
[insert company logo]

INTERNAL AUDIT REPORT

[INSERT SYSTEM NAME] PRE- & POST-SYSTEM IMPLEMENTATION AUDIT


REPORT #[INSERT #]

[INSERT COMPANY ADDRESS]

AUDIT TYPE: INFORMATION TECHNOLOGY


ISSUANCE DATE: [INSERT DATE]

Conducted in Conformance with the International Standards for the Professional Practice of Internal Auditing

TABLE OF CONTENTS
Audit Issuance Letter
Executive Summary
Audit Objective and Scope
    Objective
    Scope of Audit
    Scope Changes
General Background
Key Business / Audit Risks
Audit Details & Observations
Findings and Recommendations
Action Plan

[Update table of contents last]

AUDIT ISSUANCE LETTER


Issuance Date: [Insert Date]
Report Distribution
[Insert Addresses]
Action Item Owners
[Insert Action Item Owners]
The [Insert System Name] Pre- and Post-System Implementation Audit, number [Insert Audit Number],
is being released for general distribution as of this date. The objective(s) and scope of this engagement are
noted in the Audit Objective and Scope section of this report. A summary of the audit procedures
performed is noted in the Audit Details and Observations section of this report.
Responses have been obtained from the applicable owner for each recommendation developed from our
examination. All findings, recommendations, and management responses (in their entirety) have been
incorporated in the Findings and Recommendations section of this report.
A follow-up review of management's implementation of actions in response to the recommendations will
be performed [Insert Date].
Internal Audit notes that sufficient and appropriate audit procedures have been conducted and evidence
gathered to support the accuracy of the conclusions reached and contained in this report. The conclusions
were based on a comparison of the situations, as they existed at the time, against audit criteria. The
conclusions are only applicable for the process examined. The evidence gathered meets professional
audit standards and is sufficient to provide senior management with proof of the conclusions derived from
the internal audit.
Auditor: [Insert Name]

Responsible Manager: [Insert Name]

This report provides management with information about the condition of risks and internal controls at one point in time. Future changes in
environmental factors and actions by personnel will impact these risks and internal controls in ways this report cannot anticipate. This document
is CONFIDENTIAL for internal use by management only and should not be used, relied upon, or distributed to any third party without prior
written approval.

EXECUTIVE SUMMARY
Provide a high-level, 1-page summary of what the system is, its impact on the business, and a
summary of the findings noted.
Our overall opinion on the [Insert System Name] Audit is:

Excellent (no findings)
Good (minor findings)
Satisfactory (moderate findings)
Needs Improvement (significant findings)
Unsatisfactory (material findings)

AUDIT OBJECTIVE AND SCOPE


OBJECTIVE
The objective of the pre- and post-implementation review of [Insert System Name] is as follows:
1. Provide management with an independent assessment of the progress, quality and
attainment of project objectives, at defined milestones within the project, based on
company policies and procedures.
2. Provide management with an assessment of the adequacy of project management
methodologies and of whether the methodologies are applied consistently across all projects.
3. Provide management with an evaluation of the internal controls of proposed business
processes at a point in the development cycle where enhancements can be easily
implemented and processes adapted.
4. Provide management with an assessment of the adequacy of security controls
implemented.
5. Provide management with an evaluation of the project metrics / KPIs and expected
benefits stated within the project business case report.

SCOPE OF AUDIT
The scope of this audit is:
1. The audit of the SDLC process will review each phase of a system implementation
project. The audit will address the following areas: governance and risk management,
compliance with company procedures and regulation, project management methodology,
budget, internal controls, and business processes.
2. To perform other procedures deemed necessary to achieve the audit objectives.

SCOPE CHANGES
Note any scope changes.

