Internal Audit Report (New York)


INTERNAL AUDIT REPORT — STATE OF NEW YORK

Framework for issuance of an internal audit report by a company with operations or incorporation in New York. Addresses New York-specific compliance obligations including the SHIELD Act, NYDFS Part 500 cybersecurity regulation, Martin Act exposure, BCL director duties, and NY Labor Law § 740 whistleblower compliance.


NEW YORK REGULATORY CONTEXT

NYDFS Part 500. Covered Entities under 23 NYCRR Part 500 (banks, insurers, money transmitters, virtual currency businesses) must maintain a cybersecurity program, appoint a CISO, conduct annual risk assessments, and file an annual Certification of Material Compliance (formerly Certification of Compliance) by April 15 each year.

SHIELD Act (GBL §§ 899-aa, 899-bb). Any person or business owning or licensing private information of New York residents must (i) implement reasonable administrative, technical, and physical safeguards; (ii) notify affected residents, the AG, the Department of State, and the Division of State Police following a data breach; and (iii) in the case of breaches affecting more than 5,000 NY residents, notify consumer reporting agencies.

Martin Act. The NY Attorney General has broad jurisdiction under Gen. Bus. Law Art. 23-A to investigate and prosecute securities and commodities fraud, even without proof of scienter. Internal audit findings implicating securities practices warrant immediate escalation and consideration of privileged protection.

BCL § 717 Duty of Care. Directors must discharge duties in good faith and with the care of an ordinarily prudent person in like position, with reliance on audit committee reports generally protected under § 717(b).

N-PCL § 712-a. For not-for-profit corporations with revenue above specified thresholds, annual independent audits and audit committee oversight are mandatory.

Whistleblower Retaliation — NYLL § 740. The report must not recommend or support action that would be retaliatory against whistleblowers, given the 2022 expansion of whistleblower protection (covers independent contractors, former employees, "reasonably believes" standard).

Attorney-Client Privilege. Consider whether the audit should be conducted under the direction of counsel to preserve privilege under Upjohn Co. v. United States, 449 U.S. 383 (1981), and New York's analogous common law.


1. REPORT HEADER

INTERNAL AUDIT REPORT — CONFIDENTIAL

Field | Detail
Company | [________________________________]
State of Incorporation | [________________________________]
NY Principal Place of Business | [________________________________]
Audit Period | [__/__/____] to [__/__/____]
Report Date | [__/__/____]
Prepared By | [________________________________], Chief Audit Executive
Submitted To | Audit Committee of the Board of Directors
Privilege Status | ☐ Privileged under counsel direction ☐ Non-privileged
Distribution | Board, Audit Committee, CEO, CFO, General Counsel, External Auditors

2. EXECUTIVE SUMMARY

2.1 Purpose. This Internal Audit Report documents the results of the audit of [________________________________] (the "Audited Function") conducted by the Internal Audit Department (the "IAD") in accordance with the IPPF (International Professional Practices Framework), the COSO Internal Control — Integrated Framework, and applicable New York regulatory requirements.

2.2 Scope. The audit covered:

  • [________________________________]
  • [________________________________]
  • [________________________________]

2.3 Overall Opinion. Based on the audit work performed, IAD rates the control environment of the Audited Function as:

☐ Satisfactory — Controls are designed and operating effectively.
☐ Needs Improvement — Controls require enhancement but key risks are mitigated.
☐ Unsatisfactory — Material control weaknesses exist that require immediate remediation.

2.4 Key New York Regulatory Exposure Identified:

  • ☐ NYDFS Part 500 cybersecurity gaps
  • ☐ SHIELD Act reasonable safeguards deficiencies
  • ☐ Martin Act / Attorney General exposure
  • ☐ Sarbanes-Oxley / PCAOB (for SEC registrants)
  • ☐ NYLL wage and hour violations (NYLL §§ 191, 195, 198)
  • ☐ NYSHRL / NYCHRL discrimination exposure (Exec. Law § 296; NYC Admin. Code § 8-107)
  • ☐ NY SHIELD Act data protection deficiencies
  • ☐ Other: [________________________________]

3. AUDIT SCOPE AND METHODOLOGY

3.1 Audited Function. [Detailed description of processes, systems, and controls examined]

3.2 Methodology.
a. Walkthroughs and process flowcharts (dates: [__/__/____] to [__/__/____]);
b. Substantive testing (sample size: [____]; population: [____]; method: [________________________________]);
c. Data analytics using [tool];
d. Interviews with [number] personnel, documented in memoranda retained in the audit file;
e. Review of New York-specific regulatory requirements, including NYDFS Part 500 and the SHIELD Act where applicable.

