managers who are thought leaders in their particular industries, the ASC works closely with audit teams in the field to build and deploy industry knowledge, business process risk models and benchmarking data, along with leading-practice IT internal audit approaches and techniques. Over 50 industry segments are supported by the ASC.

Process Models - Ernst & Young has developed process models for most major industry segments. The leading-practice knowledge and understanding incorporated in these models may help provide value to the company by uncovering opportunities for improvement.

Relationship Manager - The client relationship manager is a critical part of our service delivery methodology. This individual is responsible for transferring business insight and client needs to the Ernst & Young work team. The relationship manager is a senior executive who has a strong industry background and a thorough understanding of the client's business.

Stable Core Team - Our philosophy on staffing is to select a core team to serve our clients and manage the engagement on an ongoing basis. This allows us to develop in-depth knowledge of the business and relationships within the company, in addition to bringing them more specialized skill sets on a just-in-time basis. We assemble the best possible team, based on skills and experience, to conduct our engagement in an effective and efficient manner.

Co-Develop Expectations - Finally, one of our strongest responses to this question is to co-develop expectations with the client. We will assemble the core team and other resources based on the jointly defined expectations. The purpose of this step in the process is to make sure the client gets what they expect. If part of the expectation is that we understand their business (as is typically the case), Ernst & Young will make certain this expectation is met.


    Success Stories

    Aon

Company Background: Our client is a holding company composed of commercial insurance brokerage and consulting, and consumer underwriting companies. With 1997 annual revenue of approximately $5.8 billion and offices in more than 100 countries, the client is a world leader in insurance and consulting services. The Company is a current Audit, Tax and Consulting client.

Client Business Issue: The client maintained IT audit staff in Chicago, London and Rotterdam. The client experienced rapid turnover in the IT Audit group globally. The client has also been relying increasingly on new technologies, including PeopleSoft and various eCommerce applications. They found it difficult to get proper audit coverage as they could not attract and retain skilled IT audit staff. Additionally, the IT environment was changing so rapidly that it was becoming cost prohibitive to continually retrain the IT audit staff.

    Our Service Delivery Approach

1. Co-Developed Client Expectations: With the client, we developed an understanding of the risks in their industry, business and ongoing projects. Senior management preferred to have a single source responsible for the delivery of the IT audit service and asked us to coordinate IT audit activities globally from Chicago. As such, we worked from Chicago with the client IT Audit staff and appropriate EY ISAAS personnel in the UK and Rotterdam to develop a unified global IT audit plan.

2. Conducted Risk Assessment: We interviewed a dozen CIOs and other IT executives in the US to gain an understanding of projects in process and their areas of concern. This information was used as the base for a risk assessment matrix. A similar process was followed in the UK and Rotterdam.

3. Developed Annual IT Audit Plan: We developed an annual audit plan defining the different projects to perform during the year. This plan was approved by the Vice President Internal Audit and included all global projects. We are now completing the first year of the engagement, and have developed our second-year audit plan based on the updated risk assessments and submitted it to management for approval.

4. Executed the Annual Audit Plan: Because the engagement was so large, a team was assembled with an ISAAS manager assigned to each major business line and another manager acting as the account leader. The account leader is responsible for reviewing work programs and for ensuring quality delivery of service. Per the global IT audit schedule, individual audits are scheduled and performed by the ISAAS manager responsible for that area.

5. Communicated Results: We have a standing meeting every month to report US and Rotterdam results to the Vice President Internal Audit. We report status by project, including hours and fees incurred that month. Additionally, we have a video conference with the UK every month with the Vice President Internal Audit to discuss the status of the UK projects. Audit reports are issued in the standard client Internal Audit report format and are typically distributed to a wide variety of senior management.


Value Received by the Client

The client received higher quality risk coverage with a focus on its IT issues. We provided management with recommendations for improved controls and enhanced IT processes.

We identified several single points of failure (SPFs) that the client had not addressed, as part of a business continuity audit. The major finding in the review was that Business Continuity Planning (BCP) policies or standards did not exist. As the client had been growing through acquisition, and actively merging operations where possible, it had unknowingly introduced several SPFs into the environment. Our review caused the client to focus on its time-critical business processes and realize that it was vulnerable to disruption. Because of the lack of standards and policies, it is unlikely that management would have recognized this weakness without our assistance.

We identified IT security weaknesses in the UNIX, Windows NT, Oracle, Lotus Notes and dial-in environments as part of an IT security infrastructure audit. The main findings from this audit included weaknesses in the security policies, standards, and procedures. As these platforms were supporting mission-critical business processes, the client was risking the integrity, availability and confidentiality of its systems and data.

We provided detailed security enhancement suggestions for the PeopleSoft HRMS and Financials implementations. We also provided suggestions for process improvements related to the business processes associated with these implementations. The main findings from this audit were:

Weaknesses in System Security. Weaknesses noted in system security settings were so severe as to allow most individuals in the accounting department to modify current and prior-period data without leaving an audit trail. This weakness could potentially lead to an inability to balance accounts and close the books in a timely fashion.

Application Development and Change Control. The company was in the process of rolling out these applications to various other operating units. In order to support these operating units, additional complex modifications would be required. Without proper application development and change control procedures, the company created a risk that these modifications would be erroneous. This situation had the potential to create inaccurate financial information.

Restructuring of the Business Processes Supported by the Application. The various departments using these applications were still learning how the system operated. Hence, the lack of specific procedures created the risk that users would enter inaccurate or incomplete information into the system. This could potentially have a significant impact on the Company's ability to close the books and produce accurate financial reports.


    Novell

Company Background: Our client is a leading provider of network operating software enabled by directory services. Its Internet solutions make networks more manageable and secure, and reduce the total cost of ownership for organizations of every kind and size. The client also provides group collaboration software that links teams of users working on a project, as well as software that manages networked PCs from a central location. The company earns more than $1 billion in annual revenue and is an Ernst & Young audit client.

Client Business Issue: The client was performing less well than in earlier years and realized that it needed to look at every revenue opportunity. Together with the client's Internal Audit group, we uncovered a potential revenue assurance opportunity by collecting outstanding software licensing fees. Based on our existing methodology and global network, Ernst & Young ISAAS IT IAS was selected to coordinate and execute the software licensing audits.

Our Service Delivery Approach: Using our Royalty Audit methodology (Royalty audits for TCE companies, located in the national revenue program catalog), we audited licensees on behalf of the client using both domestic and international Ernst & Young resources. So far we have visited licensees in more than 30 different countries. The reviews were performed to ensure compliance with the agreement and reporting requirements of our client.

Value Received by the Client: To date we have recovered more than $16 million in outstanding licensing fees, providing a ten-to-one return on the client's investment. The client received increased value and assurance through a successfully managed and coordinated project that used a consistent methodology and controlled travel expenses by using our international network of professionals.

Based on our findings and recommendations, we are now involved with the client in a business process re-engineering project that will provide the following:

- Improved operating efficiencies by reducing administration costs associated with the license management life-cycle.
- Increased profits by identifying and implementing controls to better track revenue from active licenses.
- Improved customer satisfaction by improving the quality and consistency of the license management services.
- Improved understanding of license agreements by both licensor and licensee.
- Better structured agreements up front.
- Better reporting systems and processes to accurately report revenues.
- Timeliness of cash receipts.
- Reduced incidence and expense of royalty audits.
- Improved accuracy, timeliness and completeness of reporting.


IT Internal Audit Services Methodology

    Overview

Our IT Internal Audit Services methodology provides ISAAS professionals with guidance in performing IT Internal Audit Services. The methodology is intended to guide the process whereby we evaluate risk and control processes related to information systems.

The methodology is structured around five stages designed to focus on the client's risks, to generate value, and to assist us in performing our IT internal audit procedures in an effective and efficient manner. The following IT Internal Audit Services Project Routemap gives a description of the major stages and activities in the methodology:

IT Internal Audit Services Project Routemap
Major Stages & Activities with Deliverables*

Stage 1: Co-develop Expectations with Client
Activities:
- Understand the client's needs
- Understand the client's business at a high level
- Determine the scope of the engagement and risk assessment methodology
- Determine deliverables and obtain agreement from the client
- Develop fee estimation and define client billing procedures
Deliverables:
- Strategy Memorandum
- Fee estimation for risk assessment
- Letter of Understanding
- Client Assistance Listing
- Relationship and communication protocols
- Value Scorecard

Stage 2: Conduct Risk Assessment
Activities:
- Plan the risk assessment
- Understand the client's business goals, strategies, and critical success factors
- Develop understanding of the mega and major business processes
- Develop understanding of IT resources and related IT processes
- Validate our understanding of IT and risk
Deliverables:
- Summary of business goals, objectives and mega and major processes
- Summary of how IT supports the business
- High-level IT process documentation
- Risk Assessment

Stage 3: Prepare Annual IT Audit Plan
Activities:
- Understand management's audit coverage expectations
- Prioritize audits
- Understand engagement economics
- Agree audit plan with client
Deliverables:
- Plan of resources / skill sets needed
- Summary of areas to be audited
- Preliminary budget
- Preliminary timeline

Stage 4: Execute Audit Plan
Activities:
- Scope the IT audit project
- Understand the IT audit areas
- Identify and assess risks
- Identify and evaluate controls
- Design testing strategy and perform tests
- Conclude and report
Deliverables:
- Scope document
- Detailed project plans
- Detailed documentation
- Detailed findings and recommendations reports
- Client satisfaction feedback

Stage 5: Communicate Results
Activities:
- Understand communication protocols
- Prepare for meeting with Executive Management or Audit Committee
- Meet with Executive Management or Audit Committee
- Complete relevant quality control procedures
Deliverables:
- Summary reports to Executive Management or Audit Committee

* NOTE: In the original routemap graphic, internal deliverables are shown in italics; all others are external.

Privileged and Confidential. No part of this may be reproduced or transmitted without permission of Ernst & Young LLP.


The procedures in this document are not necessarily executed in a sequential fashion. While there is a natural order to performing the stages, activities and worksteps, and they are interdependent, we might not conduct the activities or procedures in a standard sequence. The following summarizes the processes defined in this document:

Stage 1 - Co-Develop Client Expectations: We co-develop and confirm the basis for our relationship with the client. We develop a mutual understanding of the scope of our IT internal audit services among client management responsible for the IT internal audit function, the client's executive management, the Audit Committee of the Board of Directors, and the engagement team(s) responsible for our internal and, as appropriate, external audit services. We co-develop expectations with the client in order to understand and document our relationship objectives and our relationship protocols. Additionally, we begin to understand the client's business goals, objectives, strategies, and risks.

Stage 2 - Conduct Risk Assessment: We assist client management responsible for the IT internal audit function in developing a risk assessment of the client's IT processes and the IT components supporting the business processes. The purpose of the risk assessment is to identify where significant IT risks exist, to assess the relative levels of risk, and to align the IT internal audit approach with the areas of the company that will provide an appropriate level of risk coverage. The risk assessment establishes risk priorities and forms the primary, but not the only, basis for the allocation of resources in the annual IT audit plan. Our risk approach is a flexible, business- and IT-process-focused methodology; see Appendix A for the detailed methodology blueprint. The risk assessment is reviewed and approved, at least annually, by the client's executive management and the Audit Committee.

Stage 3 - Develop Annual IT Audit Plan: We work with client management responsible for the IT internal audit function to develop the annual IT audit plan. The annual IT audit plan defines the individual projects to perform during the year along with an estimate of the total number of hours required for each project. In assisting with the development of the plan, we consider the total available hours for the overall engagement, the need for special management discretionary projects, and the number and mix of specialized resources required to perform each audit. The annual IT audit plan, which includes an outlook of projects to be performed on a rotating basis over a specified period of time (e.g., three years), is reviewed and approved by the client's executive management and the Audit Committee. It is updated as required, at a minimum yearly, to reflect significant changes in the client's risk profile that may result from changes in the organization structure, business operations, technology infrastructure and/or new products and services.
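The reasoning in Stage 2 and Stage 3 above (and the risk assessment matrix and annual plan steps of the Aon success story) can be made concrete. The following is an added worked example, not code from the toolkit or from Ernst & Young: a risk-ranked audit universe feeds an hours-constrained annual plan in which areas outside the rotation window are scheduled first, highest risk first, the remaining hours are allocated in risk order, and a share of the hours is held back for management's discretionary projects. The 1-5 likelihood and impact scale, the High/Medium/Low cut-offs, the three-year rotation rule, the 10% discretionary reserve and the sample audit universe are all assumptions constructed for the example.

```python
"""Risk-ranked audit universe and hours-constrained annual IT audit plan.

Added worked example; not part of the Ernst & Young toolkit. The scoring
scale, rating cut-offs, rotation rule and sample universe are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AuditArea:
    """One entry in the IT audit universe (an IT process or IT component)."""
    name: str
    likelihood: int                      # 1 (remote) .. 5 (almost certain); assumed scale
    impact: int                          # 1 (negligible) .. 5 (severe); assumed scale
    hours: int                           # estimated hours for one audit of this area
    last_audited: Optional[int] = None   # year of the last audit, None if never audited


def risk_score(area: AuditArea) -> int:
    """Likelihood x impact: the usual risk-matrix product (assumed scoring)."""
    return area.likelihood * area.impact


def risk_rating(score: int) -> str:
    """Band a score as High/Medium/Low; the cut-offs are assumptions."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def risk_assessment(areas: List[AuditArea]) -> List[Dict[str, object]]:
    """Stage 2 output: the audit universe ranked by risk, highest first."""
    ranked = sorted(areas, key=risk_score, reverse=True)
    return [{"area": a.name, "score": risk_score(a), "rating": risk_rating(risk_score(a))}
            for a in ranked]


def annual_plan(areas: List[AuditArea], plan_year: int, total_hours: int,
                rotation_years: int = 3, discretionary_pct: int = 10) -> Dict[str, object]:
    """Stage 3: choose the year's projects within the engagement hours.

    Risk is the primary but not the only basis: areas never audited, or not
    audited within the rotation window, are scheduled first (highest risk
    first); remaining hours then go to the other areas in risk order. A
    percentage of the hours is held back for management's discretionary work.
    """
    reserve = total_hours * discretionary_pct // 100
    remaining = total_hours - reserve

    def due_for_rotation(a: AuditArea) -> bool:
        return a.last_audited is None or plan_year - a.last_audited >= rotation_years

    mandatory = sorted((a for a in areas if due_for_rotation(a)), key=risk_score, reverse=True)
    optional = sorted((a for a in areas if not due_for_rotation(a)), key=risk_score, reverse=True)

    projects: List[Dict[str, object]] = []
    deferred: List[str] = []
    for group, basis in ((mandatory, "rotation"), (optional, "risk")):
        for a in group:
            if a.hours <= remaining:
                projects.append({"area": a.name, "hours": a.hours, "basis": basis})
                remaining -= a.hours
            else:
                deferred.append(a.name)  # carried into next year's updated assessment

    return {"year": plan_year, "projects": projects, "deferred": deferred,
            "discretionary_reserve": reserve, "unallocated_hours": remaining}


# Constructed sample audit universe (illustrative names, not client data).
SAMPLE_UNIVERSE = [
    AuditArea("PeopleSoft Financials security", 5, 5, 200, last_audited=1998),
    AuditArea("UNIX/NT infrastructure security", 4, 5, 160),
    AuditArea("Dial-in access", 4, 4, 80, last_audited=1996),
    AuditArea("Business continuity planning", 3, 5, 120),
    AuditArea("Oracle database security", 3, 4, 100, last_audited=1998),
    AuditArea("Lotus Notes administration", 2, 3, 80, last_audited=1998),
    AuditArea("Help desk procedures", 1, 2, 60, last_audited=1997),
]


if __name__ == "__main__":
    for row in risk_assessment(SAMPLE_UNIVERSE):
        print(f'{row["score"]:>3} {row["rating"]:<6} {row["area"]}')
    plan = annual_plan(SAMPLE_UNIVERSE, plan_year=1999, total_hours=600)
    for p in plan["projects"]:
        print(f'{p["hours"]:>4}h {p["basis"]:<8} {p["area"]}')
    print("deferred:", plan["deferred"], "reserve:", plan["discretionary_reserve"])
```

With the constructed universe and 600 hours, the three rotation-due areas consume 360 of the 540 plannable hours, so the highest-risk area (PeopleSoft, never out of rotation) does not fit and is deferred while two lower-risk areas are scheduled. That is the "primary, but not the only, basis" tension stated above made visible: the plan should surface such a deferral to management and the Audit Committee for approval (or for a discretionary-hours decision) rather than resolve it silently.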


Stage 4 - Execute the Annual Audit Plan: This stage is made up of six activities designed to guide the execution of individual projects defined in the Annual IT Audit Plan. All or part of certain sub-activities may or may not be performed, depending upon the scope of the particular project determined in Stage 3 - Annual IT Audit Plan. The activities are:

Activity 4.1 - Scope the IT Audit Project: This is performed at the outset of each project and provides focus and direction for the remainder of the procedures performed during the execution of fieldwork. In this activity, we establish the objectives, scope, and timing of the project and communicate these expectations to management through a project scoping document.

Activity 4.2 - Understand the IT Audit Areas: This builds on our initial understanding of the processes and/or areas selected for the audit, which was gained in Stage 2 - Risk Assessment. In this activity, we consider what additional information is required for us to document an understanding of the audit area. We also confirm the team members and agree roles and responsibilities.

Activity 4.3 - Identify and Assess Risks: This builds on our initial understanding of the related risks, including key performance indicators, gained in Stage 2 - Risk Assessment. In this activity, we consider where errors could occur in the IT process or area (or business process, where we are teaming with Internal Audit Services) that would keep the process from achieving its financial reporting, operating, or compliance objectives, and walk through the process to confirm our understanding. In this activity we determine the inherent risks as they relate to the audit project and agree our risk assessment with management.

Activity 4.4 - Identify and Evaluate Controls: This builds on our initial understanding of the related controls gained in Stage 2 - Risk Assessment. During this activity, we preliminarily evaluate the effectiveness of the process design and the controls in place to address the potential for errors to occur. This preliminary evaluation is used in the next activity, where the controls are tested, as applicable. We also may provide management with recommendations for improving the controls and enhancing process performance.

Activity 4.5 - Design Testing Strategy and Perform Tests: This builds on our preliminary evaluation of the selected processes and related controls in the previous activity. Where appropriate, for the controls identified and preliminarily evaluated as effective in the previous activity, we design and execute tests of controls to determine whether the controls were operating as we understood. Exceptions noted in our testing are communicated to management and may result in recommendations for improvement in our final report.

Activity 4.6 - Conclude the Audit/Reporting: We conclude the audit project by:

- Reviewing all working papers, supporting documentation, and the draft report.
- Determining whether we have performed work sufficient to satisfy our objectives and whether our conclusions are adequately supported.
- Communicating the results of our work to management.
- Requesting feedback from management on whether or not we have met their expectations.


Stage 5 - Communicate Results: Working with client management responsible for the IT internal audit function, we communicate the results of our internal audit work to executive management and the Audit Committee based on expectations co-developed in Stage 1 - Co-Develop Client Expectations. At appropriate times during the audit year, formal approval of the risk assessment and annual IT audit plan is obtained. We also periodically communicate the results of our IT audit projects, including significant issues, and the value we have provided to the company through our Value Scorecard.


Stage 1 - Co-Develop Expectations with Client

    Introduction

The first stage in our IT Internal Audit Services methodology is to co-develop expectations with the client. We develop a mutual understanding of the scope of our IT internal audit services with key client management and, where applicable, the engagement team responsible for our internal and, in an integrated audit, external audit services. Co-developing expectations involves key activities, such as determining expectations related to our services, deliverables, and the basis for measuring the value we deliver. To help us gain this understanding, we conduct co-develop expectation meetings with key client and engagement personnel to discuss and document the following:

- IT Internal Audit Objectives
- Scope and timing of procedures
- Client's Business and IT Goals, Objectives, and Strategies
- Communication protocols, including measuring and communicating value, as well as engagement issues and status

The process of co-developing expectations and communicating value begins during the sales process, continues throughout the engagement, and involves periodic discussions with appropriate management.

Co-developing expectations for integrated audits requires us to understand both the internal audit and external audit requirements. Appendix B-1 includes a discussion of necessary considerations within an integrated audit. As with any engagement, we also must ensure that we have followed specific firm guidelines for client and engagement acceptance. For non-audit clients, we follow the guidance and perform the procedures set forth in the Policy and Practice Statement, Client and Engagement Acceptance - Other, in the AABS Manual.

Generally, co-development begins during the Sales Process. We obtain an understanding of client expectations and document them in a letter of understanding (LOU) signed by the appropriate management personnel of the client. The LOU documents (at a high level) the services to be provided as agreed in Stage 1 - Co-develop Expectations with Client. This letter also documents the billing requirements and must include our standard terms and conditions for ISAAS consulting engagements and the alternative dispute resolution provision, which may be applicable in those rare instances when the firm and a client cannot resolve a matter informally. (See the ISAAS Policies and Procedures Workbench for the standard LOUs, terms and conditions, and alternative dispute resolution provision.) Additional co-development sessions may be necessary to refine our project scope and expectations or to further refine requirements.


    Summary of Stage 1 Activities

In order to scope the IT Internal Audit Services engagement properly, we identify several activities to guide the team through the initial meetings with the client:

1.1 Understand the client's needs and learn the basis for setting the service expectations.

1.2 Understand the client's business at a high level to establish a basis for a better understanding of how IT is used to support the business.

1.3 Determine the scope of the engagement and risk assessment methodology to provide the basis for building the workplan.

1.4 Determine the deliverables and obtain agreement from the client.

1.5 Develop fee estimation and define client billing procedures.

    Summary of Stage 1 Deliverables

    After completing this stage, the following documents should be developed:

- Letter of Understanding
- Strategy/Planning Memorandum
- Client Assistance Listing
- Relationship and Communication Protocols
- Fee Estimate
- Co-developed Value Scorecard

    Examples of these documents are located in Appendix B or within the ISAAS Policiesand Procedures Workbench.

Stage 1 Activities

    Activity 1.1 Understand