GENERAL BACKGROUND
Provide a general background, as some of the people the report is being distributed to may not
have a good understanding of the old process and the new process. Things that you may wish to
include are:

- Brief description of the system and why a new system was needed; discuss pain points.
- Impact of the system on the overall business (e.g. the vendor management system
  processes 1,000 invoices a day and issues 1,000 checks a day, totaling $1 million a day in
  transactions).
- Discuss project objectives, budget to actual results (cost, timeline, labor hours), and
  results of metrics / KPIs.
- Provide dates: start date of project, date of implementation.
- Discuss if the system is subject to regulation (e.g. SOX, PCI DSS, HIPAA, privacy laws,
  etc.).

KEY BUSINESS / AUDIT RISKS


The key risks related to implementing a system are as follows:

- Inadequate project management procedures could lead to scope creep, a poorly designed
  system that does not meet the needs of the business or end users, unclear responsibilities,
  lack of communication, inadequate monitoring, and undetected deviations from project
  scope. All of these have a direct impact on the budgeted dollars and timelines of the
  project. It also indicates a lack of management control over capitalizable projects.

- Inadequate system implementation procedures resulting from poor planning, poor or
  insufficient user testing, system issues not being resolved, inadequate security measures
  for both network and application, lack of communication, or inadequately designed
  automated controls or edit checks. This would have a direct impact on the system's ability
  to integrate within the existing infrastructure, the functionality of the system, the
  productivity and buy-in of employees, and data integrity, completeness and accuracy, and
  would leave the system vulnerable to a security compromise. It also indicates a lack of
  management control over the project.

- Inadequate security controls result in vulnerabilities that may expose data to unauthorized
  access, unauthorized disclosure or theft.

- Return on investment fails to meet management's expectations; expected benefits are not
  realized or not realized timely.

- A lack of management control over systems could lead to non-compliance with required
  regulations, resulting in fines and / or penalties.

AUDIT DETAILS & OBSERVATIONS


IA performed an audit of the [Insert System Name] System Implementation Project (the
Project) based on the system development lifecycle, which consisted of the following phases:
1. Project Governance
2. Business Case & Project Planning
3. System Development Design & Build
4. Testing
5. Pre Go-Live & Data Conversion
6. Training
7. Support & Maintenance
8. Project Assessment
9. Internal Control Assessment

Pre-System Implementation

Post-System Implementation

IA notes the results of each phase, as follows:


1. Project Governance
[Insert a brief summary of the results of each phase.]
2. Business Case & Project Planning Phase
[Insert a brief summary of the results of each phase; should summarize audit memorandum.]
3. System Development Design & Build Phase
[Insert a brief summary of the results of each phase; should summarize audit memorandum.]
4. Testing Phase
[Insert a brief summary of the results of each phase; should summarize audit memorandum.]
5. Pre Go-Live & Data Conversion Phase
[Insert a brief summary of the results of each phase; should summarize audit memorandum.]
6. Training Phase
[Insert a brief summary of the results of each phase; should summarize audit memorandum.]
7. Support & Maintenance Phase
[Insert a brief summary of the results of each phase.]
8. Project Assessment Phase
[Insert a brief summary of the results of each phase; make sure to include the Project Lead's
identified lessons learned and Internal Audit's assessment of each item noted.]
9. Internal Controls Assessment
[Insert a brief summary of the results of each phase; make sure to note any control
deficiencies.]

FINDINGS AND RECOMMENDATIONS


No. 1
Finding & Impact: [Insert Finding]
Control Gap: [Reference COBIT 5 management practice / activity or other best practice / regulation requirement]
Recommendation: [Insert Recommendation]
Owners: [Insert Owner of Finding]
Management Response: [Insert Management's Response]
Priority: [Insert low, medium, high]
Audit Follow-Up: [If Finding was addressed during the audit, note follow-up procedures performed and whether or not finding has been closed. If not applicable, delete row.]

No. 2
Finding & Impact:
Control Gap:
Recommendation:
Owners:
Management Response:
Priority:
Audit Follow-Up:

ACTION PLAN
Finding No. | Action to be Completed | Responsibility | Est. Completion Date | Date Completed
1 | | | |
2 | | | |
3 | | | |

A follow-up review of management's implementation of actions in response to the recommendations will be performed [Insert Audit
Follow-Up date / quarter].