3.3 Standards Followed.

  • IPPF (IIA Standards)
  • COSO 2013 Internal Control — Integrated Framework
  • COSO ERM 2017 (where risk management is in scope)
  • Applicable New York statutes and regulations identified herein

3.4 Limitations. [Describe any scope limitations, data unavailability, or timing constraints that may affect the report]


4. FINDINGS

4.1 Summary Table

Finding # | Description | Risk Rating | NY Regulation Implicated | Owner | Target Date
F-01 | [____] | High / Moderate / Low | [____] | [____] | [__/__/____]
F-02 | [____] | High / Moderate / Low | [____] | [____] | [__/__/____]
F-03 | [____] | High / Moderate / Low | [____] | [____] | [__/__/____]

4.2 Detailed Finding Template (Repeat per finding)

Finding Number: F-[____]
Title: [________________________________]
Risk Rating: ☐ High ☐ Moderate ☐ Low

Condition: [What was found]

Criteria: [What should be — e.g., 23 NYCRR § 500.03 requires a written cybersecurity policy / GBL § 899-aa requires breach notification within specified timeframes / Company Policy XX-YY]

Cause: [Root cause]

Consequence: [Actual and potential impact, including regulatory, financial, reputational, and operational]

Recommendation: [Specific, measurable, time-bound corrective action]

Management Response: [Agreed / Partially Agreed / Not Agreed — with explanation]

Target Remediation Date: [__/__/____]

Owner: [________________________________]


5. NEW YORK-SPECIFIC REGULATORY ASSESSMENT

5.1 NYDFS Cybersecurity Regulation (23 NYCRR Part 500) — If Covered Entity

☐ Written cybersecurity policy approved by senior officer or board (§ 500.03)
☐ CISO designated and annual report to the board (§ 500.04)
☐ Annual risk assessment (§ 500.09)
☐ Multi-factor authentication in place (§ 500.12)
☐ Audit trail systems for five years (§ 500.06)
☐ Encryption of nonpublic information (§ 500.15)
☐ Incident response plan tested (§ 500.16)
☐ Notice of Cybersecurity Event filed within 72 hours of determination (§ 500.17(a))
☐ Annual Certification of Material Compliance filed by April 15 (§ 500.17(b))

5.2 NY SHIELD Act (GBL §§ 899-aa, 899-bb)

☐ Reasonable administrative, technical, and physical safeguards in place
☐ Written information security program (or Small Business safe harbor compliance)
☐ Designated individual coordinating security program
☐ Third-party service provider diligence and contractual safeguards
☐ Breach notification procedures (with AG, Department of State, Division of State Police)
☐ Capacity to notify within time "most expedient possible and without unreasonable delay"

5.3 NY Labor Law Compliance

☐ § 195 Wage Theft Prevention Act wage notices in employee's primary language
☐ § 191 frequency of payments compliance (weekly for manual workers)
☐ § 162 meal period compliance
☐ § 740 whistleblower posting and protection practices
☐ NYSHRL § 296 sexual harassment prevention policy and training (annual, all employees)

5.4 NY Corporate Governance

☐ BCL § 717 director reliance on audit committee reports documented
☐ BCL § 713 interested director transaction disclosures current
☐ D&O insurance in force
☐ Audit Committee charter and independence (NYSE/NASDAQ listing standards where applicable)

5.5 Martin Act and AG Exposure

☐ Securities representations to investors reviewed for accuracy
☐ Disclosures to New York investors consistent with Art. 23-A
☐ No "fraudulent practice" as broadly defined under § 352

5.6 Consumer-Facing Deceptive Practices

☐ Advertising and marketing reviewed for GBL §§ 349, 350 compliance (materially misleading, consumer-oriented)
☐ New York-specific disclosure requirements honored (FAIR Business Practices Act 2025 where applicable)


6. MANAGEMENT ACTION PLAN

6.1 Management shall submit a written Corrective Action Plan ("CAP") within 30 calendar days of the Report Date, in the format of Appendix B.

