Internal Audit Report (Florida)

INTERNAL AUDIT REPORT - FLORIDA

Internal audit report drafted under Florida corporate governance and compliance standards, with attention to Florida's specific limitations on self-critical analysis privilege, mandatory breach notification under FIPA (Fla. Stat. § 501.171), whistleblower protection under Fla. Stat. §§ 112.3187 and 448.102, and Florida-specific governance obligations.

PRIVILEGED AND CONFIDENTIAL - ATTORNEY WORK PRODUCT

PREPARED AT THE DIRECTION OF COUNSEL IN ANTICIPATION OF LITIGATION

This Report is prepared at the direction and under the supervision of [Law Firm Name or In-House Counsel], Florida Bar No. [________________], in anticipation of potential litigation or regulatory inquiry. It is intended to be protected by the attorney-client privilege (Fla. Stat. § 90.502) and work-product doctrine. Distribution must be strictly limited to preserve protection.

Important Florida Note: Unlike some other jurisdictions, Florida courts have not recognized a broad "self-critical analysis" privilege. Univ. of Pa. v. EEOC, 493 U.S. 182 (1990); Syposs v. United States, 179 F.R.D. 406 (W.D.N.Y. 1998). Internal audit reports should therefore be structured to maximize attorney-client and work-product protections. The Report must be (i) prepared at counsel's direction, (ii) for the primary purpose of providing legal advice, and (iii) maintained in confidence.

1. REPORT HEADER

Report Title: Internal Audit Report - [Audit Subject]
Entity: [COMPANY LEGAL NAME], a [Florida / Delaware / Other-jurisdiction] [corporation / LLC / not-for-profit] with principal place of business in [________________________________] County, Florida
Florida Registration No.: [________________] (Florida Department of State, Division of Corporations)
Federal EIN: [________________________________]
Report Date: [__/__/____]
Audit Period: [__/__/____] through [__/__/____]
Audit Subject: [________________________________]
Audit Type:
☐ Operational
☐ Financial
☐ Compliance
☐ IT / Cybersecurity (including FIPA § 501.171 compliance)
☐ Fraud Investigation
☐ Third-Party / Vendor Risk
☐ Florida-Specific Regulatory (e.g., Ch. 517 securities, Ch. 624 insurance, Ch. 440 workers' compensation)

Prepared By: [Internal Audit Department / Independent Auditor]
Lead Auditor: [________________________________], [Credentials: CPA, CIA, CISA, CFE]
Reviewed By (Counsel): [________________________________], Florida Bar No. [________________]
Submitted To: [Audit Committee / Board of Directors / Compliance Officer] of [COMPANY NAME]

2. EXECUTIVE SUMMARY

[Provide 1-2 paragraph overview of audit scope, principal findings, aggregate risk rating, and high-priority recommendations. Avoid legal conclusions; use factual/operational language.]

Overall Risk Rating:
☐ Low
☐ Moderate
☐ High
☐ Critical

Number of Findings: [____] total ([____] Critical, [____] High, [____] Medium, [____] Low)

3. AUDIT OBJECTIVES

The objectives of this audit were to:

1. Evaluate the design and operating effectiveness of controls relating to [subject matter];
2. Assess compliance with applicable Florida statutes, federal law, company policies, and contractual obligations;
3. Identify risks of financial misstatement, regulatory non-compliance, fraud, or operational inefficiency;
4. Evaluate compliance with the Florida Information Protection Act (FIPA), Fla. Stat. § 501.171, regarding safeguarding of personal information;
5. Assess compliance with the Florida Digital Bill of Rights, Fla. Stat. § 501.701 et seq. (effective July 1, 2024), regarding consumer personal data; and
6. Recommend corrective actions prioritized by risk.

4. SCOPE AND METHODOLOGY

A. Scope

The audit covered the following areas:

• [Business unit/department]
• [Process/system]
• [Geographic locations - including Florida operations in [counties]]
• [Time period: [__/__/____] to [__/__/____]]

Excluded from Scope: [Areas not covered and rationale]

B. Methodology

The audit was conducted in accordance with:

• The International Standards for the Professional Practice of Internal Auditing (IIA IPPF);
• COSO Internal Control - Integrated Framework (2013);
• COSO Enterprise Risk Management - Integrating with Strategy and Performance (2017);
• Applicable Florida statutes and regulations;
• Generally Accepted Auditing Standards (GAAS) / PCAOB standards where applicable; and
• Company policies and procedures.

