毕马威的内部审计指南.xls

海量营销管理培训资料下载 海量营销管理培训资料下载 Internal Audit Full question list 12 3 4 CountQuestion Type Question Category Question 1Accounting Any sales that do not achieve target prices to be authorised by the Fleet Manager A monthly review of sales proces vs target prices by salesman for review and action where necessary 97Fleet Fuel all company credit cards are returned all computer accesses have been withdrawn all company property keys and security passes are returned all benefits including staff entitlement to car rental discounts and private health insurance are stopped 147IT IT SecurityHigh Do you have an Information Security Policy which has been approved by Senior Management effectively communicated to staff e g via the intranet and which is subject to regular review and update 148IT IT SecurityHigh Do all staff receive information about the Information Security Policy at induction and periodic training thereafter 海量营销管理培训资料下载 海量营销管理培训资料下载 149IT IT SecurityHigh Is there a formal documented procedure in place for identifying and reporting potential weaknesses actual incidents carrying out and reporting on follow up action and for taking staff disciplinary action 150IT IT SecurityHigh Are users including contractors given guidance on their responsibilities for Information Security within their job descriptions contracts and do they formally acknowledge that they have understood and accepted these responsibilities 151IT IT SecurityHigh Does a Director or equivalent have overall responsibility for information security and have designated staff been given responsibility for specific areas including all relevant legislation 152IT IT SecurityMedium Do staff with specific responsibility for Information Security receive additional training where necessary 153IT IT SecurityMedium Is external advice sought where the necessary expertise on Information Security is not available internally 154IT IT SecurityMedium Is third party access to information subject to senior management approval and information security clauses in contract terms and conditions 155IT IT SecurityMedium Where third party access is unavoidable are appropriate IT security measures in place 156IT IT SecurityHigh Are information security requirements and responsibilities included within contracts with outsourced providers 157IT IT SecurityMedium Are there clear policies and guidelines in place for the classification of information and is responsibility for doing so clearly defined 158IT IT SecurityHigh Do you maintain an inventory of information assets e g application systems software and hardware 海量营销管理培训资料下载 海量营销管理培训资料下载 159IT IT SecurityMedium Is the inventory of software used to periodically check that licences are held for all copies of software as required 160IT IT SecurityMedium Is system capacity monitored and future capacity projected in accordance with the needs of the business 161IT IT SecurityHigh Is a formal anti virus policy in place which includes software on all servers PCs and laptops that is regularly upgraded 162IT IT SecurityHigh Are documented backup procedures in place that include off site storage recovery of data testing of procedures and logs to confirm completion on a daily basis 163IT IT SecurityMedium Are procedures in place to ensure that printing storage and disposal of computer media and systems documentation is carried out securely 164IT IT SecurityHigh Are user access management procedures in place that provide for documented registration of new users with unique user ids deletion of leavers and periodic reviews of user access rights to ensure they are still appropriate 165IT IT SecurityMedium Are there procedures for monitoring the use of information processing facilities and are the results of this process reviewed regularly 166IT IT SecurityMedium Is a regular IT report sent to the Senior Management Team that includes system performance availability and Information System security incidents 167IT IT SecurityHigh Is all key IT equipment appropriately located protected backed up via a UPS and maintained in order to prevent interruption to business activities 168IT IT SecurityLow Is a clear desk policy in operation so that sensitive documents and computer media are locked away when not in use 169IT IT SecurityMedium Are physical security arrangements in place to prevent unauthorised access to secure areas and are visitors to these areas signed in and escorted at all times 海量营销管理培训资料下载 海量营销管理培训资料下载 170IT IT SecurityHigh Have controls been implemented to protect all systems connected to the internet including firewalls access controls and data encryption 171IT IT SecurityHigh Are protective measures in place to ensure the security of e commerce services provided to trading partners or the public i e contract terms and conditions data encryption users authentication measures checks on integrity of published data 172IT IT SecurityMedium Are IT facilities regularly checked for compliance with technical security implementation standards e g firewall penetration tests 173IT IT SecurityHigh Does the Information Security policy include guidelines for authorisation and control of laptops Personal Digital Assistants PDAs and teleworking 174IT IT SecurityMedium Are appropriate physical security arrangements in place to minimise the risk of theft of laptops both on company premisies and at remote locations i e steel cable locking devices 175IT IT SecurityMedium Is the risk of loss of company data controlled by limiting the information permitted to be held on laptops 176IT IT SecurityHigh Are adequate security arrangements in place where dial in facilities are used 177IT IT SecurityHigh Is access to information subject to a formal policy which ensures that access is only granted on a need to know basis 178IT IT SecurityHigh Are critical applications password protected with access restricted to only those staff with a valid reason for doing so 179IT IT SecurityHigh Are user passwords subject to documented guidance