2. (YEAR) AUDIT PLAN
Company XYZ Annual Audit Plan
Core Audits
• Core audits are foundational audits conducted each year, focusing on SEC and other regulatory requirements, key-risk areas and hotel-specific processes.
• These include the following audits:
− Sarbanes-Oxley (SOX), including the financial reporting process and financial systems.
− Hotel audits for the finance, operations and IT areas.
− Cyber risk and data privacy across the company.
Hot Spots
• Hot spot audits are top-of-mind audits that directly relate to risk areas impacting Company XYZ's business.
• In the past, hot spot audits included areas in franchise, FCPA/bribery, currency fluctuations, ROI and reservation centers.
3. (YEAR) AUDIT PLAN
Core Audits
Sarbanes-Oxley
Financial Reporting Processes
• Cash and short-term investments
• Receivables
• Investments
• Property and equipment
• Goodwill and intangibles
• Payables and accrued expenses
• Long-term debt
• Taxes
• Equity
• Revenues and expenses
• Fraud and organizational governance
Financial Systems
• Active Directory/FIM (single sign-on)
• Gold passport
• Hyperion (reporting)
• Iscala (int'l GL)
• One source (tax)
• Opera (PMS/POS)
• Oracle (GL)
Hotel Audits
Finance
• Balance sheet reconciliations
• Income journal reconciliations
• Revenue adjustments
• Expenses
• Gold passport
• Leases
• Sales and catering contracts
• Cash
Operations
• Employee status change
• Vendor management
• License review
• Data privacy
IT
• New and terminated user access
• Physical access and data centers
• Password configuration
• Change management
• Backup and recovery
• Opera permissions
Cyber Risk/Data Privacy
Company-Wide
• Simulated breach testing
• Segregation of duties
• Vendor risk and access
• Vulnerability management and penetration testing
• Data privacy compliance and security
• Business interruption/disaster recovery
Hot Spots
Hot Spots in (Year)
• FCPA/bribery
• Currency fluctuations
• ROI
• Reservation centers
• Unify post go-live
• Third-party access to IT systems
• Franchise
• Development/acquisition due diligence and underwriting
• Enterprise data warehouse (GEM)
• Construction
• IT sales and use tax
• Global shared services
• Consultant usage risks
• Security preparedness
• Joint ventures
• Management agreement compliance
4. (YEAR) AUDIT PLAN: CORE
Foundational audits are conducted each year, focusing on SEC and other regulatory requirements, public company/governance considerations, key-risk areas and hotel-specific processes.
Sarbanes-Oxley
• Enforces regulatory compliance requirements
• Utilizes key process and IT controls that support financial reporting, with risk evaluated collaboratively using the external auditor's risk-of-material-misstatement model
• Measure Unify post go-live control effectiveness
• Continued refinement of entity-level controls that support the new COSO framework
• Fraud
Hotel
• Ensure hotel compliance with financial, operational and IT policies (risk stratified)
− Increased emphasis on owned properties
− Assessment of hotel cluster effectiveness
− Increased emphasis on IT vendor contracts
• Shared service centers (XXX, YYY, ZZZ)
− Advisory and support role for the global shared service initiative
• MOR alumni program
• Centralized testing
− Integrate data analytics to support continuous monitoring
Cyber
• Data privacy
• Information security
• Property acquisition/takeover process and related costs
Risk Process
• Risk council: global and ASPAC
− Expand to include EAME/SWA council
• Annual and ongoing risk assessment
Blue = New in (Year)
5. (YEAR) AUDIT PLAN: HOT SPOTS
Top-of-mind audits that address key-risk areas and ongoing initiatives; these are consistently referenced during risk assessment sessions and risk council meetings and/or identified during prior-year audits.
Hot Spots in (Year)
Unify Post Go-Live
• Measure control effectiveness and system integration
• Perform consolidated banking
Third-Party Access to IT Systems
• Review vendor access to Company XYZ systems to see that only contractually required access is granted and subsequently terminated
• Ensure that contractually required rights are secure
Franchise
• Perform a review of audited financial statements to validate revenue and franchise fees
• Assess compliance with brand and IT standards by partnering with brand and IT teams
Enterprise Data Warehouse (GEM)
• Identify who has access to the EDW and for what purpose
• Determine the breadth of data collected and how data is disseminated across borders
Development/Acquisition Due Diligence and Underwriting
• Review pro forma process and assumptions
• Assess compliance with various internal review recommendations
Others
• Construction
• IT sales and use tax
• Global shared services
• Marketing ROI
• Consultant usage risks
• Security preparedness
• Joint ventures
• Management agreement compliance
6. APPENDIX II: HOTEL TESTING APPROACH
Consistent with 2014, internal audit will perform several types of hotel audits (the audit approach is flexible and based on property type, location and risk profile).
Full-Service Hotels (see coverage in table below) / Other Property-Related Testing
• Hotel audit: The scope includes financial statement substantive testing and control testing (operational, financial and IT) that is conducted at owned/leased/JV properties.
• MOR: Evaluate operational, financial and IT controls via the control self-assessment and core work program. These reviews are performed by DOFs and MOR leaders, and reports are reviewed by internal audit.
• Shared service centers: Execute test procedures.
• Centralized audit procedures: Leverage systems and centralized processes to efficiently assess various scope areas (centralized testing will provide broader coverage).
• Select service hotels: Central control focus is augmented by limited procedures at remaining owned properties.
• Limited reviews: Utilize limited procedures to gain controls comfort and coverage for lower-risk properties where the leadership committee and operating environment have remained consistent since the previous audit.

            Owned/Leased   Managed   Total
Hotels*               56       187     243
Audits                37        77     114

Audit coverage for full-service hotels is 47% (114 of 243).
* Refer to the following slides for regional locations; includes five international properties.