Procedures Performed:

• Review of documents and records
• Interviews with personnel (list positions)
• Walkthroughs of key processes
• Testing of transactions [sample size, selection method]
• Data analytics on [datasets]
• Physical inspections
• Third-party confirmations

5. FINDINGS

(For each finding, use this structured format.)

FINDING NO. 1: [Title]

Risk Rating: ☐ Critical ☐ High ☐ Medium ☐ Low

Condition: [Factual description of what was observed, without legal characterization.]

Criteria: [Standards against which condition was evaluated - e.g., Fla. Stat. § [____], COSO principle, Company Policy No. [____]]

Cause: [Root cause analysis]

Effect / Potential Impact:

• Financial exposure: $[____________]
• Regulatory exposure: [e.g., FIPA § 501.171(9) penalties up to $500,000, Florida Office of Financial Regulation enforcement]
• Reputational: [description]
• Operational: [description]

Recommendation: [Specific, actionable, measurable, time-bound]

Management Response: [Include accept/reject, owner, target date, interim measures]

FINDING NO. 2: [Title]

[Same structure.]

FINDING NO. 3: [Title]

[Same structure.]

6. FLORIDA-SPECIFIC COMPLIANCE REVIEW

A. Florida Information Protection Act (FIPA) - Fla. Stat. § 501.171

FIPA requires covered entities that acquire, maintain, store, or use personal information of Florida residents to:

1. Take reasonable measures to protect and secure data in electronic form (§ 501.171(2));
2. Provide notice to affected individuals within 30 days of determination of a breach (§ 501.171(4)(a));
3. Provide notice to the Florida Department of Legal Affairs if the breach affects 500 or more individuals (§ 501.171(3));
4. Provide notice to credit reporting agencies if the breach affects 1,000 or more individuals;
5. Dispose of customer records containing personal information by shredding, erasing, or otherwise modifying (§ 501.171(8)).

Audit Observations:
☐ Adequate data safeguards
☐ Incident response plan in place
☐ Breach notification procedures documented
☐ Records disposal procedures compliant
☐ Deficiencies identified: [________________________________]

Violations subject to enforcement by the Florida Department of Legal Affairs under § 501.171(9) and the Florida Deceptive and Unfair Trade Practices Act (FDUTPA), with penalties up to $1,000 per day (capped at $500,000) for notification violations.

B. Florida Digital Bill of Rights - Fla. Stat. § 501.701 et seq.

Effective July 1, 2024, this act applies to "controllers" meeting certain thresholds (over $1 billion in global gross annual revenue derived from specific activities). Covered controllers must:

1. Honor consumer rights to access, correct, delete, and obtain copies of personal data (§ 501.705);
2. Conduct data protection assessments for high-risk processing (§ 501.706);
3. Obtain consent for processing "sensitive data" (§ 501.704);
4. Provide opt-out for targeted advertising and sale of personal data;
5. Comply with children's data provisions.

Audit Observations: [________________________________]

C. Florida Anti-Corruption / Fraud Statutes

• Florida Communications Fraud Act, Fla. Stat. § 817.034
• Florida Money Laundering Act, Fla. Stat. § 896.101
• Florida False Claims Act, Fla. Stat. §§ 68.081-68.092 (qui tam, applicable to false claims against the state)
• Medicaid Fraud, Fla. Stat. § 409.920, § 817.505 (patient brokering)

Audit Observations: [________________________________]

D. Florida Securities Compliance - Fla. Stat. Ch. 517

If the Company is subject to Florida securities regulation, audit considerations include: registration of securities offerings (§ 517.07) or reliance on exemptions (§ 517.061), broker-dealer and investment adviser registration (§§ 517.12, 517.201), anti-fraud provisions (§ 517.301), and the Florida Office of Financial Regulation's examination authority.

Audit Observations: [________________________________]

E. Florida Workers' Compensation - Fla. Stat. Ch. 440

The Company must maintain workers' compensation coverage under Fla. Stat. § 440.38 (with specific thresholds for construction and non-construction employers). Willful failure to secure coverage is a felony under § 440.105 and carries civil penalties.