on selection and use compulsory change during initial log on minimum lengths enforced regular changes and the ability for users to change them at any time 180IT IT SecurityMedium Are users provided with instructions to lock their workstation when it is unattended and are terminal time outs enforced 海量营销管理培训资料下载 海量营销管理培训资料下载 181IT IT SecurityHigh Do all application systems provide data validation checks to ensure that all input and output is correct 182IT IT SecurityHigh Do Operating System access controls ensure that user ids cannot have more than1 concurrent session and that log in ids are frozen after a specified number of unsuccesful log ons 183IT IT SecurityHigh Are application systems tested whenever changes to the operating system are made 184IT IT SecurityHigh Are IT projects led with project sponsors from the business side of the organisation 185IT IT SecurityMedium Is a formal system development methodology applied to all IT system changes in accordance with a recognised quality standard e g ISO9000 3 ISO9001 186IT IT SecurityHigh Is the assigned Project Manager for new systems and changes enhancements to existing systems responsible for ensuring that specified requirements for controls and information security are included in the development 187IT IT SecurityMedium Are the security requirements for proposed systems determined following a risk assessment 188IT IT SecurityMedium Is strict access control maintained over access to program source libraries 189IT IT SecurityHigh Is test data strictly segregated from live data and access to it appropriately protected and controlled 190IT IT SecurityHigh Are formal configuration management procedures used to enforce and govern how programs are moved from development into production 191IT IT SecurityHigh Are regular status reports made to the Board Senior Management on the progress of all local IT projects 海量营销管理培训资料下载 海量营销管理培训资料下载 192IT IT SecurityHigh Are IT Sevices which are outsourced to an external third party e g payroll bureau Internet Service Provider Application Service Provider Facilities Management Managed Security Organisation etc subject to a Service Level Agreement with measurable performance objectives 193IT IT SecurityHigh Where the IT Department makes use of consultancy or contract staff in the delivery of IT services is transfer of skills planned prior to completion of the contract 194IT IT SecurityHigh Is a documented IT and IT procurement strategy in place which is aligned to the organisation s IT strategy 195Purchasing and PayablesHigh Is a formal Procurement Policy in place that sets clear authorisation limits for all elements of purchasing activity 196Purchasing and PayablesMedium Is responsibility for vendor selection cash disbursement and accounting activities segregated where possible 197Purchasing and PayablesMedium Are related party transactions regarding contractors temps identified and reported to management on a timely basis 198Purchasing and PayablesMedium Are written guidelines in place which specify an amount above which purchases must be competitively tendered 199Purchasing and PayablesHigh Are pre printed sequentially numbered POs showing required delivery location raised and formally approved for all purchasing activity 201Purchasing and PayablesMedium Are purchase orders forwarded to the finance department and open items periodically identified and investigated 202Purchasing and PayablesMedium Are copies of all Purchase Orders forwarded to the Finance Department and used as the basis for accruals 海量营销管理培训资料下载 海量营销管理培训资料下载 203Purchasing and PayablesMedium Are regular checks undertaken to ensure that any POs not accounted for have not been used for inappropriate purposes 204Purchasing and PayablesHigh Once the goods have been received is the goods receipt note or equivalent sent to the Accounts Department for matching with the PO and invoice before payment is made 205Purchasing and PayablesLow Are all cheques pre numbered issued numerically and accounted for on a periodic basis 206Purchasing and PayablesMedium Do all cheque payments require dual signatories 207Purchasing and PayablesHigh Are breaks in sequence of cheque books reported and investigated promptly 208Purchasing and PayablesMedium Is information provided to senior management in the Finance Department on a regular basis including creditor ageing list accounts in dispute supplier performance and a standing file of creditors including when they were last used 209Receipts ReceivablesHigh Are all accounts subject to satisfactory completion of an application form which provides all relevant information required to open and administer accounts 210Receipts ReceivablesHigh Is a satisfactory credit reference received and retained before new customer accounts are accepted for opening 211Receipts ReceivablesHigh Are discounts given to customers subject to a contribution calculation which is regularly reviewed to take account of factors such as timeliness of payments 212Receipts ReceivablesMedium Are formal contracts in place for all customer accounts with payment terms 213Receipts ReceivablesMedium Are exception reports generated to identify changes to customers masterfile and any unusual changes investigated 214Receipts ReceivablesMedium Are new and existing customers actively encouraged to use Direct Debit payments through the use of incentive schemes for both customers and sales staff 海量营销管理培训资料下载 海量营销管理培训资料下载 215Receipts ReceivablesMedium Can rate amendments only be made by authorised personnel 216Receipts ReceivablesMedium Are rate amendments subject to independent review to ensure that changes additions are accurate and properly authorised 217Receipts ReceivablesMedium Is competitor activity monitored within national marketplace with timely rate comparisons made and reported to senior management 218Receipts ReceivablesLow Is the business able to provide a basic analysis of customer mix for receivables and is there a policy for defining different