GROUP INTERNAL AUDIT
2009 / xx 
<Audit Title> 
 
 
 
 
 
Limited Assurance 
 
 
 
 
Internal Audit    Distribution 
Auditors      Name 1   
      Name 2   
      Name 3   
         
Version  n.n       
Date issued  DD Month YYYY       
 
This draft version of the report is only issued to those on the distribution list in bold.  
Other names show the distribution for the final report. 
   
 
 
 
<Audit Title>    Page 2 of 9 
EXECUTIVE SUMMARY 
 
Scope 
This Internal Audit review considered the process used to support the following activities: 
  Take from the ToR 
    
    
<Any additional information here> 
 
 
Audit objective  Conclusion
Objective 1  No Assurance  <text here>
Objective 2  Limited Assurance  <text here>
Objective 3  Substantial Assurance  <text here>
Objective 4  Full Assurance  <text here>
 
<keep to 1 page maximum> 
 
 
 
Summary 
<Text here> 
 
Management feedback 
<1 paragraph maximum, a few lines of text; do not break over a page>
Name 
Job Title 
 
<keep to 2 pages maximum> 
 
   
 
 
 
DETAILED OBSERVATIONS 
 
1.  <Heading> 
 
<Text describing the finding expressed with the background context and the business risk> 
 
Action  Who  Target date  Priority 
1.1  <series of actions that address the finding>  Name  TBA  Critical 
1.2  <series of actions that address the finding>  Name  TBA  High 
1.3  <series of actions that address the finding>  Name  TBA  Medium 
1.4  <series of actions that address the finding>  Name  TBA  Low 
 
2.  <Heading> 
 
<Text describing the finding expressed with the background context and the business risk> 
 
Action  Who  Target date  Priority 
2.1  <series of actions that address the finding>  Name  TBA  Critical 
2.2  <series of actions that address the finding>  Name  TBA  High 
2.3  <series of actions that address the finding>  Name  TBA  Medium 
2.4  <series of actions that address the finding>  Name  TBA  Low 
 
3.  <Heading> 
 
<Text describing the finding expressed with the background context and the business risk> 
 
Action  Who  Target date  Priority 
3.1  <series of actions that address the finding>  Name  TBA  Critical 
3.2  <series of actions that address the finding>  Name  TBA  High 
3.3  <series of actions that address the finding>  Name  TBA  Medium 
3.4  <series of actions that address the finding>  Name  TBA  Low 
 
4.  <Heading> 
 
 
 
 
<Text describing the finding expressed with the background context and the business risk> 
 
Action  Who  Target date  Priority 
4.1  <series of actions that address the finding>  Name  TBA  Critical 
4.2  <series of actions that address the finding>  Name  TBA  High 
4.3  <series of actions that address the finding>  Name  TBA  Medium 
4.4  <series of actions that address the finding>  Name  TBA  Low 
 
 
 
 
MANAGEMENT ACTION SUMMARY 
 
Action  Who  Target date  Priority 
1.   Observation heading 
1.1  Action.      Critical 
2.   Observation heading 
2.1  Action.      High 
2.2  Action.      Medium  
3.   Observation heading 
3.1  Action.      Low 
3.2  Action.      Low 
3.3  Action.      Low 
 
This table will be updated when actions are agreed 
 
 
   
 
 
 
RISK MANAGEMENT 
Through this Internal Audit work we have independently assessed the risks and the net risk for the area 
under review.  These risks and assessment scores are shown below and compared to the risk profile taken 
from the Active Risk Manager (ARM) system, using the definitions from the Risk Policy and detailed in an 
Appendix to this report. 
Risk Exposure Map: [grid plotting each risk (O) by risk impact (Critical, Material, Significant, Immaterial) against risk probability (Remote, Occasional, Recurrent, Expected)]
Key:  O = Risk; the number refers to risk in table below; the colour refers to level of control assurance for individual risks. 
Management's view, where different, is represented as the symbol C (the number referring to the risk below).
 
#  Risk  Company view  Audit view
1  Risk Description  Not assessed at this level  No Assurance
   <Text description>
2  Risk Description  Immaterial, Occasional (Ref: nnnn)  Limited Assurance
   <Text description>
3  Risk Description  Immaterial, Occasional (Ref: nnnn)  Substantial Assurance
   <Text description>
4  Risk Description  Immaterial, Occasional (Ref: nnnn)  Full Assurance
   <Text description>
   
 
 
 
SOX AND CONTROL ASSESSMENT 
 
The following table shows the controls recorded on the Active Risk Manager (ARM) system. It is included to
compare the company's view of each control's performance with the view from Internal Audit.
 
Existing control performance  SOX control  Company view  Audit view  Comments / Reference to observations in this report
<Control description>    R  R
<Control description>    A  B  Observation 1
<Control description>    B  A  Observation 2
<Control description>    G  G
         
The above controls are those that have been included in the ARM system, but Internal Audit would 
recommend that the following controls should be considered for inclusion as well.  
<Control description>      R
<Control description>      A  Observation 1
<Control description>      B  Observation 2
<Control description>      G  Observation 2
 
   
 
 
 
APPENDIX - RISK GRADINGS
 
Risk impact
Critical  Impairment in capital in excess of the group layer (over 75m/$150m)
Material  Overall loss resulting in capital impairment (25m to 75m/$50m to $150m)
Significant  Loss in one or more accounts but not at Syndicate level (3 to 25m/$6m to $50m)
Immaterial  A minimal effect on forecast results or business objectives (up to 3m/$6m)

Risk probability
Expected  Every other year
Recurrent  Once every 3 to 4 years
Occasional  Once in a cycle
Remote  Once in a lifetime
 
 
Control performance
R  Control is not working
A  Control is in place but not working effectively
B  Control is operating effectively although it could be improved
G  Control is operating effectively
 
 
   
 
 
 
APPENDIX - REPORT AND ACTION GRADINGS
 
In conducting this review we have assessed the effectiveness and efficiency of the controls in mitigating 
the business risks of the area being audited and given our opinion on the overall level of assurance that 
can be taken. The possible grading is defined below: 
 
Opinion  Definition of audit report and risk grading
No Assurance  A fundamentally flawed system of internal control that is unlikely to achieve objectives and which is ineffective in managing risk
Limited Assurance  A system of internal control with a number of weaknesses likely to undermine achievement of objectives and lead to poor management of risk
Substantial Assurance  A sound system of internal control, but where there are a few weaknesses that could affect management of risk
Full Assurance  A solid system of internal control that is likely to achieve the system objectives, and which is effective in managing risk
 
Actions have been assigned a priority, based primarily on the potential impact of the action on improving 
business operations or an assessment of the risks associated with the control assessment.  The priorities 
are defined as follows: 
 
Action priority  Definition
CRITICAL  Actions that could lead to material errors in business operations and which need to be addressed as a high priority
HIGH  Actions with the greatest potential for improving operations, or where the continued weakness identified could have a serious impact on the company
MEDIUM  Actions that could lead to moderate improvement in business operations or weaknesses that increase the risk of error and which could have a detrimental impact on the company
LOW  Actions that could make a contribution to improved business operations through, for example, greater efficiency