Audit Observations: [________________________________]

F. Corporate Governance - Florida Business Corporation Act / LLC Act

• Annual reports filed with Florida Department of State (§§ 607.1622 / 605.0212);
• Registered agent on file (§§ 607.0501 / 605.0113);
• Director/manager duties under §§ 607.0830 / 605.04091 (good faith, care, loyalty);
• Indemnification within § 607.0850 / § 605.0408 limits;
• Shareholder/member record access under §§ 607.1602 / 605.0410;
• Annual reports to shareholders/members.

Audit Observations: [________________________________]

7. WHISTLEBLOWER AND RETALIATION COMPLIANCE

The Company maintains procedures for whistleblower complaints. Under Fla. Stat. § 448.102 (Florida Private Whistleblower Act), no private employer may take retaliatory personnel action against an employee because the employee (1) disclosed, or threatened to disclose, a violation of a law to an appropriate governmental agency; (2) provided information to or testified before a governmental agency investigating a violation; or (3) objected to or refused to participate in any activity, policy, or practice the employee reasonably believed was in violation of law.

For public-sector whistleblowers, Fla. Stat. § 112.3187 (Florida Public Whistleblower's Act) provides similar protections with different procedures.

Audit Observations:
☐ Whistleblower policy in place and communicated
☐ Anonymous reporting channel available
☐ Whistleblower complaint log maintained
☐ Retaliation prevention training conducted
☐ Deficiencies: [________________________________]

8. PRIOR AUDIT FOLLOW-UP

9. MANAGEMENT REPRESENTATIONS

Management of the Company represented to Internal Audit (in writing, as required by IIA standards) that:

1. All requested documents and records were provided without material omission;
2. Management is aware of no material fraud or illegal acts other than those disclosed to Internal Audit;
3. Personnel have not been instructed to conceal information;
4. All known instances of non-compliance with applicable laws have been disclosed.

Representations signed by [________________________________], [Title], on [__/__/____].

10. DISTRIBUTION AND CONFIDENTIALITY

This Report is privileged and confidential. Distribution is strictly limited to:

• [Audit Committee of the Board of Directors]
• [CEO and CFO]
• [General Counsel / outside Florida counsel]
• [Other authorized recipients]

Recipients must not further distribute the Report without written authorization from the Audit Committee Chair and General Counsel. Any request for production of this Report in discovery should be immediately escalated to General Counsel for privilege review under Fla. Stat. § 90.502 (attorney-client privilege) and Fla. R. Civ. P. 1.280(c) (work-product protection).

Florida Public Records Consideration: If the Company is a "public agency" within the meaning of Fla. Stat. Ch. 119 (Florida Public Records Act), this Report may be subject to public disclosure notwithstanding its "audit" designation, subject to applicable exemptions (e.g., § 119.0713 for active investigations, § 119.071 security systems exemption). Consult with counsel before distribution.

11. CERTIFICATION

I certify under penalty of perjury under Fla. Stat. § 92.525 that the information in this Report accurately reflects the audit procedures performed and the findings identified, to the best of my knowledge.

Lead Auditor:

Signature: [________________________________]
Name: [________________________________]
Title: [________________________________]
Credentials: [________________________________]
Date: [__/__/____]

Counsel Oversight:

[________________________________]
Name: [________________________________]
Florida Bar No. [________________]
Date: [__/__/____]

Sources and References

• Fla. Stat. § 501.171 - Florida Information Protection Act
• Fla. Stat. § 501.701 et seq. - Florida Digital Bill of Rights
• Fla. Stat. Ch. 119 - Florida Public Records Act
• Fla. Stat. § 286.011 - Florida Sunshine Law
• Fla. Stat. § 112.3187 - Public Whistleblower's Act
• Fla. Stat. § 448.102 - Private Whistleblower Act
• Fla. Stat. § 896.101 - Money Laundering Act
• Fla. Stat. §§ 68.081-68.092 - Florida False Claims Act
• Fla. Stat. § 817.034 - Communications Fraud Act
• Fla. Stat. Ch. 517 - Securities and Investor Protection Act
• Fla. Stat. Ch. 440 - Workers' Compensation
• Fla. Stat. Ch. 607 - Business Corporation Act
• Fla. Stat. Ch. 605 - Revised Limited Liability Company Act
• Fla. Stat. § 90.502 - Attorney-client privilege
• Fla. R. Civ. P. 1.280 - Work-product protection
• International Standards for the Professional Practice of Internal Auditing (IIA IPPF)
• COSO Internal Control - Integrated Framework (2013)
• COSO ERM Framework (2017)