types of accounts i e major other NAPS etc 219Receipts ReceivablesLow Are all functions within the receivables cycle fully documented with responsibilities allocated and appropriate segregation of duties in place 220Receipts ReceivablesHigh Are all sales promptly and accurately invoiced 221Receipts ReceivablesMedium Are return to HQ exceptions for central mailing regularly reviewed so that they are reduced as far as possible and invoices sent directly to customers unless there is a valid reason 222Receipts ReceivablesHigh Are monthly and annual DSO target levels set for all types of business 223Receipts ReceivablesHigh Is achievement against DSO targets monitored and action plans formulated where necessary to enable them to be achieved 224Receipts ReceivablesHigh Is a monthly aged debt report produced and reviewed which provides details of all overdue debts 225Receipts ReceivablesHigh Are all overdue amounts identified on the aged debt report promptly chased either by telephone or by a Dunning Letter 226Receipts ReceivablesHigh Does the Dunning Letter provide details all overdue invoices including invoice number amount date due and the contact details including e mail address and direct line number of a specific collector in case of queries 海量营销管理培训资料下载 海量营销管理培训资料下载 227Receipts ReceivablesLow Is all chasing action for overdue debts recorded and retained for use in the event of legal action being required 228Receipts ReceivablesMedium Are customer accounts continuously monitored to identify any where credit limits have been exceeded and follow up action taken and documented 229Receipts ReceivablesMedium Are periodic credit checks undertaken on existing accounts so that changes in financial circumstances can be identified 230Receipts ReceivablesMedium When customers fail to honour agreements for corrective action where they are in excess of credit limits exceeding payment terms are the acounts put on hold so that no further rentals can take place 231Receipts ReceivablesMedium Are customers with poor credit history specifically identified so that accounts can be stopped and any further sales subject to approval by the Receivables Department 232Receipts ReceivablesMedium When recovery action is unsuccessful is a prompt decision made to refer the case to either a collection agency or a lawyer for action 233Receipts ReceivablesMedium Where cases have been referred to a collection agency or lawyer is a log maintained so that progress can be tracked and chased where necessary 234Receipts ReceivablesMedium Is major account status regularly updated and reported to Group 235Receipts ReceivablesLow Is there a procedure in place for the authorisation and processing of bad debts write offs 236Receipts ReceivablesMedium Has bad debt provision been compared with group guidelines with any exceptions and the reasons for them notified immediately to Group 237Receipts ReceivablesMedium Are all on account payments applied within 1 month of receipt 238Receipts ReceivablesLow Is a target in place to minimise the use of a Receivables Suspense Account and a monthly review conducted to clear balances wherever possible 海量营销管理培训资料下载 海量营销管理培训资料下载 239Receipts ReceivablesHigh Is the volume age value and average resolution time of customer complaints reported to Senior Management at both country and group level with action plans developed where problem areas are identified 240Receipts ReceivablesHigh Do the Sales and Receivables Departments hold regular meetings with senior representation agendas meetings and action points to identify and resolve issues that are holding up payment of accounts 241Receipts ReceivablesMedium Are customer complaints and disputes investigated and resolved by individuals independent to the billing and sales function 242Receipts ReceivablesMedium Are regular local customer satisfaction surveys undertaken and results reported to management with action plans created as necessary to address areas where customers have highlighted deficient areas 243Receipts ReceivablesMedium Are all credit notes and refunds subject to appropriate independent review and authorisation in accordance with a Delegation of Authority and the reasons fully documented 244Receipts ReceivablesHigh Are systems in place to ensure that credit card refunds can only be processed to the same credit card that the the rental was originally paid with 245Station ControlsHigh Are all vehicles checked for damage at check out and check in 246Station ControlsMedium Have all rental sales agents been provided with adequate training information to allow them to correctly follow cash qualification procedures for cash rentals 247Station ControlsMedium Are all cash qualification F15 forms properly completed filed and renewed in accordance with Group policy 248Station ControlsHigh Is an incident report form completed for all damage noted and signed by both rental sales agent and customer 海量营销管理培训资料下载 海量营销管理培训资料下载 249Station ControlsHigh Are vehicles on hand including keys counted on a daily basis and compared to Wizard record with any discrepancies immediately investigated and action taken and documented 250Station ControlsHigh Are inactive vehicle missing mileage open movement overdue vehicle marshall risk and turnback reports reviewed by Station Managers with explanations documented 251Station ControlsHigh Are VTCs and NRTs used appropriately signed by the driver of the vehicle and authorised by the Station Manager 252Station ControlsHigh Are Wizard Security reports extracted and reviewed on a monthly basis by HQ staff Are reports thoroughly investigated and signed off as evidence of review Is a memo of key findings circulated to Senior Management 253Station ControlsLow Are missing vehicles promptly reported to vehicle control at HQ and the police 254Station ControlsHigh Are standard procedures followed to ensure that all repair costs are recovered from a third party or renter where possible 255Station ControlsHigh Is an effective station contributio