6.2 For High-Risk findings, remediation shall be completed within [90] days and verified by IAD.

6.3 Quarterly status reports to the Audit Committee until all findings are closed.

6.4 IAD shall perform follow-up testing within [6 to 12] months after the CAP completion date.


7. WHISTLEBLOWER PROTECTION STATEMENT

7.1 This Report and any related investigation are conducted in compliance with N.Y. Labor Law § 740, as amended effective January 26, 2022. No recommendation in this Report may be interpreted as authorizing or directing retaliatory action against any employee or former employee (including independent contractors) who disclosed or threatened to disclose activity reasonably believed to violate law, rule, or regulation, or to pose a substantial and specific danger to the public.

7.2 Any indication of attempted retaliation uncovered during the audit shall be immediately escalated to the General Counsel, the Audit Committee Chair, and (if appropriate) the Ethics and Compliance Officer.


8. PRIVILEGE AND CONFIDENTIALITY

8.1 Privilege. This Report is issued:
☐ under the direction of counsel for purposes of rendering legal advice, and is protected by attorney-client privilege and the attorney work-product doctrine; or
☐ as a routine business record without privilege protection.

8.2 Confidentiality. Distribution is strictly limited to the persons identified in Section 1. Unauthorized disclosure may waive privilege and expose the recipient to liability.

8.3 Document Retention. Audit workpapers shall be retained for seven (7) years pursuant to Company policy and applicable statutes of limitations, including the six-year period under CPLR § 213 and any longer period required under Sarbanes-Oxley or industry-specific regulation.


9. CERTIFICATIONS

9.1 IAD Independence and Objectivity. IAD affirms its organizational independence pursuant to IIA Standard 1100 and confirms that no member of the audit team has any conflict of interest with respect to the Audited Function.

9.2 Professional Care. Audit procedures were performed by qualified personnel in conformity with IPPF due-professional-care requirements.

9.3 Management Representations. Management represented to IAD that (a) all material information requested was disclosed; (b) documents and data provided are accurate and complete; (c) no known fraud or material control weaknesses have been withheld; and (d) IAD was given timely access to personnel, records, and systems.


10. SIGNATURES

Internal Audit Department
[________________________________]
Chief Audit Executive
Date: [__/__/____]

Audit Committee
[________________________________]
Audit Committee Chair
Date: [__/__/____]

Acknowledged by Management
[________________________________]
Chief Executive Officer
Date: [__/__/____]

APPENDIX A — DETAILED FINDINGS MATRIX

[Complete matrix of all findings with condition, criteria, cause, consequence, recommendation, management response, and remediation evidence]

APPENDIX B — CORRECTIVE ACTION PLAN TEMPLATE

Finding # | Action Item | Owner | Target Date | Status | Verification
F-01 | [____] | [____] | [__/__/____] | Open / In-Progress / Closed | [____]

APPENDIX C — NEW YORK REGULATORY CROSS-REFERENCE

Regulation | Applicable | Compliance Status | Notes
23 NYCRR Part 500 (NYDFS Cyber) | Yes / No | [____] | [____]
GBL § 899-aa (SHIELD breach) | Yes / No | [____] | [____]
GBL § 899-bb (SHIELD safeguards) | Yes / No | [____] | [____]
NYLL § 195 (Wage Notices) | Yes / No | [____] | [____]
NYLL § 740 (Whistleblower) | Yes / No | [____] | [____]
NYSHRL § 296 | Yes / No | [____] | [____]
Martin Act Art. 23-A | Yes / No | [____] | [____]
GBL § 349 (Deceptive Practices) | Yes / No | [____] | [____]
BCL § 717 (Director Duties) | Yes / No | [____] | [____]

Sources and References

  • 23 NYCRR Part 500 — https://www.dfs.ny.gov/industry_guidance/cybersecurity
  • N.Y. Gen. Bus. Law §§ 899-aa, 899-bb (SHIELD Act)
  • N.Y. Labor Law § 740 (Whistleblower)
  • N.Y. Bus. Corp. Law § 717
  • N.Y. Martin Act, Gen. Bus. Law Art. 23-A
  • IIA IPPF, COSO ICIF (2013), COSO ERM (2017)

Disclaimer: This template is provided for informational purposes only and does not constitute legal advice. It must be reviewed and customized by a New York-licensed attorney before use.


Last updated: April 2026