Internal Controls Policies and Procedures

Rose Hightower

John Wiley & Sons, Inc.

This book is printed on acid-free paper.

Copyright © 2009 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-646-8600, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials.
The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our Web site at http://www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Hightower, Rose.
Internal controls policies and procedures / Rose Hightower.
p. cm.
Includes bibliographical references and index.
ISBN 978-0-470-28717-0 (paper/website)
1. Auditing, Internal. 2. Corporate governance. 3. Managerial accounting. I. Title.
HF5668.25.H54 2009
657'.458—dc22
2008022105

Printed in the United States of America

10 9 8 7 6 5 4 3 2 1

About the Author

Rose Hightower

Rose is an accountant, professor, author and owner of IDEAL Consulting Solutions International, LLC. She earned an Accounting degree while in Canada and a Master's degree from Syracuse University. Rose has lived and worked in Toronto and New York. She is an energetic, proactive program manager with extensive Fortune 500 experience in identifying and resolving challenges in finance, process management and organizational development. Her career reflects results-oriented leadership with strong creative problem solving and analytical skills.
Rose has over 30 years of business experience working with small, medium and corporate clients to improve their efforts and direction in leadership development. As an accountant, Rose has participated in, managed and had oversight responsibilities within various accounting and finance departments, including twenty years at IBM, identifying and resolving challenges in finance, process management and organizational assessment.

IDEAL Consulting Solutions International, LLC is a business specializing in redesigning accounting and finance processes, providing the tools and skills necessary to improve business operations. The IDEAL™ philosophy is to provide value-added assessments and transfer skills. Current projects include the design and implementation of documentation programs, improving them to address significant accounting deficiencies.

With a lifelong interest in learning, Rose has taught the mechanics of accounting and finance to college and university students within Canada and the States. Teaching has kept her interest and excitement about the topic fresh and current, and combining her real-world experience with textbook concepts has provided additional value to her students.

Rose is the author of Accounting and Finance Policies and Procedures, also published by John Wiley and Sons, which serves as a prequel and companion to this manual. Within these manuals, she packages current research and proven experience in ready-to-use solutions.

You may contact the author by visiting www.idealpolicy.com.

About the Web Site

As a purchaser of this manual, Accounting and Finance Policies and Procedures, you have access to the supporting web site: www.wiley.com/go/icpolices

The web site contains everything within the book. This download is an accumulation of Microsoft Word, Excel, and PowerPoint documents.
The password to enter this site is: controls

Contents

How to Use this Manual
Preface

Governance Journey
A01 Big G to little g governance journey
Appendix: Background for COSO, SOX, PCAOB
A02 Risk Assessment
A03 Oversight
A04 Documentation

Internal Control Program
B01 Internal Control Program
B02 Internal Control Process
B02a Internal Control Policy and Procedure
B02b Internal Control Program Charter
B02c Internal Control Plan
B03 Authorization and Approval Program
B03a Delegation of Authority
B03b Authorization – Delegation, SubDelegation of Authority
B03c Responsibility, Authority, Support, Counsel, and Inform (RASCI)
B04 Information Technology Program
B04a End-User Computing—Control of Spreadsheets Policy and Procedure
B05 Account Reconciliation Program
B05a Account Reconciliation
B06 Quarterly Subcertification Program
B06a Quarterly Subcertification
B06b Quarterly Subcertification – Matrix
B06c Quarterly Financial Subcertification Training For First-Time Subcertifiers

Control Activity Program Testing Guides
C01 Control Activity Program
C01a Control Activities Template
C01b Result of Control Activity Testing
C01c Internal Control – Planning, Testing, and Remediation Worksheet
C01d Reporting Scorecard
C02 AP – Disbursements
C02a AR – Allowance for Doubtful Accounts
C02b AR – Cash Applications
C02c AR – Collections
C02d AR – Credit Administration
C02e Cash and Marketable Securities
C02f Financial Planning and Analysis
C02g Fixed Assets, Long Lived Assets
C02h Intercompany Transactions – Cross Charges
C02i Raw Materials and Inventory
C02j Journal Entries
C02k Payroll
C02l Procurement
C02m Revenue Recognition
C02n Retail Sales Orders to Business Partners
C02o Income Tax

Appendix: Internal Control Planning, Testing and Remediation Worksheets
Acronyms
References
Index

How to use this Manual

Whether you are a large public for-profit corporation or a small independent, there is benefit and value in adopting an internal control program. This manual is structured as the final product and includes everything you need to document your internal controls program. These documents must be customized and adapted to fit into your company's culture and environment. Throughout the manual there are exercises that, when complete, will assist by providing input to the internal control program and determining your company's internal control posture.

Using the URL www.wiley.com/go/icpolicies, download the book and customize it. Follow the document layout and adjust the scope and process flow using your Company's language and procedure. Everything contained within the book is contained within the URL download.

In addition to considering this manual a reference or a "how to," use it as a workbook. As you read through the chapters, perform the exercises to deepen your awareness, identify and prioritize your strategies, and enable employees to be part of the solution. As you review this manual, complete the exercises as you go and you will have a customized internal control program and plan.

In addition to providing some background as to why internal controls are important, this manual includes internal control program-specific policies, procedures, and testing guides—basically everything you need to launch an internal control program. This manual is a companion book to the Accounting and Finance Policy and Procedure manual also offered by John Wiley & Sons and available at www.wiley.com/WileyCDA/WileyTitle/productCd-0470259620.html.
This download is an accumulation of Microsoft Word, Excel, and PowerPoint documents and Visio charts named and numbered in accordance with the Table of Contents. The downloadable files are distributed on an "as is" basis without warranties. This download is available for your personal use within your company and must not be further distributed or used for resale. Permission to download the manual is achieved by procuring the book. This book and the downloadable version contain general information and are not intended to address specific circumstances or requirements. The author does not give any warranties, representations, or undertakings, expressed or implied, about the content's quality or fitness for a particular purpose.

For additional program information or support, contact me as the Policyguru via [email protected] or visit www.idealpolicy.com.

Preface

To: Chief Financial Officer, Chief Compliance Officer, and Internal Control Program Manager

Do you worry about . . .

• Achieving objectives?
• Being resilient enough to adapt to change in time?
• Managing risks intelligently?
• Recognizing opportunities?

Do you know where your risks are and how to prioritize them? Does your staff have the resources and support they need to recognize and mitigate these risks? Could your company benefit from improved accounting and finance processes?

Having a strong internal control department enables management to deal with rapidly changing economic and competitive environments, shifting customer demands and priorities, and identifying when and where to restructure for future growth.

This manual is brought to internal control, accounting, and finance leaders and professionals who are tasked with implementing a program that will:

• Identify opportunities for effectiveness and efficiencies and reduce risk
• Engage the workforce
• Comply with external governance and reporting requirements such as Securities and Exchange Commission reporting and Sarbanes-Oxley compliance

The Internal Controls department is tasked with a role and responsibility that is more than just governance, risk, and oversight. This manual deals with those topics and presents tools and techniques which can address CEO/CFO worries. Internal control is more than a role and responsibility; it is a philosophy, culture, and way of thinking. This manual integrates the governance objectives with internal control basics and provides tools and techniques which, when applied, provide valuable information to the executive leadership and other stakeholders.
As I began researching and preparing this manual, I realized that most large public companies were using and describing the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework in the same way. That is both good and bad news. The good news is that there is considerable evidence and proof that the COSO framework is the generally accepted standard and that there is a consistent look and feel to customized manuals. Internal control program managers become subject matter experts on implementing the framework.

The difficult news for an author is how to make this subject matter fresh and new. So, although the lists may seem familiar, I hope I bring a fresh, new commonsense approach to applying the framework. Since my strength is in accounting and finance processes and process management, my philosophy is to embed COSO into the very processes we live and work with every day.

Whether you are a large public company or a small independent, the philosophy and approach will add value to your bottom line. The approach is based on laws and regulations and follows a commonsense approach to applying continuous process improvement techniques.

This manual is made up of three parts and includes a discussion of the governance journey, the internal control program, and the internal control testing guides. The manual contains exercises, self-assessments, and various other tools and techniques that can and should be adapted to your control environment. Many of the concepts presented have been part of the repertoire of the best process-driven companies, with the tools and techniques used in other proven models and approaches. This manual brings these concepts together in a fresh way, ready for customization and implementation and aimed to achieve bottom-line results.
There will be references to Sarbanes-Oxley and COSO; you may recognize the style of self-assessment tools, process management, and project management techniques. These all come together as a road map to implement or refresh your internal control program.

The documents should be used as a starting point for constructing, revitalizing, or documenting your company's internal control program. The program and the testing guides must be personalized and customized to meet your company's needs. Replace my company's name (IDEAL, LLP; used only at the beginning of some documents) with your company's name. Follow the document layout and adjust the scope and process flow using your company's language and procedure.

Welcome to an exciting process. As you work through the process, the outcomes will present you with insights and opportunities about your company that you may not be currently aware of. Use this manual as a starting point to assess the maturity of the internal controls program. As you address each of the processes, if the documentation process comes "easily" (i.e., is currently available, is followed by most if not all of your company's subsidiaries and locations, and is measured and used as a basis for continuous process improvement), then the process is very mature and there should be no surprises.

Whether you use this manual as a reference, workbook, or guide, congratulations on taking this step and acquiring this valuable resource.

Rose

Rose Hightower
[email protected]
www.idealpolicy.com

GOVERNANCE JOURNEY

Internal Use Only

BIG G TO LITTLE g GOVERNANCE JOURNEY

Investments in public offerings such as stocks drive the economy. Recent history and current events indicate that stock markets can be unstable for a variety of reasons. In order to protect investors and shareholders, external or public governing organizations have created laws that require companies to provide investors and shareholders with current, accurate, and relevant data and information. Governance is about creating an environment and process for those laws, rules and regulations. Within this section, there are references to COSO and SOX; if you need a refresher, at the end of this chapter is a summary of these important initiatives.

What is governance?

According to the International Federation of Accountants (IFAC), governance refers to a set of responsibilities and practices exercised by management with the goal of providing strategic direction and tactical guidance to ensure that company goals and objectives are achieved, risks are identified and managed appropriately, and resources are assigned responsibly. The key message is that governance is a process that, when practiced, reinforces integrity and accountability and demonstrates leadership.

Notice that the definition is not limited to publicly owned companies and is not limited to laws and regulations. There are lessons to be learned from the public companies that have had to deal with the roller coaster impact to their market and asset values. Other "not so public" companies can benefit and reap the bottom line benefits of adopting the tools used on the governance journey. So, if you are a small or private company, there are cautions and benefits that you need to pay attention to.
What is governance about?

Governance is about creating and maintaining an ethical work environment; it is about establishing and following the rules; it is about transparency and disclosure. Governance is about creating and following a process to establish, communicate, implement, and measure the principles, rules and regulations required to conduct business.

Where does governance come from?

From an accounting and finance point of view, external or big G Governance originates from laws and regulatory organizations such as the Securities and Exchange Commission (SEC), the Financial Accounting Standards Board (FASB) and the Public Company Accounting Oversight Board (PCAOB). Externally, these governing organizations propose principles, rules and methodologies that are aimed at increasing integrity in the quantitative and qualitative information presented to potential investors and shareholders. To comply with external governance, leaders must find a way to communicate and integrate these externally driven rules and regulations into internal business practices and processes. Big G Governance originates from sources external to the company while little g governance originates from inside.

Some of the forces behind big G Governance include:

• Market stability, which is driven by investors and those in a position of oversight requiring accurate, complete and transparent information
• Political and economic stability, which is driven by local governments imposing economic principles and rules on specific industries
• Financial stability, which is often identified as the measure between stock prices and asset values

As part of big G Governance, those who are asked to implement the rules are asked to provide input to those regulatory bodies and agencies; for example, public companies satisfy quarterly financial reporting requirements.
Those companies and other interested parties provide comments as to current and future direction. The SEC and PCAOB review and evaluate the submissions and comments to ultimately determine the adequacy of current regulation and how these regulations can and must be improved. The SEC and the PCAOB are ultimately responsible for the oversight of compliance with the big G Governance accounting and finance laws and rules.

Compliance with external big G Governance is demonstrated by satisfying reporting requirements and by company leaders attesting to the accuracy and completeness of what is reported. Because the leaders cannot oversee every aspect of every transaction, leaders translate and integrate the external laws and rules into internal processes, policies and procedures, resulting in a little g governance regulatory environment. The objective of little g governance is simply to integrate big G Governance rules into company processes and comply with reporting and disclosure laws and regulations.

Corporate or little g governance is defined as a process, initiated by the company's board of directors, managers, and other personnel, to apply a strategy across the company that will achieve:

• Compliance with applicable laws and regulations
• Transparency and reliability of all public reporting and information dispersed for accurate and timely decision making
• Proper (i.e., effective and efficient) functioning of the company's processes, including positive impact on the community; fair and honest dealings with customers, vendors, and employees; compensation; and evaluation of management

Internal or business governance is marked by the review, analysis, and documentation of internal practices and processes required to get work done. Internal business processes define how work is organized and performed, defining the touch points for review, approval and escalation.
The business process owners are charged with designing processes that are compliant and yet operate efficiently and effectively. For our purposes, the term little g governance is broadly used to indicate the internal adoption of the external rules and regulations, with corporate governance being the bridge between external requirements and expectations and internal processes and resource constraints.

Why governance, why now?

It's the law. Big G and little g governance creation has to be dynamic; that is, it must be able to respond to changing environments with processes incorporating inputs from various constituents, including businesses, investors, creditors, government, and international sources, with the purpose of defining and refining governance principles and rules.

For most companies, the focus is on little g governance and the tasks needed to satisfy compliance and oversight regulations. As for any business, there must be identifiable value in the action. The program to establish and oversee little g governance must be about increasing profit contribution to the company through improved process management and decision making. Little g governance is about creating an internal environment and culture that satisfies internal decision making and external financial reporting. Therefore, while big G Governance is about the law, little g governance is about translating and integrating those laws into the fabric of the business.

Little g governance:

• Provides accurate, complete and timely data and information required for informed decision making by customers and other stakeholders
• Provides the workforce with the tools and resources required to act, and holds individuals accountable, as required for a high-performance workforce.
• Leverages the company's core competencies and work systems to manage and improve its key processes.
It is about knowing what business you are in and creating an environment to succeed. Little g governance is about ensuring that operational processes are defined, measured, and reviewed while continuing to achieve the company's goals and objectives and satisfying big G Governance reporting requirements. As part of oversight, operational processes need to be documented and risk assessed to ensure compliance with internal decision making and external reporting.

The journey from Big G to little g governance, to risk and oversight and back to Big G is demonstrated in the following flowchart. Notice that the role and responsibility of little g governance is to implement big G into the operational side of the business and the evaluation and monitoring side with risk/oversight activities. As business areas within the company execute processes, data and information, and reports both formal and informal, are escalated to the leadership team. The executive leadership and the board of directors are ultimately responsible for the effective and efficient operation of these processes and report the company's outcomes to the big G governance agencies.

Flowcharting the Governance Journey

External regulatory bodies issue directives and guidance. Companies receive and assess these requirements and develop plans to integrate them into their operations or evaluate the risk of not fully implementing them. Often, it takes time and resources to respond to the directive, and in the meantime, there is risk. The company needs to assess the requirements and determine where within their operations and to what extent they need to make changes to their processes. This assessment requires understanding and evaluating the company's specific processes and risks. When the company decides where and how to implement process changes, a transition plan and project are initiated and integrated within the operational side of the business.
During the transition period and thereafter there may be remaining risk to the company that requires monitoring and periodic reassessment. Once implemented and deployed, processes are updated and the impact of the change in regulation is measured via the processing of transactions.

The effectiveness and efficiency of the operational processes is overseen by programs that measure risk and compliance. The company uses risk assessment techniques to assess the risk of not conforming or not fully conforming. If the decision is to not accept the risk, then operational processes are updated. If the decision is to accept a level of risk, then the risk needs to be managed with oversight built into the risk management process.

With the results of operational processes confirmed, and the impact and effect of risks identified, reports are issued to executive leadership and the board of directors. Once approved, they release external reports to satisfy external regulatory reporting requirements. Additions, deletions and changes to the external rules and regulations occur as the external regulatory bodies receive company reports and feedback and as those agencies evaluate other economic environmental indicators. The governance journey is complete.

[Flowchart: the Governance Journey. Columns: Input, Process, Output. Elements: Big G Governance (e.g., SEC, FASB, PCAOB); Translate to Little g Governance based on internal assessment of environment, management discussion; Assess Risk; Okay to Integrate? (Yes/No); Roles and Responsibilities: Board of Directors, Executives, Management; Process; Operational Transition; Documentation; Policies and Procedures; Internal Controls Program; Oversight and Feedback; Reports and Metrics, Narratives, Flowcharts; Consolidate and Prepare Operational/Financial Results; Executive and External Reporting; Company Submission and Reporting.]

APPENDIX: SOME BACKGROUND INFORMATION ON COSO, SOX AND PCAOB

Every internal control manual today refers to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Framework and the Sarbanes-Oxley Act (SOX). For those not familiar with these initiatives, following is a brief overview and positioning of these important milestones as they relate to the internal control governance journey.

COSO Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992 issued Internal Control–Integrated Framework to help businesses and other entities assess and enhance their internal control systems. This framework has been recognized by executives, board members, regulators, standard setters, professional organizations, and others as an appropriate comprehensive Framework for Internal Controls. For further information on COSO go to www.coso.org. This book neither replaces nor modifies the framework, but rather provides guidance on how to integrate it within your internal control environment. Volumes have been written to discuss and describe the COSO concepts; rather than emphasizing COSO, this manual uses COSO as a tool and guide to implement your customized program.

The internal control process begins with management's setting financial reporting objectives relevant to the company's particular business activities and circumstances. Once set, management identifies and assesses a variety of risks to those objectives, determines which risks could result in a material misstatement in financial reporting and determines how the risks should be managed through a range of control activities.
Management implements approaches to capture, process and communicate information needed for financial reporting and other components of the internal control system. All this is done in the context of the company's control environment, which is shaped and refined as necessary to provide the appropriate tone from the top. These components are monitored to help ensure that controls continue to operate properly over time.

The COSO components include:

• Control Environment, which is an indicator of the level of control consciousness of the company. It is the basis for all the other components, providing direction, discipline, and structure.
• Risk Assessment represents the identification and analysis of relevant risks to achieving objectives. This component forms the basis for how risks should be identified, managed, and reported.
• Control Activities are embedded in the operational and financial processes and ensure that necessary actions are taken.
• Information and Communication identifies, captures, and communicates upstream and downstream data and information.
• Monitor refers to the process that assesses and evaluates process effectiveness, efficiency and compliance in addressing the internal control objectives. Included within the monitor component of COSO is the responsibility to report on the company's internal control posture.

Monitoring Challenges in Attaining Cost-Effective Internal Controls

This is particularly the case where managers view control as an administrative burden to be added onto existing business systems, rather than recognizing the business need and benefit for effective internal control that is integrated with core processes.
Among the challenges are:

• Obtaining sufficient resources to achieve adequate segregation of duties
• Management's ability to dominate activities, with significant opportunities for management override of controls
• Recruiting individuals with requisite financial reporting and other expertise to serve effectively on the board of directors and audit committees
• Recruiting and retaining personnel with sufficient experience and skill in accounting and financial reporting
• Taking management attention from running the business in order to provide sufficient focus on accounting and financial reporting
• Maintaining appropriate control over computer information systems with limited technical resources

The COSO framework recognizes that an entity must first have in place an appropriate set of financial reporting objectives. At a high level, the objective of financial reporting is to prepare reliable financial statements, which involves attaining reasonable assurance that the financial statements are free from material misstatement. Flowing from this high-level objective, management establishes supporting objectives related to the company's business activities and circumstances and their proper reflection in the company's financial statement accounts and related disclosures. Efficiencies are gained by focusing on only those objectives directly applicable to the business and related to its activities and circumstances that are material to the financial statements.

Sarbanes-Oxley

The Public Accounting Reform and Investor Protection Act of 2002 is commonly referred to as the Sarbanes-Oxley Act, named after its sponsors, U.S. Senator Paul Sarbanes and U.S. Representative Michael Oxley.
The Sarbanes-Oxley Act (SOX) requires that all public companies do something that they probably should have been doing all along: assign the chief executive officer (CEO) and the chief financial officer (CFO) authority over the company’s internal controls and the opportunity to demonstrate competent and transparent governance. The major sections of SOX that affect this topic include:
• Section 301, which relates to accounting and auditing complaints
• Section 302, which addresses disclosure procedures and controls, including the quarterly CEO/CFO certification
• Section 404, which addresses internal controls over financial reporting certification and attestation
• Section 409, which requires the rapid disclosure of material events

SOX requirements are based on fundamental principles of good business. Every business, whether required to comply with SOX or not, benefits from implementing and paying attention to internal controls. The benefit of a strong internal control structure and program is that it delivers business value far beyond the mandatory compliance with SOX regulations.

There are two sections within SOX that require mention here: sections 302 and 404. Section 302 focuses on management’s responsibility. CEOs and CFOs must personally certify that they are responsible for disclosure controls and procedures. Each quarterly filing must contain an evaluation of the design and effectiveness of these controls.

Section 404 mandates an annual evaluation of the company’s internal controls program. The rule requires management to base its evaluation on a recognized framework such as COSO. Executive management is directed to support its evaluation with sufficient evidence, including documentation. Section 404 additionally places responsibilities on the external auditors, who must audit management’s assessment and issue a related audit opinion.
Together, SOX and COSO have provided the mandate and defined the approach that internal control departments are to use. Companies that focus merely on legal compliance with the act will miss the potential benefits of using the act’s provisions as a catalyst for company-wide change. Companies can leverage the SOX provisions to improve employee efficiency and productivity, streamline operations, and make better financial decisions through timelier, more transparent financial information. The act represents an opportunity to elevate corporate integrity, restore investor confidence, and move the economy forward.

There is additional information on the Sarbanes-Oxley Act and how it is integrated within the internal control program in the chapter “Quarterly Subcertification Program.” For additional information on the Sarbanes-Oxley Act, go to www.sec.gov/about/laws/soa2002.pdf.

PCAOB

The Public Company Accounting Oversight Board (PCAOB) receives its mandate from section 102 of the Sarbanes-Oxley Act of 2002, which requires accounting firms to be registered with the board if they prepare or issue audit reports on U.S. public companies. The PCAOB is a private-sector nonprofit organization created by SOX to oversee the auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair and independent audit reports. The PCAOB audits the auditors and provides reports to the public. The PCAOB is mandated to provide, communicate and test compliance with generally accepted auditing standards. Additional information on the PCAOB can be found at http://www.pcaobus.org/.

PROCEDURE A02 RISK ASSESSMENT

We live in unstable and volatile times, where a company’s ability to conduct business, or its very life, can be denied by forces seemingly outside its control.
There seems to be a never-ending list of factors that require a company to always be diligent. These factors include, but are not limited to, impacts from events that involve:
• Corruption, fraud
• Economic cycles
• Globalization
• Increasing regulation
• Litigation
• Piracy of intellectual property
• Natural disasters
• Supply chain constraints, restraints
• Geopolitical unrest
• Competitive or industry consolidation
• Consumer demand
• Cyber crime

Assessing or not assessing these risks brings its own price tag in the form of missed opportunities, information and program overload, growing risk aversion and a high cost for failure. The result is a renewed scope and focus for risk, including the company’s preparedness for recognizing and managing risk when it presents itself.

Well-run and successful companies know how to use risk to their advantage. Within their organization they have those who monitor and even seek risky opportunities with the purpose of driving innovation and seeking commercial advantage. These same companies also know that resources are drained and wasted when there are inappropriate levels of risk. Understanding the difference is vital. Innovation and thrill-seeking opportunities may become the domain of sales, marketing, and research and development. There is disproportionate financial risk when innovation and thrill-seeking are not aligned with the company’s long-term goals and objectives, or when appropriate levels of financial, technical and operational due diligence are not performed before investment in these pursuits occurs. Operational risk occurs when there are unacceptable levels of waste identified by effectiveness and efficiency measures. Financial risk presents itself when budget or plan objectives are not met and when there are gaps within internal control procedures that indicate an opportunity for fraud or misuse may occur. Our focus in this manual is on the type of risk that compromises your internal controls posture.
This includes operational and financial risk.

What is risk? Risk is about being prepared for the unexpected, whether fortuitous or perilous. Risk is about anticipating what is not planned and being confident and able to apply critical thinking faster than the competition. Risk management involves a process of planning, organizing, leading, controlling, and communicating in order to minimize the effects of risk on an organization’s capital and earnings. Using a total company or total enterprise view, management expands the depth and breadth of processes to include not just risks associated with accidental losses but also those associated with financial, strategic and operational situations.

What is risk about? Risk is about understanding its nature and adopting a respectful, watchful approach. Companies that understand risk and its place in running a business use it to mitigate unnecessary threats and may even be able to win and make money by taking intelligent risks. Risk management adds value to the bottom line when it provides opportunities for cost savings through identifying and correcting operational inefficiencies, when it promotes “out of the box” thinking, and when it opens opportunities to leapfrog the competition. Risk is about being confident and prepared for action.

Not all risk needs to be avoided. For instance, refer back to the Governance flowchart. When big G Governance rules and regulations are received, an assessment needs to be conducted to determine what process, if any, is affected. Once the affected processes are identified, analysis is required to determine the best approach to comply with the regulation, including a cost-versus-benefit analysis.
The decision may be to:
• Accept the regulation and integrate it within the current process
• Accept the regulation and integrate it within a redesigned process, developing a transition process plan
• Accept the regulation and determine a top-level management approach to meet the regulatory reporting requirements without integrating it within the process
• Partially accept the regulation and integrate it within the current or redesigned process. The part of the regulation not adopted is also considered risk and must be managed. Those areas not adopted must be fully documented, including the rationale as to why it cannot be adopted at this time. Where possible, mitigating controls must be adopted and monitored, collecting evidence to demonstrate a “good faith” effort when regulators call on the company. Even with documentation and mitigating controls, regulators may still consider anything less than full adoption a nonconformance with the law. Consider the cost of potential penalties and the risk to the company’s reputation if nonconformance is the decision.

Why risk management, why now? It’s the environment we live and work in. Opportunities for risk permeate every aspect of the organization, including those points where the external environment imposes specific constraints and/or demands specific information. The following table lists and describes the various types of risks we, as accounting and finance professionals, often encounter.

Type of Risk / Description
• Business continuity: Assurance that systems and business activities are redundant and recoverable in the event of natural disaster or operational failure.
• Business environment and governance: Is an indicator of the company’s culture; sets the tone of the organization, business unit, or function; influences the control consciousness of its people; and is the foundation of risk management and internal control, providing discipline and structure.
• Change management: Company leaders and employees are unable or unwilling to implement process / product / service improvements quickly enough to keep pace with the changing marketplace.
• Compliance: A measure of conformity with applicable laws and regulations, as well as internal policies and procedures.
• Customer satisfaction/reputation: The risk that the company’s goods and/or services do not consistently meet or exceed customer expectations because of a lack of focus on customer needs.
• Data security: The protection and safeguarding of sensitive and critical information and the physical assets that support information technology.
• Employee health and safety: Health and safety risks are significant due to a lack of controls, which exposes the company to potentially significant workers’ compensation liabilities.
• Financial reporting: The risk that financial reports issued to regulatory bodies, existing and prospective investors and lenders include material misstatements or omissions of material facts.
• Human resources: The ability of personnel to effectively manage operating activities, including staff acquisition, staff retention, communication skills, empowerment, accountability, delegation, authority, integrity, judgment, and training.
• Legal: Risk that laws and litigation possibilities are not adequately factored into the management decision-making process.
• Operational and processing: Ongoing business operations, including internal (e.g., culture, people, and process) and external (e.g., competitive, political, and social environment) factors.
• Planning: The company’s business strategies are not responsive to environmental change, are not driven by appropriate inputs or an effective planning process, and are not communicated consistently throughout the organization.
• Pricing/contractual commitments: Fluctuations in prices of commodity-based materials or products result in a shortfall from budgeted or projected earnings.
• Regulatory/industry environment: Regulators impose changes to the industry regulatory environment that result in increased competitive pressures or changes to operational processes.
• Reporting: Relates to internal and external reporting and is affected by the preparer’s knowledge of generally accepted accounting principles (GAAP), as well as additional regulatory and internal accounting principles.
• Risk management: Addresses the company’s exposure to loss if market and credit conditions change or if sales, credit, and financing limits are not properly established, updated, or monitored.
• Technology: Infrastructure failure (e.g., information systems and telecommunications and/or processing limitations), including failure to properly assess the impact of rapidly changing technologies.

Risk and fraud are not the same, and fraud deserves a few words. There are generally three requirements for fraud to occur: motivation, opportunity and personality. The degree of motivation is usually dependent on situational pressures and may present itself in the form of a need for money or personal satisfaction, or to alleviate a fear of failure. Opportunity refers to having access to a situation where fraud can be perpetrated, such as weaknesses in internal controls, or by necessity or proximity within the operating environment, management styles and corporate culture. Personalities include a personal or behavioral characteristic that demonstrates a willingness to commit fraud. Personal integrity and moral standards need to be “flexible” enough to justify the fraud, perhaps out of a need to feed their children or pay for a family illness.

It is more difficult to mitigate fraud than to mitigate risk. It is difficult to have an effect on an individual’s motivation for fraud, since few employees share that level.
Personality can sometimes be changed through training and awareness programs. Opportunity is the easiest and most effective requirement to address, by developing and implementing effective systems of internal controls. While the occasion for fraud cannot be eliminated, with intelligent supporting programs the opportunity for it can be diminished by creating an environment of diligence and taking appropriate action at appropriate levels.

Exercise in Evaluating Process Risk

A company’s respect for risk shows itself in the company’s eagerness for or desire to avoid risk. A company’s risk threshold is determined based on the amount of risk exposure or potential adverse impact from an event that the company is willing to accept. As the company reaches its threshold for risk, risk management treatments and business controls are implemented to bring the exposure level back within acceptable levels.

Following is a simple exercise which can be conducted by you or with a select team. Generally the types of things which worry you most attract risk. Without overthinking it, answer the questions with your first impressions, then rate and plot them on the risk matrix.
• Which processes or areas do you think currently have the most risk exposure? Consider using a top-down approach to identify those areas where the highest impact would occur if an internal control weakness was found. Review your financial statements, profit-and-loss statement, and balance sheet. List those accounts that have the largest balances (e.g., revenue, inventory, taxes). It would be helpful to identify what you think the risk might be in these areas.
• Given that you have not conducted any research or investigation, to which of these areas are you prepared to allocate resources? The point being that if these areas worry you, and you can name the risk demon and are prepared to spend time and money to find out more, then this is something significant that requires your attention.
• Consider quantitative as well as qualitative financial and operational impacts for the probability and likelihood that the event will occur. What level of risk requires a formal response strategy to mitigate the potentially material impact? In other words, do you want to eliminate all risk, or are you willing to live with certain levels of risk?

Map the risks on the grid according to an impact and probability matrix and group the risks as to those you are willing to:
• Accept—retain within the business structure and provide resources to monitor and track
• Mitigate and control—establish thresholds and controls to ensure that if pursued the risk will be monitored and tracked, and if not pursued a transition plan is established to eliminate it from the business structure
• Share—consider alternatives on how the risk may be shared with customers, vendors, suppliers or others
• Avoid—eliminate from the business structure and prevent the risk at its source

Risk Matrix (figure): a grid with Probability on the horizontal axis (Low to High) and Impact on the vertical axis (Low to High). Risk levels run from Low Risk through Medium Risk and High Risk to Critical, and the quadrants are labeled Accept (low impact, low probability), Share (high impact, low probability), Mitigate and Control (low impact, high probability), and Avoid (high impact, high probability).

Once your responses are plotted on the above grid, identify what you can or are willing to do to mitigate the risk or test the controls. I’ve included a few typical examples in the table below to get you started. To broaden your reach, ask process owners or business area managers to take a few minutes and complete the following, providing input for the process areas that “keep them up at night.” For about a 20-minute time investment, you could receive input for about 80 percent of the key risk areas.
List Processes / Select an appropriate level of risk you are willing to accept (Accept, Avoid, Reduce, Share)

A/R—credit administration: Opportunity is to reduce or eliminate customer credit assessments
• Accept: Accept credit sales from any customer listed as part of the Fortune 500
• Avoid: Customers who are assessed as insolvent
• Reduce: Reduce risk by performing credit assessment for deals over $50K
• Share: For “at risk” customers, share the credit risk by asking for one-third of the sales price up front

A/P—invoice processing
• Accept: Accept three-way match between purchase order, invoice, and receiving report
• Avoid: Do not accept invoices without appropriate management-level approval
• Reduce: Reduce the risk by accepting a two-way match between the invoice and receiving report on selected preidentified purchases

Analyze and prioritize the list to provide a starting point for your risk management process.

Note to reader: The word process is used throughout this text and refers to a definable, repeatable, predictable, measurable, integratable series of tasks. For a process to be complete, it must have all these dimensions:
• Definable, in that there is a specific scope encompassing the series of tasks; there is a beginning and an end. There are defined inputs, defined work activities and defined outputs. There are no tasks which remain undefined to the process. Example: G equals E plus F.
• Repeatable, in that there are consistent, recurring tasks which make up the process. To ensure consistent outcomes, each time the tasks are undertaken they are performed in the same way. There is little or no room for variation to the sequence of the tasks. Example: task E always precedes task F.
• Predictable, in that once the tasks begin, consistent, comparable outcomes result. It can be computed so that when the inputs are known the outputs are expected, and if the outputs are known the inputs are calculable. Example: E plus F equals G.
• Measurable, in that performance measures are embedded into the process as an indicator of the predictability of the process. Example: If 1E leads to 1F, then 1E is a prediction of 1F.
• Integratable, in that processes are dependent on, connected to and interact with other processes. Example: C plus D equals E.

If the objective of an effective control is to ensure that a definable, repeatable, predictable, measurable outcome occurs each time a process is followed, then why not produce documentation in support of the process? Note that you could have a definable process and still not have control, if you haven’t designed the appropriate control elements into the process. Therefore, it is a myth that a defined process equals control or that documentation equals control.

PROCEDURE A03 OVERSIGHT

Where there are rules and where there is risk, there is opportunity and oversight. For example, there are rules about driving on highways, let’s say 60 miles (100 kilometers) per hour. There are opportunities with high-precision cars, and risks with inadequate drivers, to break those rules. It should be no surprise, then, that there is oversight. However, oversight is more than just policing or catching violators; there has to be consequence. Therefore, risk, oversight, and consequence are closely related.

Where does oversight come from? Oversight is included within the big G Governance rules and regulations, including but not limited to the Securities and Exchange Commission (SEC), the Sarbanes-Oxley Act, and the Public Company Accounting Oversight Board (PCAOB). In addition to providing oversight of others, each of the big G Governance organizations has oversight responsibility for its own rules and regulations. For example, the PCAOB oversees the auditors who provide audits and opinions about a company’s financial position.

What is oversight?
Oversight is defined as watchful care, careful scrutiny, and intervention. An effective oversight approach has the capacity to influence business leaders, operations, and organizational cultures. Successful oversight programs are proven to reveal waste, fraud, and abuse; protect individual rights; ensure compliance with the law; and evaluate a business’s performance.

Oversight is designed to look at everything that is done in an objective and independent manner. Oversight programs review, monitor, and supervise the execution and implementation of policies and procedures, to assure that laws are faithfully executed. As with the PCAOB, oversight programs review the processes and programs responsible for reviewing, monitoring, and remediation. Therefore, as the PCAOB audits the auditors, internal oversight reviews the effectiveness and efficiency of internal audit and controls. In order to provide independence and objectivity, a primary principle of oversight is to separate those within the oversight function from executive and operational management.

What is oversight about? Oversight is about establishing a program for addressing questions of potential risk and providing a check and balance to ensure compliance with principles, rules, policies, and procedures. As with governance and risk, oversight is a process, part of a program used to improve the integrity, credibility, and accountability of the information presented for decision making. As a program, governance and oversight must apply program and process disciplines to monitoring themselves.

Oversight is about assigning the policing role to auditors and those who audit the auditors. One aspect of the auditing role is to provide watchful care and scrutiny that the company is complying with external rules and regulations.
The consequences for noncompliance may be significant and include:
• Fines imposed on the company, the executive, and/or the board of directors
• Loss of stock market value
• Public humiliation and loss to company image and reputation, including a loss of customers, employees, and vendors
• Disbarment of business licenses, which means that the company is no longer able to conduct business

One of the functions of internal control is to provide a preventive or early warning signal when weaknesses are present. The internal control program identifies the governance issues requiring monitoring and the internal processes that have the greatest opportunity for risk. As the PCAOB does with external auditors, the internal control function must monitor those processes that oversee compliance within the company, including the effectiveness of the internal audit process.

However, the program is not limited to just providing company oversight; to be effective there must be oversight of the program itself. That is, internal controls must monitor and measure how effective its program is in providing and monitoring governance. As part of the COSO guidance, the internal control program must also be evaluated.

Why oversight, why now? To hold leaders accountable. The challenge of accountability is to demonstrate that governance policies and procedures are implemented throughout the company. The power of using oversight as a process is to encourage leaders to venture out of the office, review operations, change policies, reallocate resources, and test audit controls. The role of internal controls as a best practice is to provide data and information that will assist the company in implementing effective and efficient processes and hold responsible leaders accountable.

Use the following table as a starting point to identify where oversight is needed.
The exercise is to recognize and rate the importance and performance of the oversight principles. Next to each statement, rate how important the principle is within your company and rate how well you think you are doing in satisfying that principle. Use a high, medium, and low rating, and as with the other exercises in this unit, go with your first impression. As a company leader, you should have insight and judgment as to what is important and how well it is operating.

Importance refers to how important these principles and practices are to you in running your business, and performance refers to the degree these practices are embedded into your corporate culture and environment. Be honest—the results will help you improve.

Oversight Principles / Practices for Oversight / Importance / Performance

Strategy, mission, planning
The governing body (i.e., board of directors and senior executives) shall:
• Provide strategic direction and monitor management to achieve company goals and objectives.
• Ensure that the entity complies with all relevant laws and regulations.
• Communicate between the company and stakeholders.
• Identify and monitor key areas of risk and the tolerance appetite for risk; key performance indicators.
Importance: ___ Performance: ___

Oversight bodies
The governing body shall name subordinate committees and/or departments to aid in discharging its oversight responsibilities. These committees and/or departments shall have:
• Resources and independence needed to execute their duties. Committee members shall have the necessary skills, knowledge, and competencies to ensure effectiveness.
• A clear mandate to identify their membership, responsibilities, and accountability.
• A defined process to access, monitor, and test appropriate and relevant processes and information.
• A schedule of regular meetings with defined agendas and minutes to keep track of actions taken or to be taken.
• Defined procedures for the early reporting of significant events.
Importance: ___ Performance: ___

Transparency and disclosure
Management shall demonstrate principles of integrity, accuracy, completeness, and timely disclosure to the governing subcommittees and/or departments. Governing subcommittees and department members shall:
• Satisfy themselves that they have received objective, accurate, complete, and timely information before rendering an opinion or making a decision.
• Be subject to evaluation by the governing body in regard to their performance and effectiveness.
Importance: ___ Performance: ___

Ethical environment
The governing body shall:
• Develop, communicate, and test the company code of conduct.
• Provide a confidential (i.e., whistleblowing) process covering fraud, corruption, and other risks.
Importance: ___ Performance: ___

Audit, risk, and compliance
Executive management shall be responsible:
• For the design, implementation, monitoring, and integration of big G Governance into little g governance policies, procedures, practices, and activities.
• To establish an effective internal audit and internal control function to provide independent feedback as to management’s ability to manage the company.
Importance: ___ Performance: ___

For those items rated:
• High in importance and high in performance—congratulations, you have achieved best-practice status.
• High in importance and low in performance—consider developing an action plan to close the gap.
• Low in importance and high in performance—consider whether you are spending too much time and resources.
• Low in importance and low in performance—consider missed opportunity and/or exposures by not meeting or addressing this important principle.

Proper execution of an oversight program produces results and improves profitability. In my opinion, when companies are not seeing bottom-line results from their oversight program, the role and responsibility for oversight is misplaced.
The oversight program has probably been compromised by lack of a clear mandate, resources, or scope. When the oversight program provides baby-sitting and policing without providing the result of increased accountability, then it has become not only ineffective but powerless. When process owners look to the compliance department, internal audit, or internal controls to determine where and when controls must be “designed into” a process and for defining the types of control activities to test schemas or validate data, then the oversight program has lost its independence and objectivity. My advice is to get back to basics, apply project/process management techniques, define roles and responsibilities, and design local control activities and oversight testing activities into each process based on an acceptable level of risk.

You know you have too much or misplaced oversight when:
• It gets in the way of innovation and creativity.
• It does not add value.
• It exerts political influence.
• No attention is paid to the results.
• The objective becomes more “gotcha” and destructive versus monitoring for improvement and constructive.
• Meetings to plan the planning of oversight activities take precedence over and exceed the time and resources it takes to conduct actual oversight activities.
Applying a successful oversight program within the organization involves:
• Independence and objectivity
• A regular, systematic approach regardless of the scope or functional business area
• Comprehensive review and analysis addressing all processes
• Incorporating the use of input from other check-and-balance activities such as key performance indicators
• Performance by professional individuals knowledgeable in the areas of conducting audits and internal controls as well as the functional areas being audited or tested
• The functional organization
• Drawing the line between careful inspection and micromanagement
• Documentation with action items identified and follow-through
• Results reported up the hierarchy chain of command and to executive leaders

According to SOX regulations, the board of directors and executive leadership are responsible for overseeing the effectiveness of the company’s internal control and disclosure control. Oversight is so important that, if the independent auditors determine that the board is not fulfilling its oversight responsibilities, this failure would be a “material weakness.” Not only is the board responsible for oversight of internal control, the board is actually a component of internal control. The board’s oversight of the financial reporting function, the internal audit function, the risk management function, and the relationship with the independent auditors is an element of internal control. As described earlier, the board and executive leadership are responsible for providing direction and translating big G Governance to little g governance implementation, and they are responsible for completing the journey by overseeing that the implementation has complied with the big G Governance regulations.
PROCEDURE A04 DOCUMENTATION

Critical to operationally implementing little g governance and linking it to risk and oversight is communication and documentation.

Where does documentation come from?

Documentation is all around us—some formal such as charters, policies, procedures, and instructions; and some informal such as checklists, forms, and e-mails. Along the governance journey, all documentation is subject to scrutiny and review. Consider recent investigations where seemingly innocent e-mails and memos caused a company’s downfall. Refer to your company’s records and information management and/or information handling policies and procedures. In addition to other important topics such as legal hold and destruction, these policies and procedures define what documentation is and is not, how it must be classified, where it must reside, and how long it must be retained. How well employees comply with these rules will have an enormous impact on satisfying governance. These policies and procedures must identify the classification, use, and retention of such documentation.

At an organizational level, a best practice is to have a high-level process flow linking the company’s processes and locations. This could be achieved simply with an organization chart or using a process flow; the objective is to link subprocesses to higher-level processes and to ensure that the “handoffs” between processes are addressed as control points. As a hint, you will generally find control issues at the process “handoff” points.

What is documentation?

Documentation refers to the act of authentication, providing substantive evidence and proof. Documents refer to the formal and informal written audit trail, describing and proving that the fundamental process qualities, elements, and criteria exist, therefore serving as a form of communication, instruction, and due diligence.
By establishing a company-wide policy-and-procedure program and using that program as a basis for measuring compliance, leaders set the tone that internal controls are important and must be considered part of everyone’s business. Internal controls must be built into each process, and there must be planned reviews and testing to ensure that those controls are executed as intended. In order to demonstrate that a controlled environment exists, the process must demonstrate that it is definable, repeatable, predictable, measurable, and integratable; to prove that the process is all of those things, it must be documented, monitored, and controlled.

Management must be careful to distinguish between the documentation of internal control and the internal control itself. Creating a document that describes the controls is not the control. The control must be part of the process used by the people to carry out those documented policies and procedures. It is a myth to think that documentation equals internal controls or that no documents mean no internal controls exist. The process may have controls built in while the documentation itself is lacking. The documentation process must also be evaluated. Having said that, documentation is the backbone of the internal control framework.

There are different acceptable ways to document control procedures, including observation, narratives, and flowcharts. Software application documentation tools may be used to facilitate this process, and many reputable software companies can be found on the Internet. Since the passage of The Sarbanes-Oxley Act (SOX), many companies have developed computer software products that aid in complying with the internal control provisions of the act. These software tools typically center on helping companies automate the documentation of internal control procedures while monitoring schedules for review, testing, and remediation.
The first purpose of an automated tool typically is to serve as a repository for all process instruction and documentation. In those instances where the documentation of the control or the control itself either does not exist or is otherwise deficient, the software may allow the company to efficiently document existing policies or design and document new ones.

Since the control objectives include completeness and accuracy, it is ideal to have this type of complete documentation trail. However, most companies operate between the ideal and an ad hoc documentation basis, that is, completing documentation only when it is called for and not worrying about aligning it with other processes. For smaller companies, this approach may be useful in that the owner oversees all the processes. Smaller companies may use memoranda and instructions as a substitute for formal policies and procedures. For larger companies, an ad hoc approach to documentation signals an opportunity for improvement.

Determining an appropriate level of documentation is dependent on who will be using the documentation. I recommend taking time to prepare useful documentation, as it can and should be used when training new employees, when base-lining or reengineering the process, and when deciding which parts of the process could be eliminated, transferred, or outsourced. In addition to the higher-level policies and procedures, useful documentation for testing internal controls comes in the form of:
• Narratives—identifying the step-by-step list of activities or tasks performed to produce the desired output. These are sometimes referred to as desk procedures. These descriptions would typically identify contacts and sources of the input, testing and proving that the source input is correct, complete, and accurate.
The narratives would include reference to systems and spreadsheets, types of analysis performed, criteria for decision making, and names of those who are required to review and/or approve steps within the process. Finally, they would identify where (i.e., which system or database), when, and to whom the output is sent.
• Flowcharts—whether as simple process flows or as role-oriented “swim lane” flowcharts, flowcharts are a practical visual aid to demonstrate how the process is organized. Process flowcharts emphasize the flow of the process including data, information, and decision points, while swim lane charts emphasize a person’s role and responsibility.
• Internal control questionnaires—which aren’t really a description of the process but rather a checklist to identify the likely areas or lack of control activities. These are generally adapted from internal audit work papers, identifying typical monitoring and testing points within the process.

In performing internal control reviews and testing, an example of a typical documentation environment might reveal a weakness. The general ledger manager describes a fair reflection of the actual policy and procedures. A discussion with the monthly accrual accounting employee reveals additional details of the procedural inputs, confirming some of the procedures pointed out by the general ledger manager; however, new details or key changes to the process are disclosed. Finally, when examining the final output, it is discovered that key authorization controls were not included in the procedures discussed by the general ledger manager or the employees performing the task. In this case, there may or may not be a control weakness; however, there is a documentation weakness. In assessing the adequacy of the documentation, management determines whether control objectives have been considered.
The testing guides presented in this manual have been structured to identify and consider each of these control objectives:
• Data and information integrity, which includes completeness, accuracy, and timeliness
• Authorized and executed in accordance with formal delegation of authority
• Safeguarding the company’s assets and those assets entrusted to the company
• Segregation of duties in order to promote operational effectiveness and efficiency and not compromise the integrity of the company through opportunities for error, misstatement, or fraud
• Automate where and when possible, as in the form of information technology controls

In testing the control objective, you have to evaluate the control and the documentation separately, with the result classified as:
• Sufficient controls and documentation. That is, the documentation allows management and the external auditor to authenticate the process and:
  • Determine whether the policy, procedure, and processes are adequately designed.
  • Perform reviews and tests to validate the deployment and operating effectiveness of the controls.
• Controls exist and documentation is considered informal, communicated verbally, or otherwise not documented. Suitable documentation must be developed to facilitate an evaluation of the effectiveness of the design of the control.
• Controls do not exist or do not follow the written documentation. The process owner must design, implement, and document new control procedures and/or implement a controlled process.

What is documentation about?

Documentation is about definition and communication, providing direction and substance when used for reporting purposes. Using a top-down approach, documentation is about establishing and communicating the principles, rules, and behaviors to the greater employee population.
Documentation is used to provide authority and accountability to employees to act within defined parameters. Using a bottom-up approach, documentation is about informing management about how work actually gets done, that is, identifying the steps required to process transactions. Regardless of the method used to document new or existing controls, the goal remains the same—to accurately describe the company’s control procedures and internal control posture, as they currently exist. The preparer of this documentation should have an in-depth understanding of:
• The entity’s current operations and existing control procedures
• Internal control concepts, as described in the COSO framework
• The financial reporting process
• The assertions and disclosure requirements represented in the financial statements

Once the documentation becomes established as an accurate reflection of internal control, and standardized updating procedures are in place, actual changes to the processes must be reflected in the documentation. At least annually, process owners must review and attest that the documentation is current and accurate.

Why documentation, why now?

According to the Securities and Exchange Commission (SEC), Office of the Chief Accountant, accounting documentation, policy, and/or procedures make up 99 percent of ineffective internal controls over financial reporting issues. That bears repeating: 99 percent of the issues related to internal controls over financial reporting are due to a lack of or noncompliance with documentation. In my opinion, this means there is a disconnection or risk between the top-down management intent and the bottom-up management review of what is actually being performed. Having an effective and efficient documentation program mitigates the risk. It sounds like a simple fix—providing instructions that are in compliance with the rules and then measuring compliance to those instructions.
Developing an adequate understanding of the processing environment is critical to performing internal reviews and testing. Documenting an understanding of the process, related controls, and key roles and responsibilities can be achieved through process narratives and flowcharts. Once these documents are confirmed as accurate, they provide a baseline for performing risk analysis, internal control testing, and implementing process improvements as necessary. Notice that documentation is required regardless of the outcome of monitoring and testing. Documentation becomes a due diligence function required to execute the internal control plan, rather than just part of an audit trail for the findings.

The degree to which the external auditors may rely on tests performed by the company to evaluate the effectiveness of internal control is a matter that is addressed in the Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 2, “An Audit of Internal Control over Financial Reporting Conducted in Conjunction with an Audit of Financial Statements.” Basically, if your internal control program has integrity and depth, the external auditors may rely on the results of the company’s internal control program to reduce the amount of on-site testing and audits required; the bottom line is that this saves the company external auditor fees.

Then why is it so difficult to correct and implement? The documentation process is tedious work, requiring coordination and decisions between different functional departments and management. Typically, creating documentation is an iterative process that involves individuals at various levels of responsibility discussing processing steps, related responsibilities, and process metrics or outputs.
For more information on establishing a successful accounting and finance policy-and-procedure program, refer to the Accounting and Finance Policy and Procedure text produced by John Wiley and Sons and located at http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470259620.html.

Questions arise as to the extent of documentation needed to deem internal controls effective. The answer, of course, is: it depends. Documentation of business processes, procedures, and other elements of internal control systems is developed and maintained by companies for a number of reasons. One reason is to promote consistency in adhering to desired practices; other reasons are that documentation assists communication, creates expectations of performance, assists in education and training, and, of course, provides evidence supporting transactional processes. Documentation is reviewed and tested for its consistency, completeness, and accuracy.

The level and nature of documentation varies widely by company. Larger companies usually have more operations to document or greater complexity in financial reporting processes, and therefore find it necessary to have more extensive formal documentation. Smaller companies often find less need for formal documentation such as in-depth policy manuals, system flowcharts of processes, organization charts, or job descriptions. They might document human resources, procurement, or customer credit policies with memoranda and supplement the memoranda with guidance provided by management in meetings. Determining the level and complexity of the documentation is a matter of judgment and needs to be decided based on the value and use that a documentation program would contribute to the company’s success.

Remember to document and test the internal control process itself. Since the internal control program is a critical business process, it, too, shall be documented, monitored, and tested as to its effectiveness and efficiency.
What type of internal control indicators do you collect to support your internal control posture?

READINESS CHECKLIST FOR DOCUMENTATION

To evaluate the effectiveness of documentation, consider the following self-assessment or internal control readiness checklist. Answer Yes or No to each question. A No response indicates an opportunity for improvement.

Process Descriptions:
A) Does the process narrative summary have the preparer’s name?
B) Does the process narrative summary have the approver’s name (where applicable)?
C) Are the relevant policies and procedures noted on the summary?
D) Are the policies and procedures retained in the company-approved documentation repository?

Process Maps:
A) Do the maps indicate inputs and outputs for each activity?
B) Are there any estimates or assumptions in the process? Is the methodology explained/documented in the narrative?
C) Have risks and controls been documented where the risk and control occur?
D) Does every risk identified on a process step have a control, and vice versa?

Information Technology:
A) Is the specific database referenced where process information exists?
B) Does the narrative indicate which database?

Risk Checklist:
A) Are there any risks/controls that apply to the whole process?
B) Is the risk defined adequately enough to explain what could go wrong?
C) Does every risk link to at least one control?
D) Does every risk statement contain the cause and effect?

INTERNAL CONTROL PROGRAM

PROCEDURE B01 INTERNAL CONTROLS PROGRAM

Internal controls are more than rules; they embody a company’s principles, trust, values, and culture.
Internal control activities are more than walking a process to see if it matches the documentation. Internal control is much more than standardizing processes; it includes demonstrating that decisions are made based on applying principles and documenting the assumptions, criteria, and evidence used to make decisions. Internal controls is the part of the governance journey that has responsibility to assess, test, monitor, evaluate, and report on the status of implementing big G Governance.

What are internal controls?

Control refers to a set of activities used to guide, manage, and regulate toward a directive. Internal control refers to a skill developed and applied within a company, which uses judgment to assess and determine compliance. Those who exercise internal control must have the power and authority to act on and remediate findings. Internal controls refers to a program of activities established to catch and monitor a potential exposure that could result in a significant error, omission, misstatement, or fraud. An internal controls program (Program) is the core where big G and little g governance, risk, oversight, documentation, and assessment come together. The internal control program provides reasonable assurance and oversight for processes that:
• Establish parameters to delegate power or authority to guide and regulate economic activities such as those demanded by external regulations and identified within internal policies and procedures.
• Test and report on compliance with those established parameters.
• Evaluate operational effectiveness and efficiency.
• Assess the reliability of financial reporting.
• Report on compliance with applicable laws and regulations.
• Support the remediation effort by examining the limits of authority as defined in the first step.

The program consists of a specific set of policies, procedures, and activities designed to address opportunity, risk, and uncertainty.

What is internal controls about?
Internal controls is about assessing risk, providing oversight, and reporting on the company’s control posture. Often confused with internal audit, in many companies internal controls has become subordinate to internal audit. Internal controls and internal audit are the same in that their purpose is to add value and improve an organization’s operations. They both use auditing techniques and analytical tools to assess and evaluate the business environment. Internal controls differs from internal audit in that it is not just about assessing and evaluating a company’s compliance posture in an oversight capacity; the internal control function needs to be a proactive participant in defining, documenting, communicating, educating, testing, and supporting the company’s operational and financial goals and objectives. Many companies use internal controls as a penalty-free audit where department and process managers may render opinions and decisions about business practices and the implementation of big G Governance. Internal auditors are generally interested in validating data and reports at the end of a cycle with the purpose of rendering judgment and an opinion. Internal controls are generally interested in validating the operational and financial process used during a cycle with the purpose of exposing weaknesses and identifying areas for improvement.

To summarize and use language that we accountant types might better understand, internal auditors evaluate and assess a process “as at” a point in time, while internal controls professionals evaluate and assess transactions over a “period of time.”

Where does the model and requirement for internal controls come from?
Internal controls are part of the governance cycle that originates from external laws and regulations and is translated into internal strategies, policies, and procedures that, when deployed, are used to produce data, information, and reports to those same external organizations where the laws originate. Internal control starts with a strong control environment, is “owned” by management, and is the responsibility of every employee. Internal controls must be designed into and embedded within business processes and not “bolted on” as oppressive “thou shall not” rules.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 1992 issued Internal Control–Integrated Framework to help businesses and other entities assess and enhance their internal control systems. Executives, board members, regulators, standard setters, professional organizations, and others have recognized this framework as an appropriate comprehensive model for internal controls.

As a result of addressing and responding to SOX requirements, most internal control departments have experienced resource constraints and unrealistic time demands. Consequently, the historic internal control mandate is very different from the present internal control mandate. Historically, internal controls reviewed operational and financial processes and provided resources to research, investigate, and address business practice–type issues (known today as compliance). Today, mainly because of the regulatory workload, internal control testing has generally excluded operations and is focused on validating that appropriate levels of review and authorization are present. Consequently, the internal controls function is generally not a value-add function, nor is it invited to the table as a valued member of the team. In too many companies, internal control managers are battle weary from fighting the “kill the messenger” wars.
Following are the signs that your internal controls program is not working the way it was intended to work:
• Do employees say “I didn’t know that”? If so, this is a signal that there is inadequate knowledge of the company’s policies, procedures, or governing regulations.
• When you ask an employee who performs a specific task and they answer with “We trust ‘A,’ who does all of those things,” this could be a sign of inadequate segregation of duties.
• If there are shared passwords, unlocked offices, or cash not secured, then there is inappropriate access to and safeguarding of assets.
• When you hear, “You mean I’m supposed to do something besides initial it?” there is incomplete form without substance.
• When the documentation reads “Just get it done, I don’t care how,” that is a sure sign of control override and a strong indicator of other “tone from the top” issues.
• When the excuse is “People are people and mistakes happen. You can’t foresee or eliminate risk,” then there are inherent limitations and there is a mismatch between the jobs employees are asked to perform and the data and skills made available to them.

This manual goes back to the historical roots of internal controls and incorporates process management, financial management, and audit techniques to execute the Program.

Why internal controls, why now?

To ensure compliance with the law, and to hold the leaders accountable for processes and decisions that make up the environment where we work.

Broken processes often can be remedied through the use of an effective internal control program, and it is not an accident that these indicators of broken processes mirror the COSO framework.
1. Lack of adequate management oversight and accountability and failure to develop a strong control culture (links back to COSO’s control environment)
2.
Inadequate assessment of the risk of certain activities, whether on or off balance sheet (links back to COSO’s risk assessment)
3. The absence or failure of key control activities, such as segregation of duties, approvals, verifications, reconciliations, and reviews of operating performance (links back to COSO’s control activities)
4. Inadequate communication of information between levels of management, especially in the upward communication of problems (links back to COSO’s communicate and remediate)
5. Inadequate or ineffective use of monitoring activities including internal control and audit programs (links back to COSO’s monitor, evaluate, and report)

Benefits realized from a well-implemented internal control program include:
• Increased operational effectiveness, reliable financial reporting
• Increased profitability
• Improved documentation of controls and control process evaluation
• Improved definition of controls across the organization, including the crucial relationship between controls and risk

Companies with effective controls experience improvements in operational effectiveness, efficiency, communication, reliability, flexibility, and resiliency. Companies with effective controls have an ability to execute as planned, allocate resources predictably, and provide consistent and reliable data and information available for decision making and reporting. The resurgence of an emphasis on internal controls has spurred a return to implementing and testing according to its historic mandate. Market leaders know how to leverage the knowledge gained from the internal control program to create measurable value across the entire organization.
A following chapter presents the program charter with objectives to provide:
• Operational effectiveness—to identify and correct defects within processing of transactions, producing products, and/or delivering services
• Operational efficiency—to identify and correct delays in processing transactions, producing products, and/or delivering services
• Oversight of the internal controls over financial reporting (ICOFR)—which includes the data and information submitted externally to satisfy government and reporting regulations
• Oversight and internal controls for all other applicable laws and regulations—as defined by the countries and areas where the company conducts business

Program versus Process

Why an internal control program and not just an internal control process? A program is more than a process. The program guarantees that there is a process whereby the program’s objectives must be researched, decided, and implemented. A program manager is constantly looking to validate the program’s objectives and approaches to ensure the best possible fit for the company. A process manager is looking to execute with consistency, refining the execution but not necessarily looking to expand or change the process mandate or scope. Notice that the first objective within the internal control charter is to establish an internal control program.

Example: A transactional or operational process is a group of cohesive tasks and activities that, when implemented, produce a product or service. A process begins with defined inputs and ends with defined outputs. The execution of how input gets converted to output is the process. Each execution of the process requires discrete input and output, and although the process may interact across departments or functions for input and/or output, the process itself is contained within one department or functional group.
The accounts receivable (A/R) collections process has the objective of following predefined tasks to facilitate the collection of valid outstanding A/R from customers. The process includes:
• Input: Data and information regarding invoices sent by the billings department
• Process: Defined procedures instructing A/R collectors as to the timing and process they are to use when approaching customers
• Procedural steps: (1) running a customer aging report, (2) identifying and selecting those customers whose billings are now due to the company, (3) communicating with those customers to gain remittance or resolution of the invoice, (4) escalating procedures for customers who remain in default, (5) recording correspondence and communication efforts and outcomes with the customer, (6) preparing outputs
• Output: Report on the status of overdue accounts. Note that the application of cash collected is another process and is not a defined output of the collections department.

A program differs in that it is a series of processes that are linked and require only periodic changes or updates to the base input, such as when rules and regulations change. The execution part of the program generally crosses functional lines and includes a cycle that may impact the entire company. An accounts receivable (A/R) program has the objective of optimizing its A/R policies and procedures to maximize sales and reduce company risk. The program includes:
• Input: (1) Company goals and objectives (e.g., sales and A/R measures such as days’ sales outstanding); (2) sales terms and conditions.
Note: The sales plan is an optional input in that if there will be a shift to only market to Fortune 500 customers rather than mass marketing, this could affect the A/R program strategies; (3) sales returns; (4) external input from Dun and Bradstreet, credit agencies, and customers; (5) cash deposit reports from treasury
• Program scope: Credit administration, collections, cash applications
• Program procedures: (1) Evaluate and assist with establishing company goals and objectives regarding sales terms and conditions; (2) staff and assign resources to perform the necessary A/R procedures, and ensure staff is trained, skilled, and has access to appropriate systems; (3) establish staff hierarchy with delegations of authority; (4) execute credit administration, collection, and cash applications; (5) reconcile customer accounts; (6) prepare, review, and analyze customer status reports for sales and management; (7) prepare input for journal entries and accounting reporting; (8) prepare, review, and analyze A/R effectiveness and efficiency reports for management; (9) evaluate the A/R program
• Output: (1) Customer status reports used as input to sales; (2) journal entries and accounting reports used as input to general accounting and external reporting; (3) continuous improvement for the A/R program

A program and a process are the same in that both are definable, repeatable, predictable, and measurable; both are integrated within the fabric of the company and both require documentation.

Financial, Operational, and Performance Risk, Controls, and Testing

Financial and operational controls exist in assessing risk and are defined as follows:
• Operational risks are transactional or event based and affect the “way” work is designed, executed, monitored, or measured.
Operational risks refer to the types of internal opportunities and weaknesses that affect processes and impact achieving the company’s operational goals and objectives. Operational risks occur when processes are not executed in an effective and efficient manner and assets are not safeguarded or are exposed to abuse by fraud, theft, or other environmental conditions. All inappropriate operational risk has a financial impact.

Financial risks are the result of operational risks and represent the financial outcomes of an ineffective, inefficient process. Financial risks may also occur when the accounting treatment is not updated to reflect changes to financial reporting requirements; these are considered noncompliance risks.

Performance risks come about when the company and process owners are driven to achieve specific key performance indicators, regardless of the cost to operational or financial integrity. Performance risks are often designed to bypass operational and financial controls and require deliberate action and collusion.

Internal Control over Financial Reporting

Big G Governance prescribes the rules and standards for management’s assessment and reporting on the status of internal controls over financial reporting (ICOFR). The Sarbanes-Oxley Act (SOX) directed the Securities and Exchange Commission (SEC) to adopt detailed rules to implement the requirements of the act relating to internal control. Specifically, sections 302 and 404 of the act identify the internal control assessments to which management must attest.

External auditor standards are defined by the Public Company Accounting Oversight Board (PCAOB). These standards describe the approach, required tests, and other guidance that the entity’s external auditors are expected to follow when reporting on management’s assertion about the effectiveness of internal control. The PCAOB audits the auditors to ensure that these standards are followed.

According to SOX and the SEC, management’s report on internal control effectiveness is required to disclose the criteria against which management assesses effectiveness. The generally accepted criterion is to follow the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control–Integrated Framework. The COSO integrated framework includes financial and operational controls, recognizing that operational controls have an indirect effect on the amounts and disclosures reported in the financial statements. The COSO framework identifies internal controls as relevant to achieving company objectives for operational, financial, and compliance goals.

The internal control testing guides included in this manual address both financial and operational control objectives, recognizing that processes are dependent not only on each other but on the operational aspects, that is, the cause-and-effect relationship between operational data and financial reporting requirements. Therefore, it is recommended that the approach to internal controls take into consideration the historical roots of the internal controls discipline and include operational and financial oversight. The internal control objective is to establish a program made up of processes that, when implemented, produce not only internal control outcomes but an assessment of the overall program itself.

COSO provides the generally accepted internal control framework, which is made up of five interrelated components:

1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitor, evaluate, and report

Following is a definition of the framework components, including a self-assessment to help you measure how well your company has adopted this framework.
APPENDIX: SELF-ASSESSMENT FOR THE INTERNAL CONTROL FRAMEWORK ACCORDING TO COSO

COSO defines the elements and scope of internal control as a framework to be used by those who oversee big G and little g governance. Following each of the COSO elements are some self-assessment questions. As with the previous self-assessment exercises, complete this by yourself or with a select group. The reasoning is that, as the executive, you know your business best and what worries you. When considering your response to those questions, apply the scoring matrix that follows to give yourself a baseline self-assessment score.

How well do you think you are doing with incorporating the COSO framework within your company and your internal controls departmental activities? Using the definitions and questions listed after each of the COSO sections, rate your company as to the degree that these elements have been incorporated into the operational approach, deployment, and results.

Use the following scoring scale to give yourself a grade. You must satisfy earlier grades before proceeding to the next level. Notice that the scale progresses from ad hoc to serving as the benchmarked company and that, as you move up the scale, there are more requirements for a deeper, more integrated deployment. Results that demonstrate that the approach and the deployment have caused the improvements are required to achieve ratings in the higher categories. Don’t be discouraged if you score low; follow the scoring road map to improve.

The scoring scale is defined as:

• Up to 20 percent—ad hoc, which means: No clear approach; issues are corrected as they arise.
• Up to 40 percent—awareness, which means: The approach includes strategic, tactical, and operational activities. Resources are assigned to internal control activities. Deployed in some areas of the business.
• Up to 60 percent—deployed, which means: The approach is deployed in most areas of the business. Internal control measurements are gathered and communicated to management for action.
• Up to 80 percent—results, which means: There is a direct cause and effect on improved internal control measures due to the deployment of the approach.
• Over 80 percent—benchmark, which means: Results are sustained and the company’s internal control program is shared with other companies and industries.

Score Sheet

Up to Percent (%)      | Control Environment | Risk Assessment | Control Activities | Information and Communication | Monitor
-----------------------|---------------------|-----------------|--------------------|-------------------------------|--------
Up to 20%—Ad Hoc       |                     |                 |                    |                               |
Up to 40%—Awareness    |                     |                 |                    |                               |
Up to 60%—Deployed     |                     |                 |                    |                               |
Up to 80%—Results      |                     |                 |                    |                               |
Over 80%—Benchmark     |                     |                 |                    |                               |

1) The control environment establishes the overall tone, or culture, of the organization, which exercises a pervasive influence on all control functions. The principles of a controlled environment need to be documented, communicated, and integrated within each of the processes. A company’s overall tone and control objectives might include becoming a process-driven company. In a process-driven company, each process and employee is part of a process value chain that is continually monitored and managed for continuous improvement, with objectives for reaching best-in-class, best-of-breed, or world-class status.

• Has the executive leadership identified an overall control strategy and assigned appropriate resources to execute the strategy?
• In support of this overall control strategy, list the types and frequency of communication that demonstrate the tone from the top.
• Would the general employee population be able to articulate the company’s control strategy and environment? If you are unsure, ask.
• How is the control strategy managed, monitored, and improved to ensure that it is meeting executive leadership goals and objectives?
• Does this strategy trickle down to those who execute the process?

2) Risk assessment is a process that identifies the risks to achieving the internal control objectives. This process forms the basis for designing control activities to mitigate those risks. For example, the risk assessment considers measurements, tools, and job aids that assist employees in evaluating the efficiency (i.e., number of defects) and effectiveness (i.e., cycle time) of each process. Once the baseline process and measures have been established, risks need to be identified and quantified.

• Has the company defined and identified the operational areas or processes where unacceptable levels of risk may be present?
• Is there a functional business area identified to assess, monitor, and track these processes?
• What is the approach used to define, identify, quantify, and report on the status of risk thresholds?
• Is there a tool that allows any employee to report on transactional events or processes that may have inappropriate levels of risk?
• Are risk-related issues investigated, tracked, and resolved in a timely manner?
• Are “band-aid” control fixes replaced with changes to the process where controls are designed in?
• How is the risk strategy managed, monitored, and improved to ensure that it is meeting executive leadership goals and objectives?

3) Control activities are policies and procedures designed to identify and mitigate risks to achieve company success and internal control objectives. Their goal is to optimize performance, proactively prevent control failures (such as errors in financial statements or employee fraud), and reactively detect failures that occur.

• What is the approach used to define, identify, measure, and report on the status of control activities?
• How are control activities identified and incorporated into the company’s documentation?
• Who reviews and approves these control activities as being adequate to meet the company’s goals and objectives?
• Is there a process to measure, collect, and report on the effectiveness of these control activities?
• What type of action has occurred to respond to inappropriate levels of control?
• How is the process of monitoring and reporting on control activities measured, reported, and improved?

4) Information and communication refers to systems that disseminate financial and operational information. Such systems must effectively deliver information both internally and externally, and receive information from both internal and external sources. For example, management must design and develop processes that are appropriate to the way the company is organized and operated. Management must authorize employees to act or execute the processes. Employees must be skilled and trained and have access to the information required to perform their jobs. To control the organization, management must receive timely, accurate, and complete reports. To comply with regulatory requirements, an organization must be able to produce accurate reports on a timely basis. Effective information and communication requires systems to be both well designed and well controlled. Design ensures that the right kind of information is sent and received both internally and externally, with controls to ensure that the information is complete, accurate, and timely.

• Are there information and communication policies and procedures (e.g., records and information management and information handling) in place to protect company informational assets?
• List the types of controls built into information and communication policies and procedures.
• Who reviews and approves these control activities as being adequate to meet the company’s goals and objectives?
• Is there a process to measure, collect, and report on the effectiveness of these internal controls?
• What type of action has occurred to respond to inappropriate levels of control?
• How is the process of monitoring and reporting on control activities measured, reported, and improved?

5) Monitoring, evaluating, and reporting integrates the four elements of internal control described above and is an essential characteristic of an effective system of internal control. Regular and continuous monitoring of the control environment, risk assessment, control activities, and information and communication provides continuous feedback on the effectiveness and efficiency of these control elements. Monitoring occurs at all levels of the organization, from the board of directors to individual employees.

• Are monitoring, evaluating, and reporting considered value-add activities?
• Are the monitoring, evaluating, and reporting functions separated from those functional areas that provide operational support?
• Are there defined tools used for analysis and decision making? Are these tools evaluated for their effectiveness?
• Is the internal control program itself monitored, evaluated, and reported on to validate that the appropriate level of risk, control, and control activity is implemented throughout the company?
• How has the internal control program been improved over the years?
• Have the executive and board of directors received training at least annually on governance, compliance, and internal control procedures?

Note to Reader: Internal controls have been an important component of successful companies for decades prior to the issuance of the Sarbanes-Oxley Act. Internal controls became an embedded discipline within process controls and process management.
Long before Sarbanes-Oxley and long before masters of business administration (MBAs) influenced the business world, a solid internal control environment could be used as a tool and technique to meet and accelerate the achievement of business goals, objectives, and profitability targets.

If you have worked through the simple, yet powerful exercises presented in this and previous chapters, you have a good baseline or profile of your company’s internal control posture. Use this as valuable input in customizing your internal control program. The following chapters are designed to assist your company in the adoption and measurement of a solid internal control program. At strategic points, job aids and tools are introduced to assist with the establishment and measurement of internal controls.

Following are some quick fixes you can do right now to improve:

• Implement segregation of duties, where duties are divided or segregated among different people to reduce the risk of error or inappropriate actions. No one person has control over all aspects of any transaction.
• Make sure a person delegated approval authority authorizes transactions that are consistent with policies and procedures.
• Ensure that records are routinely reviewed and reconciled by someone other than the preparer or person processing the transaction, to determine that transactions have been properly processed.
• Make certain that equipment, inventories, cash, and other property are secured physically, counted periodically, and compared with item descriptions shown on control records.
• Provide employees with appropriate training and guidance to ensure that they have the knowledge necessary to carry out their job duties, are provided with an appropriate level of direction and supervision, and are aware of the proper channels for reporting suspected improprieties.
• Make sure policies and operating procedures are formalized and communicated to employees. Documenting policies and procedures and making them accessible to employees helps provide day-to-day guidance to staff and will promote continuity of activities in the event of prolonged employee absences or turnover.

INTERNAL CONTROL PROCESS

In order to create value for the company, an internal control program shall be designed to address the company’s short- and long-term needs. Whether those needs refer to improving process effectiveness and efficiency, market value, customer, investor, and employee confidence, or just satisfying external reporting requirements, an internal control program is a valued tool. Following is the flow of the overall program, the process flow, and the narrative. Since we have decided to use the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework as our model, it is embedded within the process and the phases are referenced as:

1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitor, evaluate, and report

[Process flow diagram, not reproduced here. Input: translation of Big G Governance to little g governance; information; transactions and financials. Process: control environment; operations; risk assessment (rated high, medium, low); control activities (sample, test, monitor, remediate); consolidate and report; quarterly financial sub-certification letter. Output: results, metrics, report, communicate findings; monitor, evaluate, report. Boxes are numbered 1 to 5 according to the phases listed above.]

B02.indd 37 8/25/08 1:52:27 PM Internal Use Only 38 PROCEDURE B02

Narrative for the Process

Note to reader: In describing the steps, the word should (i.e., with should meaning “ought to but not necessarily will be”) is used. This is not intended to be a conditional statement but rather to demonstrate that there is a choice to use some or all of the guidance presented.
If the guidance is not followed, then an equal alternative must be substituted. I recognize that presenting detailed techniques to a broad audience may be too severe for smaller companies and not robust enough for other companies; the use of judgment, common sense, and cost/benefit analysis must be used in the discussions with the internal control executive sponsors and cross-functional supporters.

1. Control Environment

If you refer to the earlier process flow from governance, you’ll notice that the input to this process is produced when big G Governance is translated to little g governance. The translation step means that big G rules and requirements have been adopted by the company and embedded into processes. The role and responsibility for implementing a control environment and setting the right tone is with the board of directors, the chief executive officer (CEO), and the chief financial officer (CFO). The control environment shall include statements to define and/or reinforce the tone from the top expressing:

• Value to the company. The control environment must state that the ultimate success of all projects is rooted within the company’s values and that the company values its culture of integrity, honesty, and high ethical standards.
• Tone at the top. In addition to senior management’s setting the tone, resources must be made available, including people with the appropriate skills, time, information technology, interruption to operations, and money.
• Authority to act. Business area and process owners must have the authority to establish and exercise operational control, allocate resources, and make critical decisions as to when and where controls are needed.

The board of directors (BOD) must understand the company’s opportunities and constraints and advise company executives as to organizational structure, levels of acceptable risk, and control strategies. The audit committee of the BOD is responsible for interfacing with the internal and external auditors and internal controls for the purpose of overseeing the monitoring, evaluating, and reporting responsibilities of management.

Senior leadership is responsible for implementing the strategies approved by the BOD. The senior leadership emphasis for this step is to ensure there are suitable and consistent activities to support the control environment, such as communication, providing adequate resources and time to implement, and holding process owners accountable and responsible for process outcomes.

Jointly, the BOD and senior leadership are responsible for promoting high ethical and integrity standards and for establishing a culture within the organization that emphasizes and demonstrates the importance of internal controls. These standards are reflected in the internal controls strategy and objectives.

If you don’t have a BOD, then use your company advisors in a similar manner. It is important to receive an objective review and analysis from independent parties. Regardless of whether you are a public or private company, it is important to take time and consider what levels of risk and controls are strategically important and which control objectives require attention.

Big G Governance guidance to management indicates that the approach management uses must be principles based, must direct effort to the highest-risk areas where material misstatements may occur, and must be tailored to facts and circumstances. It is important to design an internal control program that is right for your organization. Because of the emphasis Big G Governance places on principles and scope, I’ve discussed these as separated sections.
As part of your internal controls program, it will save a lot of time and debate to define the principles and control objectives that are expected to be universally followed; having these agreed up front assists in refining the scope to be reviewed and the types of control activities that will validate the objective. Choose and customize the principles that are appropriate to your company. You should find these principles stated in one form or another within the company’s code of ethical conduct or other compliance policies. Hint: Use the principles to develop clear “tone from the top” communication messages in support of the program.

Internal Control Principles and Control Objectives

Principles are universally accepted standards that signal satisfactory behavior. Internal control principles serve as fundamental assumptions that communicate specific characteristics when assessing and evaluating the company’s internal control status. Principles exist to support policies and procedures and represent the due diligence that must be embedded into operational and financial process design and implementation. Each of the internal control testing guides identifies control objectives and activities designed to test the existence and systemic use of the principles within processes. In designing your internal control program, you must identify and document the principles that are important and how these are defined within your organization. Following is a list describing the internal control principles and objectives integrated within this program:

• Compliance with laws and regulations refers to big G Governance and requires that accounting and finance professionals are aware of current and future laws and regulations. Although they do not have to be subject matter experts, they must be able to demonstrate that they subscribe to and use resources that provide a level of information appropriate for their role and responsibility.
• Compliance with company policies and procedures refers to little g governance and requires that accounting and finance professionals keep current and participate in cross-functional activities that affect the strategic, tactical, and operational nature of the company’s current and future policies, procedures, processes, and programs. All transactions ultimately affect the financial statements, either quantitatively or qualitatively; accounting and finance professionals must be thoroughly familiar with the processes involved. As a control, this requires documentation to support an adequate methodology and a sound approach to address cross-functional needs.
• Compliance with contract terms and conditions requires that the company honor its authorized and approved commitments. The company has an obligation to customers, partners, vendors, employees, and investors to ensure that contract terms and conditions are clear, understandable, consistently applied, and enforceable. As financial professionals, we attest that assets and liabilities reported on the balance sheet are bona fide rights and obligations of the company as at that point in time.
• Authorization is defined by the delegation of authority and allows employees to make commitments or representations on behalf of the company. Management defines and communicates the criteria for recognizing economic events and authorizing transactions. Reference the chapter on authorization and approval. Note that there is a difference between authorization and approval, with some companies choosing to highlight the difference within responsibilities: authorizers are assigned the power to influence and make decisions and commitments, while approvers follow a process to substantiate, corroborate, and authenticate.
Also known as the propriety of transactions principle, this ensures that there is a culture and environment where transactions and activities are appropriately reviewed and authorized prior to execution. Internal controls over financial reporting include control objectives to address that:
  • Payments are paid, recorded, and reflect authorized transactions that are the result of purchased or committed obligations made on behalf of the company. Payments are made according to a specific timetable and in agreement with contractual arrangements. Cash or other assets are disbursed and recorded according to generally accepted accounting principles (GAAP).
  • Payments are received, recorded, and reflect authorized transactions that are the result of sales or committed entitlements due to the company. Receipts are collected in accordance with a specific timetable and in agreement with contractual arrangements. Cash or other assets are received and recorded in accordance with GAAP.
  • Transactions are recorded in a timely manner, represent activity belonging to the entity involved, and are classified in accordance with company-defined rules and procedures (i.e., chart of accounts). Transactions are generally recorded in the period they are received and accepted by the company. Exceptions must be in accordance with the company’s policies and procedures.
• Disclosure as a control is required for purposes of transparency. Whether internally or externally focused, disclosure requires that there is sufficient and appropriate documentation to support the treatment of transactions, indicating that there is a clear audit trail as to what and how data was analyzed, decisions made, and actions taken.
• Disclosure is also a requirement for regulatory purposes. Similar to disclosure as a control, disclosure for regulatory purposes requires that the company’s policy and/or procedure and related background information is shared. In addition, disclosure for regulatory purposes may require:
  • Roll-forward activity analysis showing the closing balance from one period plus/minus totals by activity type to arrive at the closing balance for the current period.
  • Segmented presentation of data and/or information showing the closing balance and the subtotals by logical classifications.
• Operational and financial reviews are performed by authorized reviewers. The reviewer is responsible for examining the area in question and must:
  • Validate that the supporting documentation matches the content and context of the transaction and that any assumptions made are in accordance with company policies and procedures and GAAP.
  • Validate that the calculations are accurate by reviewing the source of the data and testing the formulas.
  • Analyze the results and findings to ensure they are complete and “make sense” given the purpose, content, and context of the transaction.
  • Evaluate the transaction as being required, in agreement with company policy and procedure, and authorized.
  Once evaluated, reviews may be forwarded to others who have a “need to know.”
• Effectiveness and efficiency of operations reviews refers to safeguarding the company’s core competencies as being critical for sustainability and the continued operations of the company.
• Reconciliations are performed between the source documentation and the general ledger and/or between contracts and the processed transaction in order to:
  • Validate that only legitimate and authorized activity is processed.
  • Validate that amounts are accurately calculated.
  • Match that the inflow of cash or other assets equals the addition of company benefits, or that the outflow of cash or other assets equals the reduction of company obligations.
  • Ensure that reviews have been performed.
• Integrity is made up of accuracy, completeness, and timeliness. Integrity occurs when transactions and other events and circumstances transpire during a specific period and are recognized in that period. The items in the financial statements are properly described and classified as well as fairly presented in conformity with generally accepted accounting and company policies and procedures. There are no unrecorded assets, liabilities, or transactions and no omitted disclosures.
  • Accuracy refers to the correctness, exactness, and truthfulness of the data and information presented. Accuracy refers to the physical existence of tangible assets, liabilities, and equity and the existence of the company’s rights and obligations as to intangible assets, liabilities, and equity. Accuracy of valuation refers to the validation and approval of assumptions made to quantify transactions at appropriate amounts.
  • Completeness refers to the wholeness or comprehensiveness of the data and information presented. The concept of occurrence, that all transactions and events that should have occurred have actually occurred, is included within completeness.
  • Timeliness refers to the adherence to a processing or operational schedule and the dating of the process and control points along that timeline. Timeliness also refers to the correct reporting of transactions in the period they should have been reported in.
• Segregation of duties refers to the identification and assignment of key roles and responsibilities where roles must be separated in order to mitigate risks such as misrepresentation, fraud, and collusion. Adequate segregation of duties reduces the likelihood that errors, intentional or unintentional, will remain undetected by providing for separate processing by different individuals at various stages of a transaction. The basic design is that no one employee or group of employees shall be in a position to both perpetrate and conceal errors or irregularities in the normal course of executing their responsibilities. Roles and responsibilities must be clearly defined to ensure that no one person has complete control over more than one key processing function, such as authorizing, approving, certifying, disbursing, receiving, or reconciling.
  Resource constraints may limit the number of employees, sometimes resulting in concerns regarding segregation of duties. In those cases, management must take action by adding control features to compensate for the resource inadequacy. These actions may include managers reviewing system reports of detailed transactions, establishing peer reviews for selected transactions, providing oversight during counts of physical inventory, reviewing supporting documentation for journal entries prior to approval, and independently reconciling account balances.
• Safeguarding assets refers to the custodial and security arrangements for the company’s tangible and intangible property and assets. Control of assets includes asset classification, assignment, movement, and use. The company’s assets include its customers, qualified vendors, and partners; employees; products and services; cash; marketable securities; inventories; property, plant, and equipment; patents; trademarks; and goodwill, as well as the processes and results of those operations, such as data and information. Management must clearly identify the personnel who have primary custodial responsibility for each category of assets, critical forms and records, processing areas, and processing procedures.
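The segregation-of-duties principle above, as an added example that is not part of the book: a Python check that flags any person granted, or actually performing, more than one of the key processing functions the text names (authorizing, approving, certifying, disbursing, receiving, reconciling), and lists conflicts that have no compensating control on record. The function names, role table, transaction log, and compensating-control register are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) checks: a preventive check over role grants and a
detective check over processed transactions. Added example; the role table,
transaction log and compensating-control register are constructed samples."""
from collections import defaultdict

# Key processing functions of which no one person should control more than one.
KEY_FUNCTIONS = frozenset({"authorizing", "approving", "certifying",
                           "disbursing", "receiving", "reconciling"})

# Constructed role model: user -> functions granted in the accounting system.
ROLE_ASSIGNMENTS = {
    "alice": {"authorizing", "reconciling"},            # can commit funds and reconcile
    "bob":   {"approving"},
    "carol": {"disbursing", "receiving", "reporting"},  # "reporting" is not a key function
    "dave":  {"reconciling"},
}

# Constructed register of compensating controls management put in place where
# headcount did not allow a conflict to be removed (manager review of detailed
# transaction reports, peer review, independent reconciliation, and so on).
COMPENSATING_CONTROLS = {
    "alice": "manager reviews system report of detailed transactions monthly",
}

# Constructed transaction log: (transaction_id, stage, performed_by).
TRANSACTION_LOG = [
    ("T100", "authorizing", "alice"),
    ("T100", "approving",   "bob"),
    ("T100", "disbursing",  "carol"),
    ("T100", "reconciling", "dave"),
    ("T101", "authorizing", "alice"),
    ("T101", "approving",   "bob"),
    ("T101", "disbursing",  "carol"),
    ("T101", "reconciling", "alice"),   # same person authorized and reconciled
    ("T102", "receiving",   "carol"),
    ("T102", "disbursing",  "carol"),   # same person received and disbursed
]


def role_conflicts(assignments, key_functions=KEY_FUNCTIONS):
    """Preventive check: users granted more than one key processing function.
    Returns {user: sorted list of key functions held}; non-key grants are ignored."""
    conflicts = {}
    for user, granted in assignments.items():
        held = sorted(f for f in granted if f in key_functions)
        if len(held) > 1:
            conflicts[user] = held
    return conflicts


def uncompensated_conflicts(conflicts, register):
    """Conflicts with no compensating control on record; these need management action."""
    return sorted(user for user in conflicts if user not in register)


def transaction_violations(log, key_functions=KEY_FUNCTIONS):
    """Detective check: one person performing two or more different key stages of
    the same transaction. Returns {transaction_id: {user: sorted stages}}."""
    stages_by_user = defaultdict(lambda: defaultdict(set))
    for txn_id, stage, user in log:
        if stage in key_functions:
            stages_by_user[txn_id][user].add(stage)
    violations = {}
    for txn_id, per_user in stages_by_user.items():
        bad = {u: sorted(s) for u, s in per_user.items() if len(s) > 1}
        if bad:
            violations[txn_id] = bad
    return violations


if __name__ == "__main__":
    conflicts = role_conflicts(ROLE_ASSIGNMENTS)
    print("Role conflicts:", conflicts)
    print("Without compensating control:",
          uncompensated_conflicts(conflicts, COMPENSATING_CONTROLS))
    print("Transaction violations:", transaction_violations(TRANSACTION_LOG))
```

Running both checks matters: the role check catches conflicts before any transaction is processed, while the log check catches cases such as T102, where a person with only one granted key function still performed two stages through some other path.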
To the extent possible and practicable, responsibility for the physical custody of an asset must be vested with employees who have no responsibility for, and are denied access to, the accounting for that asset.

Determining the Scope Using a Top-Down Approach

According to Big G Governance guidance, companies may use a top-down, risk-based approach to determine an appropriate scope for identifying the relevant operational and financial reporting risks. To determine the range of internal control activities (e.g., from ongoing monitoring of key indicators to engaging a full audit), financial management must identify the financial reporting elements, including accounts and disclosures, that have a significant dollar or volume amount and which, if misstated, would have a material or significant effect.

To apply the top-down, risk-based approach, begin with the financial reporting accounts and drill down to the subaccount or process level to identify those accounts that have a high (1) volume of transactions, (2) dollar throughput, and/or (3) process risk. Then evaluate those financial reporting elements as to risk by identifying (1) "what could go wrong," (2) the underlying financial reporting or fraud risk, and (3) where potential errors, omissions, and misstatements may occur. For this stage of the evaluation, consider which of the control objectives has the potential for being violated or deficient. There should be a list of accounts and a description of the type of risk. Rank the accounts and risks based on the magnitude of the accounts and the likelihood of misstatements. Plot these results on a risk matrix according to their probability and impact rating. Develop the appropriate level of control activities, which identify the effectiveness of the control environment.

The control environment influences and provides input and direction for implementing operational processes, risk assessments, and the control activities.
Within the control environment, early warning signs that internal controls may break down occur when management sets unrealistic targets, when rewards depend on performance, and when there are upper and lower cutoffs to bonus plans. Internal controls need to be especially vigilant when it comes to poor segregation of duties where there is a high degree of decentralization, when weak or poor internal audit results have been documented, and where there are penalties for improper behavior, whether these behaviors are insignificant or unpublicized.

Once you have defined the scope, begin to put together the schedule, selecting the best time within the financial and reporting cycle to review and test controls within the selected accounts and/or processes. Some items to consider when scheduling the control review and/or testing include:

• Timing of the review and/or testing, as to whether it is done in "real time" (e.g., observing the process) or after the fact
• Level of detail required for the review and/or testing
• Since testing occurs after the fact, select a time within the reporting cycle that would have enough transactional volume to choose a meaningful sample size.

Note that the schedule at this point is tentative, given that activities and resources have not yet been assigned.

Operations

Business area managers and process owners are responsible for establishing and promoting controlled processes that provide reasonable assurance that:

• Data and information published either internally or externally has integrity; that is, it is accurate, reliable, complete, and timely.
• The company's resources (i.e., its people, systems, data and information, assets, and client goodwill) are adequately protected.
• The resources are acquired economically and employed effectively.
• Operational transactions are monitored for continuous process improvement.
Quarterly, as part of the quarterly subcertification process, business area managers and process owners must attest that they are in compliance with company policies, procedures, and external laws and regulations. Refer to the later chapter on the quarterly subcertification to implement this part of the program.

2. Risk Assessment

A risk assessment program shall be implemented that includes activities to:

• Classify processes as having high, medium, or low risk.
• Determine the company's risk threshold.
• Monitor, evaluate, and report on the processes as to their exposure to risk.

Business area and process owners are responsible for identifying and evaluating internal and external factors that could adversely affect the achievement of the company's goals and objectives and for reflecting those findings in their business plans and reports to senior management.

Use a top-down approach to identify key processes and account balances that must be considered in scope for a risk assessment. Refer to the section on risk to help identify areas with higher risk, or use the section above to determine the in-scope areas for internal control testing. Select those processes and areas that pose a critical or high risk level, and where the company needs to share, mitigate, or control risks, as the first process areas to test. Processes that rank in the quadrant where there is medium or low risk may be tested using less rigorous testing techniques. Selected business area representatives, advisors, and senior management may offer additional accounts and/or processes as input to be tested based on current and future strategies.

The scope for internal control testing is then reviewed and approved by the CEO, the CFO, and in-house legal counsel and presented to the BOD and the members of the audit committee. This select group must take responsibility to:

• Review and approve the internal control plan.
• Ensure that the right accounts and processes are monitored and evaluated.
• Oversee execution of the plan and ensure that it has proper resources and ongoing executive support.

Within the risk assessment, early warning signs that internal controls may break down occur when there is no risk assessment program; when risks, however low, seem to be clustered around the same process or functional area; or when risks seem to occur at the same point within the process or financial cycle. Internal control representatives need to be especially vigilant when it comes to functions working in silos and not sharing information; low risks in one area may snowball as they progress down the line to the point where they become significant.

3. Control Activities

When designing control activities, consideration needs to be given to whether the control needs to be detective or preventive, what level of control activity is required, and how it will be tested.

Detective and Preventive Controls

Controls are identified as either detective or preventive, with preventive controls preferred. Whether a given control is preventive or detective may change based on the type of event and where/how the control is initiated.

Detection refers to checks and balances that occur after the transactional event has occurred and are designed to identify an error, omission, misstatement, or fraud. Detective controls are important where there are weak or broken processes or where preventive controls are not designed into the process. General controls considered detective in nature include comparing budget to actual results, comparing period-over-period results, monitoring performance indicators, and following up on unexpected results or unusual items.

Prevention refers to control procedures designed within, and becoming part of, the process. Preventive controls are designed to prevent errors, omissions, misstatements, or fraud from occurring before the activity is processed.
General controls considered preventive in nature include written policies and procedures, limits to authority, attaching supporting documentation, questioning unusual items, and no blank signed forms. Consider this list a "prompt" to identify the types of detective and preventive controls that should be addressed in all processes. Remember that whether a control is considered preventive or detective depends on the type of transactional event, the event frequency, and whether it is performed as part of or separate from the process.

Example:

• When accounts payable (A/P) invoices are reviewed and authorized for payment by ensuring a three-way match prior to releasing the invoice for payment, it is considered a preventive control. When the quantity and price extension on the vendor invoices are checked after the payment has been made, it is a detective control.
• When a credit analysis is performed prior to a credit limit or customer being set up in accounts receivable (A/R), it is a preventive control. If all new customers are automatically granted A/R credit, with credit assessments performed only if there are collection issues or when credit requests exceed a predefined dollar threshold, then the credit assessment is a detective control.
• When payroll runs are authorized as long as they are consistent period over period, it is considered a preventive control. If variances to the payroll run are only reviewed and resolved monthly, then it is a detective control.
Type of Control | Preventive / Detective
Compliance with laws, GAAP, and company policies and procedures | Detective
Compliance with company policies and procedures | Detective
Compliance with contract terms and conditions | Detective
Authorized and approved transactions | Preventive
Internal controls over financial reporting: |
  • Payments paid and recorded | Preventive
  • Payments received, deposited, and recorded | Preventive
  • Transaction recorded | Preventive
  • Disclosed | Detective
  • Reviewed | Preventive
  • Reconciliation | Detective
  • Integrity | Preventive
  • Accuracy | Preventive
  • Completeness | Preventive
  • Timeliness | Preventive
  • Segregation of duties | Preventive
  • Safeguard assets | Preventive

Control Activities

Select control activities that are commensurate with the level of risk as identified in the risk assessment. Document the control activity procedure, the evidence collected, and the results of your findings.
Control activities refer to those specific actions designed to produce evidence in support of the control objective and may include some or all of the following techniques:

• Self-assessments performed by process owners using predefined self-assessment or audit readiness checklists
• Walk-through and observation performed by peer groups and/or internal control representatives
• Monitoring performed by management and/or submitted to internal controls for review
• Reconciliations between source data and reporting records, including period-to-period roll-forward and period-over-period analysis
• Testing performed by management and internal control representatives using statistical or random sampling techniques
• Quarterly subcertification submitted by executive leadership, process owners, and selected business area executives attesting to compliance with company policies, procedures, and internal control requirements
• Remediation of action items resulting from internal control and internal audit reviews

Testing and controlling is a management function and is an integral part of overall process management. As such, it is the responsibility of managers at all levels to:

• Identify and evaluate the exposures to loss relating to their particular sphere of operations.
• Specify and establish policies, plans, and operating standards, procedures, systems, and other disciplines to be used to minimize, mitigate, and/or limit the risks associated with the exposures identified.
• Establish practical controlling processes that require and encourage administrators, officers, and employees to carry out their duties and responsibilities in a manner that achieves the control objectives.
• Maintain the effectiveness of the controlling processes established and foster continuous improvement to these processes.
Monitoring and Testing

The monitoring and testing of operational transactions validates that identified controls are performing as they were designed. Depending on the complexity of the process (i.e., the number of steps), the activity is to test transactions through computerized and/or manual processes. The tests must address the issues of integrity (i.e., completeness, accuracy, and timeliness).

A cradle-to-grave test direction selects a sample of certain source documents (e.g., vendor invoice, sales transaction, subsidiary ledger balance) and traces them through the operational processes until they reach the financial statement balances. A grave-to-cradle test selects a sample of other transactions from the financial statement balance (i.e., the general ledger or reconciliation) and traces them back to the source input. The test of transactions in this direction addresses the issue of whether all data contained in a financial account balance is supported by source documentation.

The sample of transactions tested must be documented and selected using generally accepted auditing sampling techniques. Sampling techniques can employ either a judgmental or a statistical approach. An example of a judgmental approach is a systematic selection of days of the fiscal year or of every 100th transaction in a numerical sequence. A statistical approach would take random samples from among all transactions.

According to auditing standards, the tests of transactions must be designed to test management assertions. Evidence may be classified into one of five categories:

• Existence or occurrence. This assertion deals with whether assets, liabilities, and equity included in the balance sheet actually exist on the balance sheet date. Additionally, the assertion of occurrence is concerned with whether recorded transactions included in the financial statements actually occurred during the period. This assertion is concerned with the inclusion of amounts that should have been included (e.g., inventory that exists and is available for sale at the balance sheet date).
• Completeness. This assertion states that the financial statements include all transactions and accounts that should be presented. This test is concerned with the possibility of omitting items from the financial statements that should have been included (e.g., a sales cutoff test to determine that sales are recorded in the proper accounting period).
• Valuation or allocation. This assertion is related to whether the asset, liability, equity, revenue, and expense accounts have been included in the financial statements at appropriate values (e.g., fixed assets stated at the net book value).
• Rights and obligations. This assertion is related to whether the assets are the rights of the company and the liabilities are the obligations of the company at the balance sheet date.
• Presentation and disclosure. This assertion is related to whether components of the financial statements are properly classified, grouped, or reported separately and disclosed in the financial statements (e.g., liabilities properly recorded as a current or long-term liability).

Even though a control may be embedded within a process, it still needs to be tested. There are times when an embedded control could be bypassed or exception reports ignored because it is "assumed" that the control is working. A few examples:

• Schedules and checklists often serve as controls when they are embedded as part of the process; they operate concurrently at all levels. However, schedules and checklists must still be reviewed and tested to ensure that management activities are identified, with comments and exceptions noted, including shortcuts or process "workarounds" (i.e., bypassing the designed process).
• Data and information provided from a single central source is a good automated control; however, the source data must still be verified to ensure that it is complete and accurate, that it is used according to its designated purpose, and that errors, omissions, and misstatements of the data are corrected at the source.

To begin planning for the monitoring and testing plan, start with the accounts and processes identified in the risk assessment. Next to each of those accounts and processes, list the control objectives that need to be verified with monitoring and testing. Next to each of those control objectives, identify the control activities that will be used to provide evidence that the control objective is working (or not). Having an aligned link between account/process, control objective, and control activity is an indicator of a strong internal control program.

Note to reader: As part of the testing guides, I have included working papers that can be used as a sample for preparing this worksheet. The downloadable version of the book presents this worksheet in Excel format. This is the technique recommended for use when rolling out the internal control testing guides.

As you test and document the internal controls, consider the type of evidence that will be reviewed and the type of assertion that can be made against that evidence. Remember to document the evidence, whether it produces a finding or not.

Within control activities, early warning signs that internal controls may break down occur when control activities are not linked to control objectives, when there is not enough time and resources to execute the control activity plan, or when unfavorable results are scattered across all control objectives and processes. Internal controls need to be especially vigilant when process managers are continually not prepared or available to participate in the control activities.

4. Information and Communication

Information and communication is about enabling employees by providing pertinent information at all levels of the company and distributing it in a form and time frame that supports the achievement of company goals and objectives. Senior management is responsible for information and communication activities that support the understanding and execution of internal control objectives. Employees are also responsible for information and communication activities, ensuring that senior management fully understands the process consequences of implementing or not implementing certain control objectives. Information sharing and communication refers to the flow occurring from the top down and from the bottom up. For employees to be enabled, senior management must clearly identify the environment as open and allow employees ready access to contribute suggestions for improvement. Employees will best know when "checking the checker" controls are ready to be replaced with control-smart learning, planning, and process modeling.

Information and communication objectives are to:

• Ensure adequate and comprehensive internal financial, operational, and compliance data.
• Ensure adequate and comprehensive external market information about events and conditions that are relevant to decision makers.
• Establish effective channels of communication to ensure that employees are aware of policies and procedures affecting their duties and responsibilities.
• Ensure that other relevant information reaches appropriate decision makers.
• Ensure that there are appropriate and secure information systems in place.
Company business area managers and process owners are required to have an effective system of internal controls that responds to changes in the company's environment and conditions; they must take appropriate action to remediate internal control findings and improve process effectiveness and efficiency. In addition, they must have a process proportionate with the complexity and level of risk associated with the company's on- and off-balance-sheet activities.

Information and communication must flow from the top down, from the bottom up, and across the organization, providing meaningful, relevant data to allow for prompt decision making and action. The internal control program manager shall issue progress reports at least quarterly, or as deemed necessary, to all internal parties as well as to the external auditors and outside legal counsel.

Within information and communication, early warning signs that internal controls may break down occur when information and communication flows only in one direction, when information is estimated rather than supported by data points, or when more time is spent on "wordsmithing" than on remediation. The internal controls program manager needs to be especially vigilant when it comes to a difference between what is being communicated and the findings and evidence collected.

5. Monitor, Evaluate, and Report

This last phase of the framework and of the program's process is to consolidate and report on the findings and remediation efforts and to evaluate the effectiveness of the internal control program itself. This information is used to determine the company's overall control position that is required within the big G Governance submission.

Classify Findings

Control findings are the result of the analysis and evidence collected from the control activity. As findings are discovered, they need to be classified into one of the following categories, with the most severe deficiency category listed first:

1. Significant deficiency: conditions in the design or operation of the process and the internal control structure could/would adversely affect the company's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.
2. Material weakness: conditions are less severe but serious enough that the design or operation of one or more of the specific process elements could/would have a material impact on the accuracy of the financial statements and, if it occurred, may not be detected within a timely period.
3. Reportable conditions refer to process weaknesses or opportunities for continuous improvement. When discovered, these should be noted so that the process owner may evaluate and/or correct the process before the issue becomes a weakness. These may be "early warning signs" and should be addressed, as neither the process owner nor the internal control representative wants to see an identified reportable condition from one testing period show up as a material weakness in another period.
4. An effective control condition exists when there were no unexpected results, the internal control is operating within defined parameters, and there is no immediate exposure to the company.

Once consolidated, summarize the findings using the following type of scorecard. The information contained on this scorecard identifies the number of control activities performed within the findings classified from 1, Significant Deficiency, to 4, an Effective Control, as described above.

Account/Process     | Rating of Control Activity Results
                    | 1 | 2 | 3 | 4
Accounts Payable    |   |   |   |
Accounts Receivable |   |   |   |
Inventory           |   |   |   |
Payroll             |   |   |   |
Revenue             |   |   |   |

When internal control deficiencies are identified, plans to remedy these deficiencies must be documented and implemented as soon as possible.
When a significant deficiency or material weakness is identified, the internal control department must retest the process to ensure that the improvement has occurred. The corrected internal control procedure must be in place and in operation for a period of time prior to the financial reporting date. Management must be able to evaluate the corrected control and conclude that the control is operating effectively. It is recommended that testing continue for at least three consecutive quarters, with positive results shown, before the deficiency is deemed to be satisfactorily closed.

This type of summary lets you compare accounts and processes at a high level to identify whether the control activities are equal to the level of risk as defined in the scope. It also lets you prioritize and focus on selected processes to remediate the most significant findings first. Information from this scorecard can help you better plan the control objectives and activities that will target high-risk, in-scope accounts and processes. If the results have a disproportionate number of 3- and 4-rated items, review the objectives and activities to ensure that you have aligned the appropriate level of activity to "catch" the appropriate level of risk. Although this is not a "gotcha" exercise, remember that you selected this list of accounts and processes as being high risk and high impact. If the findings and results are accurate, then it signals that there is something wrong in the risk assessment process. Be careful not to play a numbers game; more is not necessarily better. Remember that control activities require planning, assigning of resources, and perhaps disruption to the operational flow.

Evaluating the Internal Control Program

Measures must be established to determine the effectiveness of the internal control program itself.
For senior management to have confidence in attesting to the company's internal control status, they must have confidence that the program itself is working as it should. According to COSO, each of the five control elements must be assessed before an opinion can be rendered about the design and effectiveness of the overall internal control program. The assessment rating is satisfactory or unsatisfactory and must be documented with rationale and supporting evidence where and as applicable.

COSO Control Element | Criteria for an Unsatisfactory Rating

Control Environment
• The presence of any one of the control objectives is missing, violated, or inadequate.
• There are verified systemic instances of breakdown of control activities.

Risk Assessment
• Risk assessment objectives are incompatible or inconsistent with the control environment objectives.
• A risk assessment program is missing, not followed, or inadequate.
• Management has not mitigated critical operating risks.
• Internal control tests detect risks not previously contemplated by management.

Control Activities
• Key control activities are not functioning as intended.
• Management's control activity monitoring is missing, violated, or inadequate.

Information and Communication
• Pervasive lack of knowledge by employees about their control responsibilities.
• Customer or supplier complaints and disputes are not resolved, or remedial action is not undertaken in a timely manner.

Monitoring
• Key metrics are not identified, collected, and communicated.
• Management has not established a means of determining the quality of the internal control program over time.

Overall
• The rating of all components must be considered to determine whether controls provide reasonable assurance that management objectives will be achieved.

Significant deficiencies and material weaknesses must be disclosed if they have not been cleared as of the financial reporting date.
One of the ways the company completes the governance journey is through the quarterly subcertification program. A later chapter discusses this program in depth; however, here is a brief overview. This program and tool has benefits beyond providing support for executive attestation to big G Governance regulatory submissions.

As part of the company's policies and procedures, the internal control department oversees the quarterly subcertification letter, also known as the letter of representation. The letter asks selected individuals to certify or attest that the information provided from their business areas of responsibility is complete, accurate, and conforms to the company's code of conduct, policies, procedures, and internal controls, and that the financial results are recorded in accordance with U.S. GAAP. The letter process and attestation is a job aid, used by internal controls to evaluate and support the company's internal control posture. Comments submitted by the selected process owners and business area executives must be addressed as part of the internal control program.

Submissions and Attestations

According to Sarbanes-Oxley and Securities and Exchange Commission (SEC) governance, the CEO and CFO must submit a report from management and attest to the company's internal control position with submission of the quarterly 10Q and annual 10K reports. The report of management contains the following:

• A statement of management's responsibility for establishing and maintaining adequate internal controls over financial reporting.
• A statement identifying the framework (i.e., COSO) used by management to conduct the required evaluation of the effectiveness of the company's internal controls over financial reporting.
• Management's assessment of the effectiveness of the company's internal controls over financial reporting as of the end of the company's most recent fiscal year. Management is not permitted to conclude that the company's internal controls over financial reporting are effective if there are one or more significant deficiencies or material weaknesses in the company's internal controls over financial reporting.
• A statement that the external auditor has issued an attestation report on management's assessment of internal controls over financial reporting.

Within the monitor, evaluate, and report phase, early warning signs that internal controls may break down occur when monitoring activities are sporadic, skipping reporting periods, and when evaluation techniques are inconsistently applied in order to show less damaging results. Internal controls need to be especially vigilant when it comes to censoring of results.

With the attestation and submission of the financial reports to big G Governance regulatory agencies, one cycle of the governance journey is complete.

The following documents are presented in support of the program:

• Internal control program policy and procedure
• Internal control program charter
• Internal control plan

Policy and Procedures
Procedure No. B02a
Section: Corporate
Page 1 of 3
Internal Control Policy and Procedure
Department Ownership
Issue/Effective Date:
Replaces previously issued
Prepared by:    Date
Approved by:    Date
Authorized by:  Date

PROCEDURE B02A

Scope

The document applies to all IDEAL LLP's legal entities, subsidiaries, and business units.

Policy

It is IDEAL LLP's (Company) policy to establish and maintain an internal control program (program) to serve as oversight for and to test the company's operational and financial effectiveness and efficiency in accordance with designated risk thresholds.
This program shall be led and managed by the internal control program manager and have reporting responsibilities to senior leadership, including the chief executive officer, chief financial officer, and the audit committee of the board of directors. An internal control department shall be established to design, implement, and oversee a program that will comply with external laws and regulations as well as promote internal operational effectiveness and efficiency. The internal control model the company chooses to follow is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework.

The internal control department shall establish an annual plan and schedule to identify the current fiscal year's areas of focus. Company processes shall be assigned to and owned by process owners, who have the responsibility to create integrated (i.e., cross-functional) process maps, policies, and procedures as required. Process owners are responsible for defining and collecting process and financial metrics to ensure the process is executed in an effective and efficient manner. Process owners shall provide key performance indicators, participate in self-assessments, and be prepared for internal control testing.

At any time, if anyone (e.g., internal controls representative, process manager, or employee) considers that a breach in operational or financial process management has occurred or is likely to occur, it is their responsibility to immediately contact executive leadership and internal controls to investigate.

Procedure
The internal control program as used within the business environment has come to be defined as a program to oversee processes and is required to:
1. Assess risk and evaluate processes as having high, medium, or low risk as identified through the company's risk assessment process.
2. Develop control objectives and control activities that are aimed at providing evidence of the effectiveness of the control objective (i.e., that the control objective is working or not).
3. Analyze and consolidate findings from the control activities.
4. Evaluate, report, and rate the company's internal control status. The internal controls program manager shall communicate and report those findings and status to the leadership team and the board of directors at least quarterly.
5. Monitor remediation and improvement efforts for those controls that are deemed to need improvement.

In addition to monitoring the effectiveness of the internal control program itself, the internal control department shall follow the COSO model to define and deploy the following phases:
• Control environment
• Risk assessment
• Control activities
• Information and communication
• Monitor, evaluate, and report

At the beginning of each fiscal year, the internal controls program manager shall present a plan that includes testing and oversight for the company's processes and activities. Although a schedule is prepared, internal controls may alter the timing of the scheduled tests so as to conduct random unplanned testing.

Internal controls, in cooperation with the process owners, perform risk assessments in accordance with the risk assessment model and shall rank processes as to the likelihood of an adverse operational or financial impact to the company. Risk thresholds are broadly defined as:
• Low risk: The process shall be considered to have low risk as long as the measures are within acceptable control limits and there is minimal risk of adverse exposure. Low-risk processes shall be monitored at least monthly, with exceptional variances investigated and remediated. When control limits are exceeded for three consecutive periods, the risk is reclassified as medium.
• Medium risk: The process shall be considered to have medium risk as long as the measures are within acceptable control limits and there is moderate operational and financial exposure due to adverse activity, or when low-risk processes have exceeded their control limit measures. Medium-risk processes are reviewed and tested at least semiannually on a rotating basis. Medium-risk processes may be considered high risk when the control measures become unpredictable and unacceptable.
• High risk: The process shall be considered to have high risk if it is a newly implemented or reengineered process or if it is deemed that the impact of an operational or financial misstatement could have a material impact on operational results and/or financial reporting. High-risk processes require the assignment of a quality review team and must be reviewed and tested at least quarterly.

Control activities and testing guides may include operational reports and measures, financial reports and measures, system-generated control reports, and manual sample testing. Testing guides shall be made available to the process owners prior to the actual testing. Testing guides may be augmented or supplemented based on findings from testing activities.

The internal controls manager shall monitor the program's execution and results and report monthly on the status of schedule attainment, testing activities, and findings to the chief compliance officer and the chief financial officer (CFO). Quarterly, a report shall be submitted to the chief executive officer (CEO) and board of directors for review.
At least annually, the internal controls manager and the chief compliance officer shall provide an in-depth review of the risk assessment and internal control process to the CEO, CFO, and the board of directors.

Control/Areas of Responsibility
This program shall have oversight by the chief compliance officer and CFO and shall be managed by the internal control program manager. The internal control program itself shall be monitored and evaluated as to its effectiveness and efficiency. Internal control testing activities and findings shall be monitored, with reports generated at least quarterly and distributed to the CEO, CFO, and other leadership, including the audit committee of the board of directors.

Contact
• Chief Compliance Officer
• Chief Financial Officer

Policy and Procedures, Procedure No. B02b, Section: Corporate. Internal Controls Program Charter. Department Ownership; Issue Date/Effective Date; Replaces previously issued. Reviewed by / Approved by / Approved by, with dates. Internal Use Only.

PROCEDURE B02B

Purpose
Internal controls is a function within corporate governance, separate and distinct from internal audit and compliance, and as such must be sponsored and approved by the executive leadership and implemented at the business area level, with responsibility and accountability for compliance held at every level. IDEAL LLP's internal control department conducts independent and objective reviews of the company's operations and procedures. Findings and recommendations are reported as appropriate. The internal control department shall use the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Integrated Framework as the basis for the program.

Scope
The internal control department shall oversee the integrity of the company's internal control program as well as any outward-facing statements concerning the company's internal control or risk posture. To this end, the internal control department shall prepare a schedule which includes education and training, testing, and remediation for the company's process owners, managers, executives, and board of directors.

Meetings
Annually, prior to the beginning of the fiscal year, the internal control program manager shall present a plan to assess the company's internal control and risk posture as well as a plan to remediate or improve operational effectiveness and efficiency. Although primarily focused on financial processes, the internal control department must also consider upstream operational processes. This annual plan shall be reviewed and approved by executive leadership and presented to the audit committee of the board of directors and the external auditors. At least quarterly, the internal control program manager shall provide progress reports to executive leadership and the audit committee of the board of directors. Quarterly, the internal control program manager shall provide statements to the external auditors as to the status of the company's internal controls and risks.

Responsibilities and Authority
The success of an internal controls project depends upon the endorsement and ongoing support of senior management and the board of directors. Senior management must believe that implementing an internal control program is more than a legal obligation; in the long run, doing so will increase the value of the company.
The internal control program manager shall have the authority, to the extent necessary or appropriate, to secure the participation of subject matter experts and advisors. Selected business area representatives are invited to assist the internal controls department in the preparation and review of internal processes. All process owners, managers, and employees are expected to fully cooperate and participate in the testing and review process. The company shall provide appropriate funding and resources to the internal control program manager in order to execute his/her responsibilities.

The internal control program manager shall review and reassess the adequacy of this charter at least annually and recommend proposed changes to the executive leadership for approval. The internal controls department shall review its own performance at least annually and include that performance review with its quarterly reports.

INTERNAL CONTROL PLAN (Procedure No. B02c)
This chapter lists specific tasks and activities required to develop and execute the internal control plan (plan) and program. The plan incorporates the information presented thus far and the approaches that follow this chapter. The internal control program manager oversees the design and deployment of the plan and is responsible for its outcomes. The internal controls program manager shall establish the program, which includes activities and tasks to address the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework:
A. Control environment
B. Risk assessment
C. Control activities
D. Information and communication
E.
Monitor, evaluate, and report

In support of the planning process, and as described below, at the end of this chapter are documents and forms that address:
• Internal control policy and procedure
• Internal control charter
• Roles and responsibilities classified as per the COSO framework
• Authorization and approval process, policy, and procedure
• Information and technology: end-user computing process, policy, and procedure
• Account reconciliation process, policy, and procedure
• Quarterly subcertification process, policy, and procedure, exhibit, and PowerPoint training
• Results of control activity testing form

A. Control environment. The planning process involves defining the desired scope and outcome objectives for the program. This starts with the executive's appointing an internal control program manager and communicating executive support by granting the program manager access, authority, and resources. Together, the internal control program manager and the executive sponsor develop:
• An internal control program charter providing the authority and mandate to the internal control program manager.
• The internal control policy and procedure informing employees of their role and responsibility related to this program.
• An evaluation of the need for supporting policies and procedures not otherwise addressed within the company policy and procedure manual.
• The choice of an internal control framework (e.g., COSO), identifying control principles and objectives.

Linking the internal control plan to COSO phase D, Information and Communication, the program manager assists the executive team with delivering appropriate tone-from-the-top communication that endorses the control objectives and the ethical standards that must be designed and embedded into all company policies, procedures, and processes.
The internal control program manager develops and gains approval for the internal control activity plan and schedule, ensuring that all major processes are covered at least once annually and that there is time allotted for remediation retesting and unscheduled testing engagements. The schedule must allow time for consolidation, assessment, and evaluation in time for quarter-end financial reporting to regulatory agencies.

The internal control program manager prepares an overview of how the internal control process is organized and managed and gains approval from the sponsoring executive, the audit committee of the board of directors, and the independent external auditors.

The internal control program manager provides education and training for employees, process managers, executives, and the board of directors as to their role and responsibility in the internal control program. The training should include documentation to assist each of the constituent groups in understanding their role and responsibility.

B. Risk assessment. Assess and define the existing control procedures. The internal control program is itself assessed for risk, identifying the impact to the financial statements and/or disclosure regulations if omissions, errors, or mistakes are found within the program. The internal control program manager must also consider establishing measures and control activities to ensure that the internal control program is operating as designed. Risk assessment techniques identify the processes and/or accounts that need to be included within the current year's program.

Conduct a risk assessment to provide understanding, visibility, and ranking of the:
• Current infrastructure and the degree to which existing procedures meet or fall short of the internal control objectives defined in the first stage. Define the control principles, objectives, and activities that will be used to assess the processes and/or accounts in scope.
• Likely causes of error, omission, and misstatement. Identify significant financial reporting elements, including accounts, disclosures, and relevant assertions prone to material misstatement. Significant financial reporting elements are those accounts where there is a considerable volume of transactions and/or dollars, such as revenue, inventory, and cash. Determine "what could go wrong" for each relevant assertion, considering the underlying processes and subsequent steps where potential errors can occur. Rank the risks according to the magnitude and likelihood of a material misstatement.
• Areas where fraud may occur.

Referring back to the internal control process flowchart, the internal control program manager may use the input acquired through the quarterly subcertification process to identify focus areas for the coming quarter.

As optional input, the internal control program manager may request that process managers conduct an internal control readiness or self-assessment and submit results to internal controls representatives. This is an appraisal concerning the existence and adequacy of controls currently in place to ensure operational and financial process effectiveness and efficiency and compliance control objectives. Of course, before this can be done, the internal control program manager must have generic assessments ready to distribute to the process managers.

Using the COSO framework, establish and design control activities to test the control objectives, ensuring that the results of the control activities will indeed provide evidence that the control objective is working or not working as designed. Estimate the time it should take to conduct the proposed activities.
From this initial assessment, the internal control program manager summarizes the input to identify which processes must be considered in scope for this year's internal control testing and which are "at risk" or contain the opportunity for significant exposure. Once identified, the list is prioritized and assigned a place on the schedule. It is recommended that a top-down, risk-based approach be used to isolate those processes and/or accounts that must be considered in scope. Refer to the risk section within the governance journey for additional detail.

Plan the schedule so as to minimize disruption to business operations and to allow time to measure and test a typical set of transactions. Consider how frequently the identified processes and/or accounts need to be evaluated. Allow time in the schedule for retesting of specific areas where remediation efforts needed to be implemented and monitored. Communicate the plan and schedule to senior executives for their review and input; management, at its discretion, may choose to add processes/accounts for testing. Communicate the plan and schedule to process owners.

The best way to plan the schedule is to:
• Have a list of the processes and accounts that will be tested and the types of control activities that will be used.
• Estimate the time it takes to fulfill the testing obligations, allowing extra time to address "surprise" findings and to revisit weak areas.
• List the accounts and processes on a calendar, aligning the timing with the operational cycle in order to maximize the testing scope and sample size.
• Assign internal control resources to conduct the testing, allowing time for the internal control representative to follow up on unanticipated findings, weak areas, or areas recently remediated. Additional time is also required for the internal control representative to analyze the evidence and document the findings.
• Communicate the program and what is expected to process managers or, if possible, include it within the training. This may not be possible if this is the first year that the internal control program is being rolled out; otherwise, there should be enough history and detail for the internal control program manager to have the control activities and schedule prepared with the training material.

To serve as an independent observer over the internal controls program, someone from internal audit and/or compliance tests and monitors the program for effectiveness and efficiency. In more sophisticated business operations, instead of one internal control program manager there may be a committee made up of cross-functional representatives from internal controls, legal, information technology, human resources, finance, and internal audit to oversee the internal control program, including plans, findings, areas for improvement, remediation, and communication.

The internal control plan is shared with the audit committee of the board of directors and the external auditors, and the internal control program manager provides updates at least quarterly as to the status of the program activities and results.

C. Control activities. Identify and document controls specific to operational and financial risks within a centralized document repository.
• An internal control document repository shall house the internal control plan, control principles, objectives, activities, process and/or account narratives, process flows, results of the control activities, and evaluation of the results.
• To the degree practicable, consider cross-referencing this repository with the company's policy-and-procedure document repository.
• If there is no in-house repository, consider researching and evaluating one of the many software programs specifically designed for this application.
• Customize this plan, the policies and procedures, and the templates presented in this manual to populate the internal control repository.
• In smaller companies, a repository might be as simple as a folder on a shared drive or printed documents housed within a central file cabinet or binder.

Control Activity/Testing Engagement
The control activity engagement shall mirror, but be less formal than, an internal audit engagement. We are looking for the same level of professionalism as with an internal audit; however, the objective is to test and repair rather than test and report. As a best practice, internal control findings are considered a benefit to the process and provide useful feedback for the process manager.

At the beginning of each fiscal year, the chief financial officer or executive sponsor and the internal control program manager notify the business and process owners of the coming year's plan and schedule, mentioning that the schedule is subject to change. Not every process requires the same level of scrutiny, so some process managers may have to submit key performance indicators, while others will have their operation interrupted for more invasive testing activities. In order for the process manager to plan for a disruption to the process or the allocation of personnel to the control activity, provide a reminder notice to those areas which will be tested. Provide the process manager with the readiness checklist so they can prepare for the control activity engagement. Prior to the start of the control activity engagement, the process manager should notify the staff to be prepared and to fully cooperate.

It may be appropriate to have a discussion prior to beginning the control activities. This provides both the internal control representative and the process manager with the opportunity to discuss the goals and objectives as well as the best approach to be used to verify the status of the control objective.
The internal control representative should come prepared to build relationships, set the tone, and enlist the process manager's cooperation.

The internal control representative or team performs the control activities as planned and gathers evidence. The internal control program team shall be professional and use a variety of techniques to gather data and information. If the risk assessment and planning were adequately addressed, the scope and method for the control activity should have been clearly defined. The process manager should be prepared to share data and evidence in support of the objective. As a best practice, the process manager knows which control objective and control activities will be used, so they can present their evidence and documentation trail to the internal control representative.

The internal control representative shall ask questions and listen, as these are effective testing techniques to determine if there are additional, previously unidentified risks or if the evidence presented supports the objective being tested. Learning how to ask direct and open-ended questions and fully listening to the response provides the internal control representative with a valuable aid to more fully discover how well the control objective is actually working.

Evidence must be presented as a reliable, accurate depiction in support of the control objective. The internal control representative must document the control activity and the approach used to collect an appropriate level of evidence. When performing testing, it is important to select a sample of transactions to review. When determining the size of the sample to collect, consider that the size must be large enough to draw inferences regarding overall compliance and yet manageable to review in the given period. It is common to establish threshold limits prior to selecting the sample.
Example: If you are testing for the accuracy of the physical inventory, you may want to have an inventory report run that identifies the quantity and book value of the inventory. The control objective is accuracy, and the control activity is to validate the physical count by reperforming the count. The two areas of inventory you are interested in testing are (1) high volume and low value and (2) high value. Let's assume there are 1,000 different product numbers for the high-volume, low-value inventory and 20 product numbers for the high-value inventory. You may choose to validate the inventory count by randomly selecting 200 of the high-volume, low-value product numbers and counting all 20 of the high-value product numbers. Depending on the type of inventory, the test to validate the high-volume, low-value inventory might be to weigh a single unit of each product number, then weigh the entire stock of that product number and divide, to see if the weighed count reconciles to the recorded physical count. If it is correct or close for all 200 samples, then no further testing is required; if it is not correct or close, then actually counting several items within this sample is required, and expanding the sample size may be in order. The test to validate the high-value inventory is to physically recount the entire high-value inventory. Since you are reproducing the control, if there is any discrepancy, evaluate whether additional controls are required, such as retaining the high-value inventory in a separate secured area of the warehouse. The control objective has now been broadened to include safeguarding the asset.

Once the evidence is collected, it must be evaluated to determine if the evidence is aligned with and supports the control objective. Sometimes the evidence collected shows a deficiency in a different objective.
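The inventory count test just described, as an added example that is not from the book: stratified selection of 200 of the 1,000 high-volume, low-value product numbers plus all 20 high-value product numbers, the weigh-and-divide reperformance against a tolerance fixed before the sample is drawn, the exact recount for high-value stock, and the decision that follows (hand count and expand the sample, or evaluate safeguarding controls). The 2 percent tolerance, the fixed random seed, the unit and stock weights, and the "LV"/"HV" product numbers are assumptions; all data is constructed.

```python
import random
from dataclasses import dataclass
from typing import List, Optional

# Assumed tolerance for "correct or close" on the weighed count. The book
# gives no figure; 2% is a constructed threshold, fixed before sampling.
WEIGH_TOLERANCE = 0.02


@dataclass
class InventoryLine:
    product: str
    book_qty: int                      # quantity per the inventory report
    unit_weight_g: float = 0.0         # weight of one unit (low-value lines)
    stock_weight_g: float = 0.0        # weight of the whole stock of that product
    counted_qty: Optional[int] = None  # physical recount (high-value lines)


def select_sample(low_value: List[InventoryLine], high_value: List[InventoryLine],
                  n_low: int = 200, seed: int = 0):
    """Stratified selection: a random n_low of the low-value lines and every
    high-value line. The seed is an assumption, kept so the selection can be
    reproduced and recorded on the testing form."""
    rng = random.Random(seed)
    low_sample = rng.sample(low_value, min(n_low, len(low_value)))
    return low_sample, list(high_value)


def weighed_count(line: InventoryLine) -> int:
    """Reperform the count by weight: stock weight divided by unit weight."""
    return round(line.stock_weight_g / line.unit_weight_g)


def check_low_value(sample: List[InventoryLine],
                    tolerance: float = WEIGH_TOLERANCE) -> List[str]:
    """Weigh-and-divide test. Returns the product numbers outside tolerance;
    those lines must now be hand counted, and any exception is the trigger
    for expanding the sample."""
    exceptions = []
    for line in sample:
        wc = weighed_count(line)
        if line.book_qty == 0:
            ok = wc == 0
        else:
            ok = abs(wc - line.book_qty) / line.book_qty <= tolerance
        if not ok:
            exceptions.append(line.product)
    return exceptions


def check_high_value(lines: List[InventoryLine]) -> List[str]:
    """Full recount. Any difference at all is a discrepancy, because the
    control being reproduced is the count itself."""
    return [line.product for line in lines if line.counted_qty != line.book_qty]


def conclude(low_exceptions: List[str], high_exceptions: List[str]) -> List[str]:
    """Turn the two result sets into the next actions for the testing form."""
    actions = []
    if low_exceptions:
        actions.append(f"hand count {len(low_exceptions)} sampled line(s) and expand the sample")
    if high_exceptions:
        actions.append("evaluate safeguarding controls (e.g. a secured area) for high-value stock")
    return actions or ["no further testing required"]


def build_constructed_data():
    """Constructed data: 1,000 low-value and 20 high-value product numbers,
    with one planted discrepancy in each stratum."""
    low = [InventoryLine(f"LV{i:04d}", book_qty=500, unit_weight_g=10.0,
                         stock_weight_g=5000.0) for i in range(1000)]
    low[7].stock_weight_g = 4600.0     # scale says 460, books say 500
    high = [InventoryLine(f"HV{i:02d}", book_qty=12, counted_qty=12) for i in range(20)]
    high[3].counted_qty = 11           # one unit missing on recount
    return low, high


if __name__ == "__main__":
    low, high = build_constructed_data()
    low_sample, high_sample = select_sample(low, high)
    low_exc = check_low_value(low_sample)
    high_exc = check_high_value(high_sample)
    print(f"{len(low_sample)} low-value lines weighed, {len(high_sample)} high-value lines recounted")
    print("exceptions:", low_exc, high_exc)
    print("actions:", conclude(low_exc, high_exc))
```

Whether the planted low-value discrepancy is caught depends on whether LV0007 falls in the 200 drawn, which is exactly the sampling-risk point the text makes: the tolerance and the sample size are fixed up front, and an exception, once found, drives a hand count and a larger sample rather than a judgement call after the fact.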
• Example of misalignment: If the control objective is to test for accuracy, that the bills of lading on shipping orders are matched to sales orders before the goods are shipped, and the control activity looks for authorization, that the sales and shipping orders are approved, then there is a misalignment of the objective and the activity. A different control activity must be planned.
• Example of unplanned discovery: We are testing for accuracy, that all sales orders are fully processed, but the test evidence shows that although accurate, not all sales orders are recorded in the period in which they are supposed to be recorded. The evidence leads the internal control representative to identify and list timeliness as a new control objective, control activity, and evidence on the testing form. Remedial action is required.

Once the evidence is gathered, the internal control representative analyzes the evidence to prove or disprove that it supports the control objective as working. The analysis step may be supported with such tools as variance analysis, process control charts, performance run charts, reconciliations, tree diagrams, and fishbone charts, basically any type of analysis that the internal control representative is comfortable using and that is appropriate for the process being reviewed.

Using the Internal Control Result of Control Activity Testing form, the internal control representative summarizes the tests and results. The results of each test, whether positive or negative, must be recorded to demonstrate that the internal control representative exercised an appropriate level of due diligence when reviewing the process. In addition, those items that indicate a deficiency need to be identified and classified for remedial action.
The internal control representative reviews the Result of Control Activity Testing form with the process owner, and together they determine an appropriate plan for remediation. The internal control representative submits the form to the internal control program manager, who then consolidates it with the other submitted test forms in order to evaluate and analyze the status of the company's internal controls. As the internal control program manager reviews the findings, there may be similar findings across functions that signal a systemic issue, which may require further testing and subsequent remediation.

The internal control program team shall recommend integrating the control activities with technology to provide automated controls where possible. The process manager or internal control program team shall identify the significant applications, including end-user computing applications such as spreadsheets, that support the significant financial reporting elements.

For items that require remediation, process managers are to take corrective action, and the internal control program manager must establish plans for subsequent retesting actions.

D. Information and communication. Prepare and distribute reports. As soon as the internal control testing is complete, or at least quarterly if only key measures are reviewed, the internal control program team evaluates the findings and prepares and distributes progress reports to process managers identifying those control activities performed and the corresponding results. Process managers are expected to reply with remediation and/or corrective action plans and an estimated completion date.

At least quarterly, the internal controls program manager consolidates results accumulated from control activities. The results are classified according to risk (i.e., impact to the financial statements) and probability of occurring, with all material weaknesses and significant deficiencies highlighted on the report.
From this ranking, the internal control program manager determines the company's overall internal control rating and the effectiveness of the internal control program.

E. Monitor, evaluate, and report. This phase requires that the internal control program manager consolidate the findings and review the internal control status with senior managers and leaders. The findings and review presented include a summary of the internal control plan, progress on implementing the plan, results of the testing activities, and recommended areas for improvement and disclosure. The results are presented to the audit committee of the board of directors and to the independent external auditors.

It was pointed out earlier that internal controls and audit are different processes with different objectives serving different constituents. However, to the degree that the internal controls program is effective and efficient, the independent external auditors may view the contribution from internal controls as part of the company's control environment and reduce the scope of their audits, thereby reducing the independent external auditor fees to the company. This monitoring section of COSO is aimed at evaluating the effectiveness of the internal control program.

To support the big G Governance CEO and CFO attestation, the quarterly subcertification letter asks select individuals who have, or should have, intimate knowledge of the company's processes to attest and subcertify along with the CEO and CFO. During the quarter the internal control program manager maintains a list of processes, process owners, and their financial and legal counterparts. A matrix is prepared, which serves as the distribution list for the quarterly subcertification letter and related questionnaire.
Prior to the end of the quarter, and allowing enough time for the internal control program manager to distribute, receive, evaluate, and resolve issues, the quarterly subcertification letter program is initiated.

The internal control program manager consolidates the data and information from the risk assessment, the control plan and activities, the internal control program itself, and the quarterly subcertification program and prepares a report. The report is reviewed with the CEO and the CFO and then distributed to the audit committee of the board of directors and the independent external auditor.

ROLES AND RESPONSIBILITIES

Control Environment: Representing Management Oversight
The board of directors is responsible for:
• Approving internal control strategies and policies
• Understanding the risks the company is subject to
• Setting the acceptable level of risks
• Ensuring that senior management takes the necessary steps to identify, monitor, and control the risks
• Approving the organizational structure
• Ensuring that senior management is monitoring the effectiveness of the internal control system

The audit committee of the board of directors is responsible for monitoring, overseeing, and evaluating the duties and responsibilities of management, the internal audit activity, and the independent external auditors as those duties and responsibilities relate to the company's processes for controlling its operations. The committee is also responsible for determining that all major issues reported by the internal audit activity, the external auditor, and other outside advisors have been satisfactorily resolved.
Senior management is responsible for:
• Implementing the strategies approved by the board of directors
• Establishing appropriate internal control policies
• Monitoring the effectiveness of the internal control system

Jointly, the board of directors and senior management are responsible for:
• Promoting high ethical and integrity standards
• Establishing a culture within the organization that emphasizes and demonstrates to all levels of personnel the importance of internal controls

Managers are responsible for establishing a network of processes with the objective of controlling the operations in a manner that provides the board of directors reasonable assurance that:
• Data and information published either internally or externally is accurate, reliable, complete, and timely.
• The actions of company officers, managers, and employees are in compliance with the company policies, standards, plans and procedures, and all relevant laws and regulations.
• The company’s resources (including its people, systems, data/information bases, and client goodwill) are adequately protected.
• Resources are acquired economically and employed effectively; quality business processes and continuous improvement are emphasized.
• The company’s internal controls promote the achievement of plans, programs, goals, and objectives.
Risk Assessment

Senior management is responsible for:
• Identifying and evaluating internal and external factors that could adversely affect the achievement of the company's objectives
• Continually evaluating the risks affecting the achievement of the company's strategies, goals, and objectives

Control Activities

Senior management is responsible for:
• Establishing an appropriate control structure to ensure effective internal controls
• Establishing control activities at every business level
• Periodically ensuring that all operational areas are in compliance with established policies and procedures
• Ensuring that control activities are an integral part of the daily operations
• Ensuring that there is appropriate segregation of duties and that personnel are not assigned conflicting responsibilities

Controlling is a function of management and is an integral part of the overall process of managing operations. As such, it is the responsibility of managers at all levels to:
• Identify and evaluate the exposures to loss relating to their particular sphere of operations.
• Specify and establish policies, plans, and operating standards, procedures, systems, and other disciplines to be used to minimize, mitigate, and/or limit the risks associated with the exposures identified.
• Establish practical controlling processes that require and encourage administrators, officers, and employees to carry out their duties and responsibilities in a manner that achieves the control objectives outlined above.
• Maintain the effectiveness of the controlling processes established and foster continuous improvement to these processes.
• Be prepared to cooperate when internal controls notify them as to review scope and schedule. They must promptly reply to reporting conditions and remediate in a complete and timely manner.
They must notify internal controls when unusual or nonroutine transactions or results present.

The process owner needs to:
• Perform a risk assessment.
• Understand the likely causes of error, omission, and misstatement.
• Scope the processes and activities to be performed.
• Establish a schedule to perform those activities.
• Assemble existing policies, procedures, processes, and instructions, including risks and controls.
• Produce evidence of operating effectiveness and efficiencies.
• Identify, monitor, and track opportunities for improvement efforts.
• Monitor, track, and report on efforts to remediate deficiencies.

Information and Communication

Senior management is responsible for:
• Ensuring adequate and comprehensive internal financial, operational, and compliance data
• Ensuring adequate and comprehensive external market information about events and conditions that are relevant to decision making
• Establishing effective channels of communications to ensure that all staff are aware of policies and procedures affecting their duties and responsibilities
• Ensuring that other relevant information is reaching the appropriate personnel
• Ensuring that there are appropriate information systems in place that cover all activities of the company
• Ensuring that information systems are secure and periodically tested

Monitor, Evaluate, and Report

Senior management is responsible for:
• Monitoring the overall effectiveness of the company's internal controls on an ongoing basis
• Monitoring key risks on a daily basis
• Evaluating each key risk separately

Jointly, the board of directors and senior management are responsible for:
• Ensuring an effective and comprehensive internal audit of the internal control system
• Ensuring that the internal audit function reports directly to the board of directors or its audit committee and to senior management

Senior management
is responsible for:
• Ensuring that internal control deficiencies are reported in a timely manner to the appropriate management level and addressed promptly
• Ensuring that material internal control deficiencies are reported to senior management and the board of directors

Evaluation of internal controls belongs to everyone. Company entity general managers and controllers, as well as functional business unit leadership, are responsible for:
• Requiring all business areas and company subsidiaries to have an effective system of internal controls that is consistent with the nature, complexity, and risk of the company's on- and off-balance-sheet activities and that responds to changes in the company's environment and conditions
• Taking appropriate action against companies with inadequate internal control systems to ensure that the internal control system is improved immediately

INTERNAL CONTROL – PLANNING, TESTING AND REMEDIATION WORKSHEET

Available in the URL download is an Excel worksheet with the following columns. For your convenience, the download is pre-populated with process/account, control objectives, and control activities as described in the internal control testing guides from Unit 3 of this manual.

Process/Account
Using a top-down assessment approach, list the significant processes and/or accounts that require testing. After the risk assessment has been performed and the risks identified, prioritize and classify the risks, and assign an executive sponsor to oversee the investigation and management of the risk. Ideally, the process would be engineered to eliminate and/or mitigate the opportunity for omission, error, misstatement and risk.

Control Objective/Risk
Identify the control objective or risk element that must be documented or tested.
Designate your own control objectives or use the ones identified and defined within the testing guides presented in the manual.

Control Activity
Identify the planned control activity that must be documented or tested. Design your own control activities, or use the ones identified and defined within the testing guides presented in the manual. Remember that the control activity must demonstrate that the internal control representative has defined a substantive activity that will produce sufficient evidence that the control is working. Supporting evidence shall be included or referenced on the Internal Control—Result of Testing form.

Sample Size and Results of Testing
Describe the approach used to determine the sample size, identify the sample size, and describe the findings that result. Reference the Internal Control—Results of Testing checklist and the supporting evidence collected. Remember to note where the control objective is working as designed and there are no findings. Even if not an immediate control exposure, remember to include areas of concern that may lead to control exposures or where process effectiveness and efficiency opportunities may exist.

Control in Place
Identify “Yes” or “No” as to whether the control objective is in place and proved by the control activity. If “No,” then describe the issue and rate the control.

Assessment
Assessment refers to your evaluation as to whether the control is working as it should be. Rate 1 as a significant deficiency, 2 as a material weakness, 3 as a reportable condition, and 4 as an effective control.

Process Owner
Those items rated as 1, 2, or 3 require a process owner to oversee the remediation efforts. This column is to identify the name of the process owner or person responsible for remediation.
Remediation Actions
If remediation actions are required, identify the immediate next steps and corrective action plans. Remediation actions and next steps should be developed in cooperation with the process manager.

Next Follow-up Date or Due Date
A follow-up date is required for those issues which cannot be readily corrected. This date should not be more than two weeks from the date of the testing, to ensure a timely response from the process manager. The corrective action may require a significant process reengineering plan and periodic meetings to ensure that the reengineering design corrects the control issues, or it may require a documented “work around” which allows employees to monitor and track the opportunity for risk. A due date is preferable as the date the issue is corrected and ready for retesting. Allow time for the correction to be implemented and for performance indicators to prove that the correction has been deployed; then follow with a retest of the control objective.

AUTHORIZATION AND APPROVAL PROGRAM

Within the company, little g governance defines roles, relationships, and reporting requirements. Organization charts show how work is organized, with solid and dotted lines drawn to cross-link functional groups. Direction and accountability become more complicated as cross-functional teams are established for projects. When there is disagreement or a lack of clarity over who is responsible for what, the development of a process ownership and authorization matrix is recommended. We discuss process ownership maps in other chapters, but here we examine their usefulness in assigning various levels of approval and authorization. Governance and leadership depend on establishing defined roles and responsibilities and encouraging and reinforcing specific behaviors.
Defining the Terms

Often used as synonyms, approval and authorization are different, requiring different skills and levels of action. The approval role is to accept as satisfactory, to hold a favorable opinion, to prove, and to attest. The approval responsibility refers to a process that encompasses reviewing and testing up to a level that allows the approver to feel comfortable and confident that the data and/or information presented is satisfactory and acceptable. Authorization refers to the person in command with influence and power to make the decision, to grant official authority, or to legally commit company funds and/or resources. A subdelegation of authority requires empowering others and is issued from those with authorization to act. As a control objective, those tasked with the role of approver may or may not have authority; therefore, the roles must be clearly defined and accepted.

Example: The board of directors provides authorization to the chief executive officer (CEO) and chief financial officer (CFO) to operate the company. The CFO subdelegates authorization for capital projects less than $5 million to the chief operating officer (COO); that is, the CFO allows the COO to make decisions about whether to proceed with capital projects; the COO has the ability to enter into formal company commitments for capital projects. In order not to be bogged down with the day-to-day operational aspects of the project, the COO assigns capital project approval to the real estate project manager. Once the COO has authorized the project, the real estate project manager’s role is to review and grant acceptance of the project details for execution. In this example, the real estate project manager is not authorized to sign contracts, but is authorized to execute those contracts.

Example: Those who have authorization to sign procurement contracts may subdelegate the approval of those contracts to professional staff within the business, finance, and legal units.
The approval in this case refers to reviewing and agreeing that the contract specifics (i.e., terms, conditions, products, services) are accurate and complete.

Delegation of Authority

Authority is derived from the owners of the company. For public companies, authority is identified and granted by the board of directors; for nonpublic companies, authority belongs to the proprietor or partners. From these official positions, a subdelegation of authority may be established based on roles and responsibilities. An example of a company’s delegation-of-authority policy and procedure as well as its related matrix follows. The matrix identifies the types of commitments that the company is likely to require, and it identifies the various positions that are then “authorized” to make those decisions and commitments.

RASCI

Building on this methodology, a company may find the following tool useful as a complement to the delegation-of-authority matrix. The role assignment is complementary to the one above, providing an additional layer identifying the various functions or operational areas. The role assignment is subordinate to the more formal delegation of authority. In every organization, in order to get work done, it is important to know who is responsible, who has approval, who provides support, who provides counsel, and who needs to be kept informed. A common methodology is to establish and use the RASCI (responsible, authority, support, counsel, and inform) matrix.

Example: Referring to our procurement example above, only the procurement department is authorized to purchase goods and/or services, while each of the other functional areas is responsible for the purchased products.

Example: The marketing organization may be assigned the authority to bring merger and acquisition requests forward to the CEO, CFO, and the board.
However, they must consult with manufacturing, technical support, administration, human resources, and legal. In addition, they must engage research and development and finance in the authorization process and inform sales.

Following are the:
• Subdelegation of authority policy and procedure and the sample delegation-of-authority matrix
• RASCI matrix and instructions

Customize both of these matrices to fit your company’s operational and transactional needs.

SUBDELEGATION-OF-AUTHORITY MATRIX

The authorization matrix is made up of the following sections:
A. Annual Budget and Plans
B. Nonbudgeted Capital Projects and Lease Obligations
C. Human Resources
D. Legal
E. Acquisitions, Divestitures, and Joint Ventures/Alliances
F. Procurement
G. Commercial Sales of Licensed Agreements, Product, Professional Services, Intellectual Property Asset-Sharing Agreements
H. Treasury and Intercompany Matters

Definitions as used within the matrix:
• Acquisition: Acquiring or purchasing, whether by asset purchase, stock purchase, merger, consolidation, or other business combination or otherwise, of any business, line of business, product, product line, assets including intellectual property and other intangible assets, securities, or any other ownership interest in any third party or related entity.
• Agreements: Encompass all one-time contracts and master agreements.
• Divestitures: Sale or disposition, whether by asset purchase, stock purchase, merger, consolidation, or other business combination or otherwise, of any business, line of business, product, product line, assets including intellectual property and other intangible assets, securities, or any other ownership interest in any third party or related entity.
• Review: (A) Providing documented feedback within the reviewer’s (or corporate committee’s) area of functional or technical expertise to the employee (or corporate committee) with decisional authority who, in turn, should consider such feedback prior to approving a transaction; or (B) where review is conducted by the employee or committee with decisional authority over the transaction, considering all of the facts and opinions gathered in the due diligence and review process and rendering a documented decision on whether to proceed with the proposed transaction as presented.
• Delegation of Authority (DOA): The formal written conveyance from one person to another of the authority to bind the company to a legally enforceable obligation.

Roles and Responsibilities
• A – Approval/decisional authority: Employees who have requisite authority emanating from resolutions approved by the board of directors through proper delegations of authority to make a decision to commit or bind the company to a legally enforceable obligation or benefit (transaction). Employees with approval/decisional authority should ensure that all requisite reviews of transactions have been completed and consider them prior to approving transactions.
• I – Inform authority: Employees who must be informed about a transaction as early as practicable in the process and, in any event, prior to approval and execution. It is the responsibility of the employee with the approval/decisional authority to ensure that appropriate stakeholders in the organization are informed about transactions.
• R – Review authority: Employees responsible for reviewing proposed transactions and providing documented feedback within the reviewer’s areas of functional or technical expertise to the approval/decisional authority employee who, in turn, should consider such feedback prior to approving the transactions.
• Authority/signatory authority: Employees who have requisite authority to sign documents that commit or bind the company to a legally enforceable obligation or benefit. Employees with signatory authority may not necessarily have approval/decisional authority; however, employees with approval authority have signatory authority. Any employee with signatory authority must ensure that all proposed transactions have received all requisite approvals prior to signing any documents that commit or bind the company to transactions.
• Payment execution authority: Employees who have requisite authority emanating from their position in the organization to authorize release of payments for goods, services, and obligations entered into by the company. Any employee authorized to execute payment must ensure that all requested transactions have received the appropriate documented reviews and approvals prior to the payment release. For most ordinary business expenditures, the payment execution authority and approval/decisional authority will be delegated to the same individual.

Areas with Worldwide Authority

In addition to the authorization levels identified within the matrix, the following transactions must comply with their related policies and procedures:
• Accounting: An accounting manager other than the originator must approve all journal entries.
• Contracts: The worldwide legal department (legal) must approve all contracts and legal obligations made on behalf of the company prior to their execution. Legal may subdelegate contract review of standard contracts to the functional business area. Alterations to company standard contracts and agreements must be approved by legal. All contracts executed on behalf of the company must be executed by at least a vice president and senior officer if not set forth elsewhere in this policy.
• Human Resources must provide written approval prior to extending any financial commitments to employees (e.g., hiring, salary or wage increases, incentives, commissions, and bonuses).
• Information Services (IS) must approve all purchases of computer-related hardware, software, networks, and peripherals used for internal purposes.
• Planning: The financial planning and analysis function approves the company’s plan and forecasts.
• Product and Services Pricing must be established according to preapproved guidelines and approved by the product/service business unit and the SVP Pricing.
• Real Estate commitments to purchase, lease, or rent property on behalf of the company must be approved by the headquarter real estate/facilities function. The treasurer must approve real estate financing arrangements.
• Sales and/or Services Finance must approve sales contracts or changes to sales terms and conditions, including delivery, shipment, payment, demo licenses, and future product discounts.
• Tax: Income, sales and use or country equivalent, import/export, property, and other tax-related preparations and obligations must be approved or delegated by the corporate tax department.
• Treasury must approve any and all bank accounts and establishes signing authority for issuing checks and arranging for electronic transfers.

Prepared by:    Date:
Approved by:    Date:
Authorized by:    Date:

Scope/Background

By resolution of the company’s board of directors (BOD), the BOD delegates to the chief executive officer (CEO) authority, including the authority to subdelegate and redelegate such authority, to conduct activities necessary for the operational continuation of the business. The purpose of this document is to:
• Identify expenditure authorizations in order to provide clear guidance over decision making and accountability company-wide.
• Increase transparency of decision making to enhance operational efficiency.

U.S. and international regulations require documented delegation of authority for public companies:
• Section 103 of the Sarbanes-Oxley Act requires external auditors to evaluate whether a company’s internal control and procedures provide reasonable assurance that transactions are being made in accordance with authorizations as subdelegated to management and directors.
• Section 404 of the Sarbanes-Oxley Act, in order to support the effectiveness of the Company’s internal control environment, requires that there be written documentation of the subdelegation chain and approval to execute a specific transaction.
• The U.S. Foreign Corrupt Practices Act of 1977 stipulates in its record-keeping and accounting provisions that access to a company’s assets include management’s authorization (i.e., written delegation and subdelegation authority).

Policy

In accordance with the BOD resolutions regarding this matter, it is IDEAL, LLP’s (company’s) policy to establish and delegate authorization to specific functional areas of the business and to specific individuals for the purpose of making commitments and collecting and disbursing cash on behalf of the company. The BOD delegates to the CEO specific authority and, in turn, the CEO subdelegates authority for certain activities (e.g., review and approval) to certain company officers and employees. It is the company’s policy that authorization be delegated to those areas that are held responsible for the successful implementation of company objectives. The company assigns authorization levels based on the employee’s level of responsibility. Commensurate authority is available to meet the needs of proper conduct for the business and therefore reflects the company’s strategic principles.

Policy and Procedures, Procedure No.
B03a  Section: Internal Controls  Page 1 of 4  Delegation of Authority  Department Ownership  Issue/Effective Date:  Replaces previously issued

Authorization must be in accordance with the authorization matrix (separate document). In a hierarchical corporate environment, authorization may be delegated following the reporting line of command and must be documented. Delegation is restricted to full-time company employees. The CEO, chief operating officer (COO), chief financial officer (CFO), chief administrative officer (CAO), and general counsel establish and delegate authorization limits. The company’s executive management empowers, authorizes, and grants responsibility to specific corporate positions through the company’s formal policies and procedures. Each business unit’s functional executive and their financial designate should either directly approve every financial commitment made on behalf of the unit or document the delegated line of authority. Functional authorizations must be aligned to the authorization matrix.

Delegation of Authority

Delegation of authority (DOA) is the formal written conveyance from one person to another of the authority to bind the company to a legally enforceable obligation. Each geographic and functional business area should document and align the subdelegation limits based on management responsibility. Note that business decisions require review and approval from a business manager and their financial controller or designate. Delegations of authority may be considered:
• Short term: Each manager should establish protocols for delegation when they anticipate being absent due to illness, vacations, leaves, or extended business trips. Delegations should be documented and distributed to the appropriate departments within the business area.
• Long term: Any delegation of a long-term nature must be approved by the CFO.
Special Areas with Worldwide Authority

In addition to the authorization levels identified within the matrix, the following transactions must comply with their related policies and procedures:
• Accounting: An accounting manager other than the originator must approve all journal entries.
• Contracts: The worldwide legal department (legal) must approve all contracts and legal obligations made on behalf of the Company prior to their execution. Legal may subdelegate contract review of standard contracts to the functional business area. Alterations to company standard contracts and agreements must be approved by legal.
• Information services (IS) must approve all purchases of computer-related hardware, software, networks, and peripherals used for internal purposes.
• Human resources must provide written approval prior to extending any financial commitments to employees (e.g., hiring, salary or wage increases, incentives, commissions, and bonuses).
• Planning: The financial planning and analysis function coordinates the approval of the company’s plan and forecasts.
• Product and services pricing must be established according to preapproved guidelines and approved by the product/service business unit and the senior vice president pricing.
• Real estate commitments to purchase, lease, or rent property on behalf of the company must be approved by the headquarter real estate/facilities function. Facility-related contracts (e.g., landscaping, cleaning, utilities) must be approved by real estate. The treasurer must approve real estate financing arrangements.
• Sales and/or services finance must approve sales contracts and changes to sales terms and conditions, including delivery, shipment, payment, demo licenses, and future product discounts.
• Tax: Income, sales and use or country equivalent, import/export, property, and other tax-related preparations and obligations must be approved or delegated by the corporate tax department.
• Treasury must approve any and all bank accounts and establishes signing authority for issuing checks and arranging for electronic transfers.

Planned Spending

Annually, the company approves regional plans that should achieve the business area’s goals and objectives. Spending to the authorized plan limits requires approval as per the authorization matrix. Under no circumstance shall local management authorize spending in excess of budget.

Roles and Responsibilities

The attached matrix identifies specific roles and responsibilities:
• A – Approver, having authority for final decision and signature.
• R – Reviewer, having review and analysis responsibility.
• I – Requires that information be provided to those in this role.

• Approval/decisional authority: Employees who have requisite authority emanating from resolutions approved by the BOD through proper delegations of authority to make a decision to commit or bind the company to a legally enforceable obligation or benefit (transaction). Employees with approval/decisional authority should ensure that all requisite reviews of transactions have been completed and consider them prior to approving transactions.
• Authority/signatory authority: Employees who have requisite authority to sign documents that commit or bind the company to a legally enforceable obligation or benefit. Employees with signatory authority may not necessarily have approval/decisional authority; however, employees with approval authority have signatory authority. Any employee with signatory authority must ensure that all proposed transactions have received all requisite approvals prior to signing any documents that commit or bind the company to transactions.
• Inform authority: Employees who must be informed about a transaction as early as practicable in the process and, in any event, prior to approval and execution. It is the responsibility of the employee with the approval/decisional authority to ensure appropriate stakeholders in the organization are informed about transactions.
• Payment execution authority: Employees who have requisite authority emanating from their position in the organization to authorize release of payments for goods, services, and obligations entered into by the company. Any employee authorized to execute payment must ensure that all requested transactions have received the appropriate documented reviews and approvals prior to the payment release. For most ordinary business expenditures, the payment execution authority and approval/decisional authority will be delegated to the same individual.
• Review authority: Employees responsible for reviewing proposed transactions and providing documented feedback within the reviewer’s areas of functional or technical expertise to the approval/decisional authority employee who, in turn, should consider such feedback prior to approving the transactions.
Controls/Areas of Responsibility
• Each business area should have a documented list of financial delegation and approval limits that is aligned with the company’s authorization matrix.
• All financial commitments undertaken on the company’s behalf should be in conformance with the company’s code of conduct and other company policies.
• The person granting financial authorization should not be the same person who requests, purchases, or receives the product or service.
• All contracts and documented records require stewardship in accordance with the records information management policy.
• A dedicated business planning and analysis group reviews and tracks results relative to achieving the company’s plan and reports variances as part of the monthly performance review package.
• An appropriate level of documentation and authorization signatures should accompany the request for spending and the subsequent setup in the accounting systems.

Contact
Chief financial officer
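The authorization-limit, review (R), inform (I), and segregation-of-duties controls described in this procedure and in the delegation-of-authority discussion above can be checked mechanically before a signatory commits the company. The following Python is an added example, not code from the book or from IDEAL; the matrix rows, positions, limits, and names are constructed, except for the $5 million capital-project limit that the CFO subdelegates to the COO, which follows the book's worked example.

```python
"""Pre-signature check against a delegation-of-authority matrix.

Added example, not the book's own code.  The matrix rows, positions, limits
and people are constructed; only the $5 million capital-project limit that
the CFO subdelegates to the COO comes from the book's worked example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class MatrixRow:
    """One transaction type in the authorization matrix: A / R / I roles."""
    approvers: dict          # position -> dollar limit (None = no limit)
    reviewers: frozenset     # functions that must give documented review (R)
    informed: frozenset      # functions that must be informed before approval (I)


# Constructed matrix covering two of the sections the book lists (B and F).
MATRIX = {
    "capital_project": MatrixRow(
        approvers={"COO": 5_000_000, "CFO": None},
        reviewers=frozenset({"legal", "finance"}),
        informed=frozenset({"real_estate"}),
    ),
    "procurement": MatrixRow(
        approvers={"procurement_director": 250_000, "CFO": None},
        reviewers=frozenset({"legal", "finance"}),
        informed=frozenset(),
    ),
}


@dataclass
class Transaction:
    kind: str
    amount: int                  # whole dollars
    requester: str
    purchaser: str
    receiver: str
    approver: str                # person exercising approval/decisional authority
    approver_position: str
    reviews: set = field(default_factory=set)    # functions with documented review on file
    informed: set = field(default_factory=set)   # functions informed before approval


def control_findings(tx: Transaction) -> list:
    """Return the control failures for a transaction; an empty list means the
    signatory may proceed.  Findings come out in a fixed order so they are
    deterministic and easy to record on the results-of-testing worksheet."""
    findings = []
    row = MATRIX.get(tx.kind)
    if row is None:
        return [f"no matrix row for transaction type {tx.kind!r}"]

    # Approval/decisional authority: the position must appear on the row and
    # the amount must be within the limit subdelegated to that position.
    if tx.approver_position not in row.approvers:
        findings.append(f"{tx.approver_position} holds no approval authority for {tx.kind}")
    else:
        limit = row.approvers[tx.approver_position]
        if limit is not None and tx.amount > limit:
            findings.append(f"amount {tx.amount} exceeds {tx.approver_position} limit {limit}")

    # Review (R) and inform (I) authority must be satisfied before approval.
    for missing in sorted(row.reviewers - tx.reviews):
        findings.append(f"missing documented review from {missing}")
    for missing in sorted(row.informed - tx.informed):
        findings.append(f"{missing} not informed prior to approval")

    # Segregation of duties: the person granting authorization may not be the
    # one who requests, purchases, or receives the product or service.
    if tx.approver in (tx.requester, tx.purchaser, tx.receiver):
        findings.append("approver also requests, purchases, or receives (segregation of duties)")
    return findings


if __name__ == "__main__":
    # Constructed sample: COO approving a $4M project with all reviews on file.
    sample = Transaction("capital_project", 4_000_000, "alice", "bob", "dana",
                         "carol", "COO", {"legal", "finance"}, {"real_estate"})
    print(control_findings(sample) or "no findings")
```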
SUB DELEGATION OF AUTHORITY MATRIX

SUPPORTS THE SUB DELEGATION OF AUTHORITY POLICY AND PROCEDURE

The Authorization Matrix is made up of the following sections:

A Annual Budget and Plans
B Non Budgeted Capital Projects and Lease Obligations
C Human Resources
D Legal
E Acquisitions, Divestitures and Joint Ventures / Alliances
F Procurement
G Commercial Sales of Licensed Agreements, Product, Professional Services, Intellectual Property Asset Sharing Agreements
H Treasury and Intercompany Matters

Definitions

Acquisition – acquiring or purchasing, whether by asset purchase, stock purchase, merger, consolidation or other business combination or otherwise, of any business, line of business, product, product line, assets (including intellectual property and other intangible assets), securities or any other ownership interest in any third party or related entity.

Agreements – encompass ALL one-time contracts and Master Agreements.

Divestitures – sale or disposition, whether by asset purchase, stock purchase, merger, consolidation or other business combination or otherwise, of any business, line of business, product, product line, assets (including intellectual property and other intangible assets), securities or any other ownership interest in any third party or related entity.
Review – a) providing documented feedback within the reviewer's (or corporate committee's) area of functional or technical expertise to the employee (or corporate committee) with decisional authority who, in turn, should consider such feedback prior to approving a transaction; or b) where review is conducted by the employee or committee with decisional authority over the transaction, considering all of the facts and opinions gathered in the due diligence and review process and rendering a documented decision on whether to proceed with the proposed transaction as presented.

Delegation of Authority (DOA) is the formal written conveyance from one person to another of the authority to bind the company to a legally enforceable obligation.

Roles and Responsibilities

A Approval / Decisional authority – employees who have requisite authority, emanating from resolutions approved by the BOD through proper delegations of authority, to make a decision to commit or bind the company to a legally enforceable obligation or benefit (transaction). Employees with approval / decisional authority should ensure all requisite reviews of transactions have been completed and consider them prior to approving transactions.

I Inform authority – employees who must be informed about a transaction as early as practicable in the process and, in any event, prior to approval and execution. It is the responsibility of the employee with the approval / decisional authority to ensure that appropriate stakeholders in the organization are informed about transactions.

R Review authority – employees responsible for reviewing proposed transactions and providing documented feedback within the reviewer's areas of functional or technical expertise to the approval / decisional authority employee who, in turn, should consider such feedback prior to approving the transactions.
Authority/Signatory authority – employees who have requisite authority to sign documents which commit or bind the Company to a legally enforceable obligation or benefit. Employees with signatory authority may not necessarily have approval / decisional authority; however, employees with approval authority have signatory authority. Any employee with signatory authority must ensure that all proposed transactions have received all requisite approvals prior to signing any documents that commit or bind the Company to transactions.

Payment execution authority – employees who have requisition authority emanating from their position in the organization to authorize release of payments for goods, services and obligations entered into by the company. Any employee authorized to execute payment must ensure that all requested transactions have received the appropriate documented reviews and approvals prior to the payment release. For most ordinary business expenditures, the payment execution authority and approval / decisional authority will be delegated to the same individual.

Areas with Worldwide Authority

In addition to the authorization levels identified within the matrix, the following transactions must comply with their related policies and procedures:

Accounting – An accounting manager other than the originator must approve all journal entries.

Contracts – The Worldwide Legal Department (Legal) must approve all contracts and legal obligations made on behalf of the Company prior to their execution. Legal may sub-delegate contract review of standard contracts to the functional business area. Alterations to Company standard contracts and agreements must be approved by Legal. All contracts executed on behalf of the Company must be executed by at least a Vice President and Senior Officer if not set forth elsewhere in this policy.
Global Information Services (GIS) must approve all purchases of computer-related hardware, software, networks and peripherals used for internal purposes.

Human Resources must provide written approval prior to extending any financial commitments to employees (e.g., hiring, salary or wage increases, incentives, commissions and bonuses).

Planning – The Financial Planning and Analysis function approves the Company's plan and forecasts.

Product and Services Pricing must be established according to pre-approved guidelines and approved by the product / service business unit and the SVP Pricing.

Real Estate commitments to purchase, lease or rent property on behalf of the Company must be approved by the headquarter Real Estate / Facilities function. The Treasurer must approve Real Estate financing arrangements.

Sales and/or Services Finance must approve sale contracts and changes to sales terms and conditions, including: delivery, shipment, payment, demo licenses and future product discounts.

Tax – Income, sales and use (or country equivalent), Import/Export, Property and other tax-related preparations and obligations must be approved or delegated by the Corporate Tax department.

Treasury must approve any and all bank accounts and establishes signing authority for issuing checks and arranging for electronic transfers.

PROCEDURE B03B

AUTHORIZATION – DELEGATION, SUB DELEGATION OF AUTHORITY

U.S. Dollars Authorization Levels – refers to a single transaction

Column order: BOD, CEO, COO, Human Resources, CFO, General Counsel, Business Unit Manager, Business Unit Finance Manager. Codes: A = approval / decisional authority, R = review authority, I = inform authority. Each row lists its codes in that order as they appear in the original matrix; blank cells are not shown, so a row with fewer than eight codes cannot be mapped back to specific columns from this copy.

A Annual Budget and Plans: R A A A A A R R

B Non Budgeted Capital Projects and Lease Obligations
Capital projects not approved as part of the annual budget – Per project aggregate value
  Over $10M: A R R R R R R R
  $5M to $10M: A R R R R R R
  $2.5M to $5M: A I R I R R
  $1M to $2.5M: A R R
  Up to $1M: A A
Capital and Operating Lease Obligations
  Over $10M: A R R R R R R R
  $5M to $10M: A R R R R R R
  $2.5M to $5M: A I R I R R
  $1M to $2.5M: A R R
  Up to $1M: A A

C Human Resources
Executive – individual employee plans: Recruitment, Hiring, Severance
  Any Value: I A R A R R
Non executive – individual employee plans: Recruitment, Hiring, Severance
  Any Value: I A A A
Restructuring and Reorganization initiatives
  Over $10M: A R R R R R R R
  $5M to $10M: A R R R R R R
  $1M to $5M: I A R A I R R
  Up to $1M: I A R A I R R
Employee benefits, HR policy impact
  Over $5M: A R R R R R R
  Up to $5M: I I A R I R R
Executive – stock options or equity compensation programs
  Any Value: A R R R R
Non executive – stock options or equity compensation programs
  Any Value: I A I R R R

D Legal
Product Liability and Class Action Claims (Corporate Secretary and VP Public Relations need to be informed of ALL)
  Over $10M: A R R R R R R
  $5M to $10M: A R R R R R
  Up to $5M: I I A A R R
  Non monetary, Material Settlement: A R R R R R
  Non monetary, Non material Settlement: I I A A R R
Commercial Litigation and Claims including Patent and Intellectual Property Disputes (Corporate Secretary and VP Public Relations need to be informed of ALL except less than $5M)
  Over $10M: A R R R R R R
  $5M to $10M: A R R R R R
  Up to $5M: I I A A R R
  Non monetary, Material Settlement: A R R R R R
  Non monetary, Non material Settlement: I I A A R R
Labor and Employment Claims (Corporate Secretary and Public Relations need to be informed)
  Over $10M: A R R R R R R
  $5M to $10M: A R R R R R
  Up to $5M: I I A A R R
  Non monetary, Material Settlement: A R R R R R
  Non monetary, Non material Settlement: I I A A R R

E Acquisitions, Divestitures, and Joint Ventures/Alliances
Investment Committee: reviews ALL and is made up of the CEO, COO, Human Resources, CFO, General Counsel, Business Unit Management, Business Unit Finance Management
  Any single Acquisition or Divestiture, Over $10M: A R R R R R R R
  Acquisitions, Divestitures, and Joint Ventures/Alliances with a single or aggregate value Up to $10M: A A A A A R R

F Procurement
Purchase or Lease of Goods and Services – VP Procurement must approve ALL
  Over $5M: I A R I R R R R
  Up to $5M: A A R R R
  Up to $500K: R R A A
Procurement (excludes: Mergers, Acquisitions, Licensing Agreements, Royalties, Intellectual Property, Technology)
Professional Services – External Auditors Annual Contract: A

G Sales
Standard Product Pricing – list prices, discounts, Terms and Conditions
  Any Value: I A A R R
Discount within standard range, Any Value: A A
Discount exceeding standard range, Any Value: I A A A R R
Standard Contract language, Any Value: A A
Non standard Contract language, Any Value: I A A A R R
Commission Plan: I A A A A R R
Payment Terms and Concessions, Any Value: I A A R R
Licenses/Asset sharing agreements – outbound technology sharing, Any Value: I A A A R R
Licenses/Asset sharing agreements – inbound technology sharing, Any Value: I A A A R R

H Treasury and Intercompany Matters – ALL must be approved by the Corporate Treasurer
Cash and Banking – opening, changing, closing accounts – movement of cash – investment of excess cash, Any Value: I
Investment transactions
  Over $10M: I A A
  Up to $10M: I R
Financing transactions including debt, issuance or retirement of debt, issuance or retirement of guarantees
  Over $10M: I A A
  Up to $10M: I R
Transactions incorporating equity components, Any Value: A A A A A

RESPONSIBILITY, AUTHORITY, SUPPORT, COUNSEL, AND INFORM (RASCI)

The following procedure can be used to establish the RASCI either at an organizational or process level. As a control objective, RASCI clearly defines the interrelationships and dependencies between functional areas. The various assigned roles may be reviewed and tested to ensure that an appropriate level of due diligence is conducted. Consider which functional areas or individuals provide the various RASCI roles as described.

Responsible refers to the person or group that actually performs the work and completes the task. The output of being responsible is action and implementation.
The person or group who is in charge or has authority is responsible for naming those who are in fact accountable for the design, deployment, and execution of actions. There may be many individuals or groups that will be held responsible for a given process or activity.

Authority refers to the person or group that is held accountable for the work performed. This person has legitimate authority to approve the adequacy of the deliverable. Sometimes referred to as the executive owner or sponsor of a process or project, this person holds the power for go/no go decisions or responds with yes/no decisions. There must be one authority figure and only one authority role assigned per process.

Support refers to the person or group that provides active assistance to complete the task. This person or group may have specific subject matter expertise, provide administrative or logistical coordination, and may be used for some or all of the activities and tasks. For successful outcomes there may be none, one, or many individuals or groups that provide supportive resources. Where there is no supporting role assigned, it means that the full support remains with those identified as responsible.

Counsel refers to the person or group that provides consultative support between any of the persons or groups. Those who provide counsel have information, resources, or capability necessary for decision making or to complete the work. These are generally people with technical expertise regarding rules, regulations, and terms and conditions required in the design, development, and execution of the process or project. For successful outcomes there may be one or many individuals or groups that provide consultation.

Inform refers to those persons or groups that must be notified regarding the progress and/or results. These are individuals or groups with a "need to know" regardless of whether the need relates to courtesy information or is required for complementary processes or projects.
Those assigned the inform role must understand the process and how it may or may not integrate with processes under their locus of control. To maintain segregation of duty integrity, the inform role must not be assigned to those who have been assigned responsibility within the authority, support or counseling roles.

As a control objective, development of a RASCI matrix indicates that there are clearly defined roles and that review and testing can be directed to ensure that the cross-functional team has executed their role accordingly. Those responsible must maintain the audit trail, which indicates that review and approval has occurred throughout the process. An example of a RASCI matrix follows.

When constructing the RASCI matrix, use the following steps:

• Identify processes or activities. Note that this list is useful for many internal control activities, so taking the time to create and gain approval on this list will assist with many control activities.
• Identify the roles. Broadly speaking, roles may follow the organization chart along functional lines.
• Complete the cells of the matrix by assigning an R, A, S, C, or I. Not every cell needs to be complete; however, there is an advantage to filling every cell if one of the goals of using this matrix is to enhance and enrich cross-functional communication.
• Each process must have only one A, and should only have one R. When more than one R shows up, it is a sign that there is overlap and the potential for confusion. The process needs to be further divided, with each party understanding the scope of their responsibility.
• To complete the matrix, assign supporting, counseling, and informing roles to the rest of the roles. Resolve areas where there are gaps (i.e., omissions) and duplication where there must not be duplications.
• Once the cells have been completed, remember to gain agreement from the role owners that they have, in fact, accepted their assignment.

PROCEDURE B03C

Columns: R&D = Research and Development; M&D = Manufacturing and Distribution; Mkt = Marketing; Sls = Sales; TSp = Technical Support; Fin = Finance; Adm = Administration; HR = Human Resources; Lgl = Legal.

Functions / Processes           R&D  M&D  Mkt  Sls  TSp  Fin  Adm  HR   Lgl
Research and Development
  Product Management            A/R  S    C    C    S    R    I    I    I
  Product Development           A/R  R    C    C    R    R    I    I    I
  Intellectual Property         A/R  R    I    I    S    I    I    I    R
  Emerging Markets              A/R  C    R    S    C    C    I    I    C
Manufacturing and Distribution
  Production                    R    A/R  I    C    S    R    I    I    I
  Materials Management          R    A/R  I    I    S    S    I    I    I
  Inventory Management          I    A/R  I    R    S    S    I    I    I
  Distribution and Logistics    I    A/R  I    C    C    S    R    I    I
  Safety and Security           S    A/R  I    I    C    I    R    I    I
Marketing
  Strategic Marketing           C    C    A/R  R    I    S    I    I    I
  Geographic Marketing          I    C    A/R  R    I    S    I    I    I
  Product Marketing             R    C    A/R  R    C    S    I    I    S
  Brand Management              C    I    A/R  R    I    I    I    I    S
  Demand Generation             C    S    A/R  R    C    I    I    I    I
  Mergers and Acquisitions      R    C    A/R  I    C    R    C    C    C
Sales
  Sales Strategy                R    S    S    A/R  C    R    I    I    I
  Sales Plan                    S    R    R    A/R  I    R    I    I    I
  Sales Operations              S    S    S    A/R  R    S    I    I    S
Technical Support
  Maintenance                   S    I    I    S    A/R  S    I    I    I
  Technical Support             R    S    I    I    A/R  I    I    I    I
  Product Knowledge             R    R    S    I    A/R  I    I    I    I
Finance
  Corporate Finance             S    S    S    S    S    A/R  S    S    S
  Corporate Accounting          I    I    I    I    I    A/R  I    I    I
  Geographic Finance            S    S    S    S    S    A/R  S    S    S
  Geographic Accounting         I    I    I    I    I    A/R  I    I    I
  Functional Finance            R    R    R    R    R    A/R  R    R    R
  Functional Accounting         I    I    I    I    I    A/R  I    I    I
  Investor Relations            I    I    I    I    I    A/R  I    I    I
  Planning and Budgeting        R    R    R    R    R    A/R  R    R    R
Administration
  Product Pricing               S    I    C    C    I    I    A/R  I    C
  Information Technology        C    C    C    C    C    R    A/R  C    C
  Procurement                   R    R    R    R    R    R    A/R  R    R
  Real Estate and Facilities    S    S    I    I    I    R    A/R  S    I
  Insurance                     I    I    I    I    I    S    A/R  I    C
Human Resources
  Recruitment                   C    C    C    C    C    C    C    A/R  C
  Retention                     C    C    C    C    C    C    C    A/R  C
  Training and Development      R    R    R    R    R    R    R    A/R  R
  Compensation and Benefits     I    I    I    C    I    C    I    A/R  R
  Employee Relations            I    I    I    I    I    I    I    A/R  S
  Performance Management        R    R    R    R    R    R    R    A/R  R
Legal
  Law                           I    I    I    I    I    I    I    I    A/R
  Contracts                     I    I    C    C    I    S    C    C    A/R
  Compliance and Risk           S    S    S    S    S    S    S    S    A/R

INFORMATION TECHNOLOGY PROGRAM

As technology provides opportunities for growth and development, it also carries risks and threats due to interruption of service, theft of data or information, and fraud or manipulation of data or information. Information technology (IT) control activities describe procedures that provide assurance that the processes which transport and hold data and information are reliable, safe, and secure. IT controls are essential to protect company-held data and information, demonstrate ethical behavior, and preserve brand reputation and company trust.

Within the IT environment, IT controls must present continuous evidence of their effectiveness, and that evidence must be monitored, assessed, and evaluated on an ongoing basis.

Different functional areas have different issues and needs regarding IT and IT controls. Marketing and public relations may want to showcase IT improvements as a way to demonstrate competitiveness and innovation. Human resources and compliance areas may be concerned with protection against information theft and with complying with legislation and regulations. Finance may want to demonstrate improved value for the IT investments by increasing productivity and driving costs down.
IT may be driven by managing the complexity that results from diverse technical components having to work with each other, while at the same time monitoring the movement of IT assets.

Within information technology there are general and application controls:

General controls, also referred to as infrastructure controls, apply to all systems, components, processes, and data. General controls include such topics as information handling and security, administrative access and authentication, the separation of key IT functions to ensure segregation of duties, management of IT asset acquisition and use, and backup, recovery and business continuity.

Application controls are business process specific and include such controls as data edits and the separation of duties between the transaction initiator and the transaction processor or authorizer. Application controls are designed into the software program or system and may be preventive or detective in nature. These controls are generally automated and nondiscretionary; that is, they are generally produced whenever the application is opened or used. There are often compensating and redundant controls which provide a clear check and balance to reconcile or validate the data, e.g., foot and cross-foot, or the automatic reclassification of amounts remaining in suspense accounts.

As with other functional areas, perform a top-down risk assessment for IT. To assess the current risk status of IT controls, rate (as high, medium, or low) the following items as to the probability that something could go wrong and, if it were to go wrong, the impact on your company. Once you complete this risk assessment, ask your IT professionals to also provide this quick assessment. Share and compare your ratings and develop a plan to improve.

• Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both. Are there some systems or applications that worry you more than others?
• Do you feel you are achieving the most productivity or return for your IT investment?
• Unauthorized access to data that may result in destruction of data or improper changes to data. Identify the types of data (e.g., financial, legal, HR) which, if lost or manipulated, would have the greatest risk to your company.
• Unauthorized changes to data in master files
• Unauthorized changes to systems or programs
• Failure to make necessary changes to systems or programs
• Inappropriate manual intervention
• Potential loss of data

PROCEDURE B04

IT applications must design in and document controls to address these risk areas. IT policies and controls shall be developed to address:

• The level of security and privacy expected throughout the organization
• Classification of information and the rights to access and limitation of use
• Concepts of data and system ownership, and the authorization required to originate, modify, or delete data
• Recruiting and hiring of staff for sensitive or critical areas
• Disaster recovery and business continuity
• Standards to be used when developing, modifying, configuring, testing, and documenting software implementation
• IT segregation of duties, ensuring that no one individual has access to or controls all aspects of processing, reviewing and authorizing data. Within the IT environment, there must be separation between systems development and operations.
• The physical safeguarding and protection of IT assets, including hardware, software, and networks, from accidental or deliberate damage or loss

However, documentation is not enough: technical control activities are required to be implemented, monitored and tracked.
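The application controls described above (data edits, initiator separated from authorizer, a detective exception report compensating for the preventive edits) and the system-based checks the readiness checklist asks about later (valid dollar range, master-table validation, duplicate rejection, period cutoff, authorized overrides) look like this when built into a posting feed. This is an added example, not code from the book; the master tables, open period, dollar range, approver list and postings are constructed.

```python
"""Preventive application controls on a journal posting feed.

Added example, not from the book. The master tables, open period, dollar range,
approver list and postings are constructed for illustration; a real feed would
read them from the accounting system.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Constructed master tables: a posting may only reference values that exist here.
VENDOR_MASTER = {"V1001", "V1002"}
ACCOUNT_MASTER = {"6100-travel", "2000-ap"}
# Constructed open accounting period and established dollar range.
PERIOD_START, PERIOD_END = date(2008, 8, 1), date(2008, 8, 31)
AMOUNT_RANGE = (0.01, 1_000_000.00)
# Constructed set of roles allowed to authorize a control override.
OVERRIDE_APPROVERS = {"controller"}


@dataclass(frozen=True)
class Posting:
    doc_id: str
    posting_date: date
    vendor: str
    account: str
    amount: float
    initiator: str
    approver: str
    override_by: Optional[str] = None   # who authorized posting outside the open period


def validate(p: Posting, seen_doc_ids: Set[str]) -> List[str]:
    """Nondiscretionary edits applied to every posting. Returns the reasons for
    rejection; an empty list means the posting is accepted and its document id
    is recorded so that a later duplicate is caught."""
    errors = []
    if not AMOUNT_RANGE[0] <= p.amount <= AMOUNT_RANGE[1]:
        errors.append("amount outside established dollar range")
    if p.vendor not in VENDOR_MASTER:
        errors.append(f"vendor {p.vendor} not in master table")
    if p.account not in ACCOUNT_MASTER:
        errors.append(f"account {p.account} not in master table")
    if p.doc_id in seen_doc_ids:
        errors.append(f"duplicate posting of document {p.doc_id}")
    outside_period = not PERIOD_START <= p.posting_date <= PERIOD_END
    if outside_period and p.override_by not in OVERRIDE_APPROVERS:
        errors.append("posting date outside open period without authorized override")
    # Segregation of duties: the initiator may not also be the processor/authorizer,
    # and a journal entry needs an approver other than its originator.
    if p.initiator == p.approver:
        errors.append("initiator and approver are the same person")
    if not errors:
        seen_doc_ids.add(p.doc_id)
    return errors


def process_feed(postings: List[Posting]) -> Tuple[List[str], List[Tuple[str, List[str]]]]:
    """Run a feed through the controls. Accepted document ids go through; rejected
    items come back with their reasons, which is the exception report a reviewer
    works from (the detective control behind the preventive edits)."""
    seen: Set[str] = set()
    accepted, rejected = [], []
    for p in postings:
        errors = validate(p, seen)
        if errors:
            rejected.append((p.doc_id, errors))
        else:
            accepted.append(p.doc_id)
    return accepted, rejected


# Constructed feed: one clean entry, the same document resubmitted, an entry the
# preparer approved himself outside the period, an authorized late entry, and an
# entry with an unknown vendor and an out-of-range amount.
SAMPLE_FEED = [
    Posting("JE-1", date(2008, 8, 15), "V1001", "6100-travel", 1250.00, "pat", "mgr1"),
    Posting("JE-1", date(2008, 8, 15), "V1001", "6100-travel", 1250.00, "pat", "mgr1"),
    Posting("JE-2", date(2008, 9, 2), "V1001", "2000-ap", 500.00, "pat", "pat"),
    Posting("JE-3", date(2008, 9, 2), "V1002", "2000-ap", 500.00, "pat", "mgr1", "controller"),
    Posting("JE-4", date(2008, 8, 20), "V9999", "6100-travel", 2_000_000.00, "pat", "mgr1"),
]

if __name__ == "__main__":
    ok, bad = process_feed(SAMPLE_FEED)
    print("accepted:", ok)
    for doc_id, reasons in bad:
        print("rejected", doc_id, "->", "; ".join(reasons))
```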
Standard operational technical controls must be designed into systems and program application set-up parameters, with these controls addressing:

• Access rights assigned to individuals must be allocated and controlled, ensuring that the appropriate level of access is granted to only active employees.
• Segregation of duties enforced through system software and configuration controls. The segregation of duties shall be the same as those defined for operational and financial processes.
• Security, intrusion, and vulnerability assessment. IT security shall have preventive and detective controls in place and be continuously monitored for breach, with all noncompliance situations promptly addressed.
• Encryption services applied where confidentiality is a stated requirement.
• Change management process applied to all changes and patches to software, systems, network components, and data.

Technical controls are not just about overseeing the implementation of the applications; they must also address how the applications are used by end users. Technical control activities identified as end user responsibility include:

• Input controls to ensure data is complete, accurate, timely, and authorized
• Processing controls to ensure data is processed as intended
• Output controls to ensure data is accurate, complete, timely, and authorized
• Data movement is monitored and tracked, providing an audit trail

Data, information handling and security control activities address:

• Classifying information and data to ensure data and information is appropriately labeled as internal use only, confidential, or restricted. According to the level of classification, data and information must be protected from unauthorized access, disclosure, or interruption and divulged as and when appropriate.
• Authenticating data by employing technical controls to validate data integrity as to its source, access, and use
• Retention controls ensure data is stored and accessible as complete and accurate in accordance with records and information management policies and procedures
• Availability controls ensure that the data and information is available when, where, and in the format it is needed. Availability control issues also include recovery from loss, disruption, or corruption of data and IT systems.

From the preceding lists, there are layers of technology controls that touch every aspect of your business. Whether through enterprise-wide systems, applications and networks or via local applications, all need to have built-in technology controls. Ask your IT professionals to also answer the following control questions and compare with the initial assessment above. When performing a readiness checklist for information and technology-related controls, consider the following questions and risk assess your responses.

1. For access controls:
   a. Is a restricted list prepared based on job responsibilities?
   b. How and how often is the access list reviewed for accuracy and approved for appropriateness?
2. For exception report controls:
   a. Which systems and applications produce exception reports?
   b. What information is contained in the report?
   c. Who reviews the report and how often?
   d. What follow-up activities are performed for exceptions/errors detected?
   e. How are file transfers reviewed for completeness and accuracy?
   f. How often do file transfers occur?
   g. What system generates the report?
3. For management review/monitoring controls:
   a. How often are reports/results reviewed?
   b. What is the purpose of the review?
   c. Who performs the review?
   d. Are discrepancies and variances logged for corrective action?
   e. Who is responsible for monitoring and tracking follow-up actions until they are resolved?
4. For segregation of duties controls:
   a. Which responsibilities are segregated?
   b. Does this list match the one used by finance?
   c. Does an organization or department chart exist, and where is it located?
5. For approval or authorization controls:
   a. Are these designed into the system or application, or are they manual?
   b. Do the approval and authorization controls match the official delegation of authority documentation?
6. For reconciliation controls:
   a. Who prepares and performs the reconciliation?
   b. What is the purpose of the reconciliation?
   c. Who reviews the reconciliation and how is this evidenced?
   d. Are there independent sources for supporting reports and systems, and how is this documented?
   e. How are differences investigated/resolved?
7. For document processing controls:
   a. Are the IT systems, applications, and procedures documented?
   b. Are documents prenumbered and system generated (e.g., sales orders, invoices)?
   c. How are documents safeguarded (e.g., physical controls over checks, contracts, manual journal entry logs)?
8. For physical asset controls:
   a. Are the systems and applications rated as to their criticality to the business? Is documentation available that describes procedures for monitoring, maintenance, and disaster recovery of these systems and applications?
   b. Is access to assets and related record keeping appropriately restricted, and is it reviewed periodically?
   c. What procedures ensure the accuracy of the related record keeping (activity logs)?
9. For system based controls:
   a. Are there checks and balances designed into the program to ensure that data entry contains valid information (e.g., current date, established dollar range) in order for a record to be accepted?
   b. Is information validated against a master table where applicable (e.g., customer number, product number, vendor number, purchase order number)?
   c. Are master data and tables reviewed and updated regularly to ensure accuracy and completeness?
   d. Are duplicate postings/entries rejected by the system?
   e. Are accounting period-end cutoff dates enforced by the system?
   f. Are system-based control overrides properly authorized?

END-USER COMPUTING AND SPREADSHEET CONTROL

End-user computing (EUC) describes job situations where professionals utilize computers as supporting tools within the computing environment.

What is EUC? EUC refers to the use and integration of computer-aided tools and approaches that reside on the user's computer rather than on the company's mainframe. EUC is becoming more accepted and is one of the more common and widespread activities carried out in organizations today. More and more, business activities begin and end with computer activities and an end user.

What is EUC about? EUC tools are those where the end user has arranged for or provided the programming or customized inquiries. The results of this programming are used to determine or analyze transactional activities with the purpose of producing data and information required for journal entries and/or disclosure statements. For accounting and finance professionals, EUC is defined as spreadsheets used in the process to determine financial statement transaction amounts, where the amounts are used to produce journal entries and/or support disclosure statements.

Why is EUC important?
For accounting and finance professionals, Sarbanes-Oxley regulations require documented controls for internal controls over financial reporting. Developing an EUC policy and procedure and paying attention to EUC controls adds accuracy, completeness, and integrity to the output used for financial analysis and reporting. Spreadsheets are manual and can easily lead to error, omission, or misstatement through changes as simple as inserting or deleting columns or rows or cutting and pasting data. The simple act of opening a spreadsheet can trigger an unwanted recalculation of the data. The more heavily a company relies on EUC, the more attention it needs to pay to EUC controls.

Many end users do not have programming discipline or a sophisticated knowledge of what spreadsheets can do. Most spreadsheet users employ the same standard arithmetic formulas and formatting commands. Documentation of programming and formulas, and the design of controls into the spreadsheet, are often lacking.

In companies where there is a seamless flow of information from source data entry to financial statement reporting, additional EUC controls are not needed. In most companies, however, there is a gap between the software application where the source data is entered and the financial reporting system. Often a data report is downloaded from the application to a spreadsheet, analyzed, and perhaps reformatted to be uploaded into the general ledger application. The difference is shown in the following flow.

[Figure: Best practice: Application → Processing → General Ledger. General practice: Application → Data Output → Spreadsheet → General Ledger.]

Each handoff point or arrow requires controls to be embedded into the process. Employees who use EUC generally perform the roles of preparer, reviewer, file share owner, and security operations.
Internal control for end-user computing requires that these roles be segregated. The typical control responsibilities of each role are:

The preparer prepares and formats the spreadsheet by programming the formulas and arranging for the input of source data. Preparers are responsible for documenting the process with auditable instructions that any user can follow, and for building in control totals to verify the accuracy and completeness of the data input and output.

The reviewer serves as a check on the preparer. The reviewer arranges to test and audit the documentation, the spreadsheet formulas, and the use of the data input and output. The reviewer confirms that the preparer has used the spreadsheet appropriately and that, other than the data input, there were no changes to the formulas or to the use of the output. Required spreadsheet changes must be documented and approved by the data output stakeholders.

File share owners are responsible for maintaining an inventory of spreadsheets, spreadsheet owners, and a description of each spreadsheet's purpose and function. To safeguard the spreadsheet as an asset, file share owners retain approved spreadsheets on a shared repository.

The security operations team oversees access rights to the file share repository and the use of the spreadsheets. The file share owner may also carry security operations responsibilities, as long as they are not the preparer or the reviewer of the same spreadsheet.

A controlled alternative for end-user computing is to deploy the following process. Depending on how pervasive spreadsheet use is, however, this process could easily become onerous and bureaucratic to monitor. Begin by identifying those spreadsheets that are critical to the company's financial reporting and expand the discipline where it makes sense. The benefits of the program are a consistent and standard format for spreadsheets, and the introduction and encouragement of software application design and control disciplines.
Include review and approval of data prior to submission to the next process step.

When preparers need the spreadsheet, they go to the repository where approved spreadsheets are maintained to access it. Before using the spreadsheet, they should review it to ensure that the spreadsheet format and formulas have not been tampered with. Once satisfied, they populate and use the spreadsheet as it was designed. Using the control totals built into the spreadsheet, the preparer reconciles the input and output data to validate that the data is complete and accurate. The preparer signs the spreadsheet cover sheet to indicate that they have performed the necessary controls. Once the preparer has completed their use of the spreadsheet, it is saved on the official repository.

The reviewer tests the spreadsheet to ensure data and formula accuracy. The reviewer also examines the documentation for auditability. The reviewer signs the spreadsheet cover sheet to indicate that they have reviewed and tested the spreadsheet, data output, and documentation. The reviewer is often identified as the spreadsheet owner.

When changes are required to the spreadsheet, the preparer arranges for the updated spreadsheet to be reviewed by the reviewer and any other interested stakeholders. Their approval is required before the file share owner replaces the spreadsheet on the approved repository with the revised version. The file share owner monitors and tracks changes to the spreadsheet and updates the spreadsheet inventory as required. At least quarterly, the file share owner reviews and validates the spreadsheets with the spreadsheet owners. The IT security operations department maintains a list of authorized users who have access rights to specific spreadsheets and, at least quarterly, validates that list with the spreadsheet owners.
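The pre-use tamper check, the control totals, and the foot/cross-foot test described above (and again in the spreadsheet tips that follow) can be automated rather than done by eye. The script below is an added example and is not part of the book or of any product it describes. It models a workbook as a dict of cell address to value or formula string; the "approved" and "tampered" sheets are constructed inline so the script runs offline (a real workbook would be read with a library such as openpyxl, which is not assumed here). The cell addresses, amounts, range limits, and the tampering shown are all assumptions.

```python
"""EUC spreadsheet integrity checks: a formula manifest that detects tampering
against the approved baseline, the input-range test the IF(OR(...)) formula
performs, a batch total against the keyed control total, and a foot/cross-foot
check. Added example; both sheets below are constructed, not real workbooks."""
import hashlib

# Constructed approved sheet: inputs in A1:A3, validation formulas in B1:B3,
# the preparer's keyed control total in A4 and the sheet's own batch total in A5.
APPROVED_SHEET = {
    "A1": 4200, "A2": 7100, "A3": 9950,
    "B1": '=IF(OR(A1<5000,A1>10000),"out","in")',
    "B2": '=IF(OR(A2<5000,A2>10000),"out","in")',
    "B3": '=IF(OR(A3<5000,A3>10000),"out","in")',
    "A4": 21250,
    "A5": "=SUM(A1:A3)",
}

# Constructed tampered copy: one validation formula replaced by a constant, the
# batch-total range shortened, and a data row added outside that range.
TAMPERED_SHEET = dict(APPROVED_SHEET, B2='="in"', A5="=SUM(A1:A2)", A6=15000)


def formula_manifest(sheet):
    """Formula cells only: data cells legitimately change with every run,
    formulas must not change without an approved revision."""
    return {cell: v for cell, v in sheet.items()
            if isinstance(v, str) and v.startswith("=")}


def manifest_digest(sheet):
    """SHA-256 over the sorted formula cells. Record it with the approved
    version on the repository; the preparer compares against it before use."""
    h = hashlib.sha256()
    for cell, formula in sorted(formula_manifest(sheet).items()):
        h.update(f"{cell}\t{formula}\n".encode())
    return h.hexdigest()


def formula_drift(approved, current):
    """Cell-level diff of the two manifests, for the reviewer's evidence."""
    a, c = formula_manifest(approved), formula_manifest(current)
    return {
        "added": sorted(set(c) - set(a)),
        "removed": sorted(set(a) - set(c)),
        "changed": sorted(k for k in set(a) & set(c) if a[k] != c[k]),
    }


def out_of_range(values, lo, hi):
    """Same test as =IF(OR(x<lo,x>hi),"out","in"); returns the 'out' cells."""
    return [cell for cell, v in values if v < lo or v > hi]


def batch_total_matches(values, control_total):
    """Batch total recomputed from every data cell must equal the keyed
    control total; a SUM range that missed an inserted row fails here."""
    return sum(v for _, v in values) == control_total


def foot_and_cross_foot(grid, reported_row_totals, reported_col_totals):
    """grid: rows of numbers as entered; reported_*: totals as the sheet's own
    formulas produced them. Recompute every total and confirm the grand total
    agrees both ways; returns the list of discrepancies (empty means clean)."""
    errors = []
    for i, row in enumerate(grid):
        if sum(row) != reported_row_totals[i]:
            errors.append(f"row {i + 1}: reported {reported_row_totals[i]}, recomputed {sum(row)}")
    for j, col in enumerate(zip(*grid)):
        if sum(col) != reported_col_totals[j]:
            errors.append(f"column {j + 1}: reported {reported_col_totals[j]}, recomputed {sum(col)}")
    if sum(reported_row_totals) != sum(reported_col_totals):
        errors.append("grand total does not cross-foot")
    return errors


def pre_use_review(approved, current, input_cells, lo, hi):
    """The preparer's check before populating the sheet: formulas untouched,
    inputs in range, batch total agrees with the control total keyed in A4."""
    values = [(c, current[c]) for c in input_cells if c in current]
    return {
        "formulas_intact": manifest_digest(approved) == manifest_digest(current),
        "drift": formula_drift(approved, current),
        "out_of_range": out_of_range(values, lo, hi),
        "batch_total_ok": batch_total_matches(values, current["A4"]),
    }


if __name__ == "__main__":
    print(pre_use_review(APPROVED_SHEET, APPROVED_SHEET, ["A1", "A2", "A3"], 5000, 10000))
    print(pre_use_review(APPROVED_SHEET, TAMPERED_SHEET, ["A1", "A2", "A3", "A6"], 5000, 10000))
```

The digest covers formula cells only, so a normal run that changes input data leaves it unchanged, while the tampered copy is flagged twice over: the manifest differs (cells A5 and B2), and the recomputed batch total no longer equals the control total because the shortened SUM range hides the added row. Storing the digest on the cover sheet gives the reviewer something to compare rather than a signature alone.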
Cover sheet example:

End User Computing Spreadsheet Cover Page
Name of spreadsheet (follow the standard naming convention): ________________
Date of use: ________________
Definition or purpose of the spreadsheet: ________________
Specific testing activities or reconciliations performed:
• Report deemed reliable as it is run directly from the xxx application; it is traced to and agreed with xxx control totals.
• Calculations were reproduced and verified, and the schedule was footed.
• Data input traced back to source transactions.
• Data output traced to the next step in the process (e.g., general ledger).
Conclusion: Based on the above testing, the data and information calculated and presented appear accurate.
Prepared by: Name ________________ Date ________
Reviewed and approved by: Name ________________ Date ________

The documentation and instructions must include a definition of the spreadsheet, a reference to reliable source data, instructions for preparing the data output, the formulas including the use of control totals, the data output and how it is analyzed and used, and where it is distributed.

Tips to prevent or detect spreadsheet errors follow; they should be documented when used.

• Avoid complex formulas. If a formula's purpose is not obvious, break it into smaller components. This makes errors more apparent and the spreadsheet easier to audit.
• Incorporate validation checks on data input. For example, a formula such as =IF(OR(A1<5000,A1>10000),"out","in") flags whether a value is inside a range. This reduces the number of data input errors.
• Have a batch total to check the total of the data input. Key in a control total, and have the spreadsheet calculate its own batch total underneath. This ensures all the data is in the spreadsheet before it is manipulated.
• Use formulas that foot and cross-foot when summing data.
This provides a cross-check and increases the likelihood of catching errors, including rows or columns that were inserted outside the range a formula covers.
• Do not embed subtotals and totals within large columns of data; doing so greatly increases the likelihood of errors.
• Try not to hide columns or rows. If hiding is necessary, state the purpose of the hidden columns or rows in the spreadsheet definition.
• Develop and use standard naming conventions.

The spreadsheet cover page and inventory list should contain such information as:
• Spreadsheet name and owner
• File name and path to access the spreadsheet
• Purpose of the spreadsheet
• Structure and layout, including links from other spreadsheets and data input
• Source of the input data
• Assumptions and limitations of the formulas
• Structure and layout of the data output
• Use and distribution of the output
• Preparer's name and date prepared
• Reviewer's name and date reviewed

Policy and Procedure No. B04a, Section: Internal Controls. End-User Computing – Control of Spreadsheets. Department ownership, issue/effective date, replaces previously issued: ________
Prepared by: ________ Date ________ Approved by: ________ Date ________ Authorized by: ________ Date ________

Scope
The document applies to all IDEAL LLP's legal entities, subsidiaries, and business units.

End-user computing applications and the use of spreadsheets present a significant risk exposure to the company, mainly because:
• Desk reviews by the preparer cannot be relied on to identify shortcomings or risks.
• Preparers require no special programming, analysis, or internal control knowledge to design or develop a spreadsheet.
• Spreadsheets generally have no version or access control.
• Spreadsheets may change any time they are opened.

Policy
It is IDEAL LLP's policy that spreadsheets be treated as software applications, with controls designed into the formula logic and risk assessed based on the source and use of the information provided.

Procedure
Process owners and managers are responsible for identifying the spreadsheets used within their process. Working together, process owners, information technology services, and internal control shall:
• Ascertain how many spreadsheets are in use and which are critical to the business by securing an inventory of spreadsheets and a description of their use. Capture such information as who uses each spreadsheet, for what purpose (i.e., financial or operational), and its magnitude (i.e., the dollar or volume impact of the spreadsheet).
• Assess the current level of controls protecting those spreadsheets by rating each spreadsheet according to its complexity and the magnitude of the potential risk. Classify the potential risk as high, medium, or low. Complexity is classified as light, intermediate, or advanced. Magnitude is classified as immaterial, material, or critical.
• Confirm that the spreadsheets are operating in accordance with management's intentions by testing their integrity and auditing the spreadsheet input, formulas, and output. Document the results as a baseline by tracing the input, recalculating and testing the formulas, and confirming the labeling and use of the output.
• Improve or implement a system of controls designed to protect the integrity of the spreadsheet. High- and medium-risk spreadsheets need to be protected with manual and system controls such as:
  • Automatic version control
  • Access control, with the spreadsheets residing on a central server
  • Identification and validation of changes to spreadsheet formulas or formats
  • Backup of spreadsheets to external media
  • Password protection of noninput fields (worksheet protection prevents accidental edits; it is easily removed and is not a substitute for access control on the repository)
• Document all spreadsheets as to owner and use, version, and change control, and provide instructions on the source of the input data, the formulas and processing of data, and when, where, and how output should be directed.
• Periodically test and confirm that the spreadsheets are operating effectively. Manual controls shall be tested at least quarterly for spreadsheets deemed high risk, at least semiannually for those deemed medium risk, and at least annually for those deemed low risk. Wherever possible, system controls shall be embedded into the spreadsheet, with system and control totals added for review and validation. System controls for spreadsheets shall be reviewed with each run of the spreadsheet.

Control/Areas of Responsibility
Process owners and managers are responsible for the control and use of all spreadsheets used within their process. The internal controls department shall oversee the use, inventory, and testing of spreadsheets. As with other software applications, information technology services shall create and maintain the inventory of, and access to, company-approved spreadsheets (i.e., those identified as high or medium risk).

Contact
Internal control
Information technology services

ACCOUNT RECONCILIATION PROGRAM

If there is one policy and procedure I could implement throughout all accounting and finance organizations, it would be account reconciliation. If every account went through this type of analysis, review, and monitoring, it would greatly reduce the number of "surprises" and adjustments required and increase the level of financial and reporting integrity.
Internal controls, internal audit, and external audit use account reconciliations as support and evidence of the company's control environment. They rely on account reconciliations on an individual account basis as well as a program basis in order to:
• Assist with "grave-to-cradle" risk assessments
• Identify key control objectives and actions
• Assess adherence to company policies and procedures
• Provide evidence of management review
• Validate the balance sheet account totals

As a control tool within a culture of continuous improvement, account reconciliation means that when errors, omissions, and misclassifications occur, they are corrected at the source and future recurrences become less likely. When account reconciliations are used as an analysis tool before the books are closed, this is a preventive control; when they are used after the books are closed, they are detective as well as preventive, in that they correct an inappropriate process for the next reporting cycle.

An account reconciliation program begins with defined accounts. As basic as definitions are, many companies do not have documented definitions for the accounts listed in the chart of accounts. If your company has an accounting manual, then your company is ahead of most. In this age of constant change, the accounting manual seems out of date as soon as it is populated; for communication, education, training, and control purposes, however, it is still a valued and useful tool. In today's online world, accounting manuals can and should be made available to all, to accounting and financial professionals as well as functional units. The accounting manual identifies the account hierarchy, defines the account, describes the accounting treatment for the types of journal entries that are classified to the account, and provides journal entry examples.
Additional information that may be provided includes references to accounting literature and a description of how the accounts are organized, that is, the chart of accounts and the procedures for creating, updating, and rescinding accounts. Even without an accounting manual, however, a successful account reconciliation program can be achieved.

A successful account reconciliation program improves financial integrity by reviewing and monitoring account balances for completeness, accuracy, and timeliness. The program serves:
• As evidence that accounting policies and procedures are understood and followed
• As a link between operational processing and recording transactions
• As documented evidence that the general ledger account balances are valid, appropriate, approved, and adequate
• To discover accounting errors, omissions, and misclassifications in a timely fashion
• As an analytical tool to view the company's activity and results in a different way

When reconciling items are discovered and analyzed, they point to correcting activities that may or may not require additional controls. Recurring reconciling items signal a systemic issue that must be addressed and may be corrected with:
• Training; hiring appropriate skills; providing better instruction, data, information, or tools. This is generally used to correct errors.
• Inserting checklists, system control totals, reviews, and authorization. This is generally used to correct omissions.
• Standardizing journal entry and account flow by predefining or preprogramming account classification into instructional guidance and/or systems. This may be used to correct misclassifications.

[Figure: Account reconciliation flow. Input: operational/transactional support, account definition/chart of accounts, and general ledger balances. Process: match, analyze, review, and reconcile; analyze variances due to accuracy, completeness, and timeliness. Explained variances: prepare a journal entry and continue to analyze activity. Unexplained variances: research, investigate, and document, then monitor and age. If okay for month end, prepare the reconciliation form and submit the reconciliation for management review and approval; if not, show as unreconciled. Unexplained variances greater than 90 days are written off.]

Format and Analysis Techniques

It is important to use standard formats and consistent analysis techniques when analyzing and documenting account activity. It is often useful, however, to run a parallel type of analysis to see whether a different result occurs. For example, when accounts receivable (A/R) is reconciled to the accumulated outstanding customer balances, it might be useful to analyze and reconcile the A/R general ledger closing balance to the aging report or by geographic location. Segmenting the information provides a different point of view and perhaps a different analytical result. The analysis may not identify control issues, but it may reveal risks and/or opportunities not previously visited. Presenting the information in a different format and/or analysis adds value to the review and decision-making process; follow with a parallel analysis for a few periods to bridge the change and see whether there is sustained value.

Account reconciliation presentation formats may vary, with all versions containing the general ledger account balance, the opening and closing balances, and a list of the activity that occurred during the period. Depending on the volume and type of transactional activity, the information may be organized in a variety of ways. A few format alternatives are provided.
This presentation reviews the operational impacts to identify the types of operational events that occur during the period. The benefit of this approach is that it classifies and groups the transactions into logical segments: additions and subtractions as in the example below, by geographic location, or by data source. This format is often referred to as a roll-forward analysis. This type of transactional reconciliation ensures that all the data and information that was supposed to be represented in the closing balance of the account activity has been included. The technique is very useful when there is more than one source of input; each source must also have upstream controls built into the manual and/or system processes to ensure that only valid and complete data is input into the account.

Opening balance from the general ledger
Additions as per the transactional support
Addition adjustments, which include errors, omissions, and misclassifications
Subtractions as per the transactional support
Subtraction adjustments, which include errors, omissions, and misclassifications
Closing balance as calculated from the above
Closing balance from the general ledger

If there is a difference between the closing balances, treat it as unexplained activity that requires additional investigation and review.

This presentation format asks for analysis between the opening and closing general ledger account balances. The difference should be explained by the net of the monthly transactional activity, or it may be presented in segmented detail similar to the format above. The benefit of this approach is that it ignores business-as-usual transactions and focuses on explaining unreconciled transactions. This type of transactional reconciliation matches the data directed to the account with the data that actually shows up in the account.
The account reconciliation analyst confirms that the data that is supposed to be directed to the account is appropriately coded and that the expected transactional volume and amount are recorded in the account.

Opening balance from the general ledger
Closing balance from the general ledger
Difference due to transactional activity that occurred during the period
Transactional activity grouped by category (e.g., sales activity by region, activity by asset class, activity by portfolio investment, activity by source documentation type or system feed)

If there is a difference between the transactional activities, treat it as unexplained activity that requires additional investigation and review.

Policy and Procedure No. B05a, Section: Accounting and Finance. Account Reconciliation. Department ownership, issue/effective date, replaces previously issued: ________
Prepared by: ________ Date ________ Approved by: ________ Date ________ Authorized by: ________ Date ________

Scope
The document applies to all IDEAL LLP's legal entities, subsidiaries, and business units.

Policy
It is IDEAL LLP's (Company) policy to reconcile every balance sheet (B/S) account with a closing balance greater than US$5,000 on a monthly basis, in accordance with the accounting and finance close schedule. B/S accounts with a closing balance of less than $5,000 must be reconciled at least once a quarter. These analyses and reconciliations are to be prepared and reviewed by the appropriate divisional personnel, with all analysis subject to corporate review and audit. Account reconciliations shall be forwarded for review and signoff in accordance with the Sarbanes-Oxley (SOX) narratives or the business area's respective financial designate.

Underlying detail, in the form of a subledger or schedule, must support every B/S account balance, and such detail must be reconciled to the general ledger on a monthly basis.
Any unreconciled difference must be investigated and resolved, with adjustments made in a timely manner prior to the end of the quarter. Upon completion of the investigation, any remaining unsupported balance shall be written off.

Procedure
Corporate accounting determines account ownership based on the area that has the most knowledge of and control over the account (unless internal control considerations dictate otherwise).

The B/S account balance is determined with the close of the books at each month-end. The reconciliation begins with the current year-to-date closing balance as per the general ledger.
• Review the subledger or supporting schedule to summarize the components that correspond to the general ledger balance. In some cases there may be more than one subledger to consider.
• Subtract the subledger (or other supporting document) closing balance from the general ledger closing balance to determine the difference to be reconciled.
• List the known adjustments that must be taken during the accounting period.
• Subtract the total of the known adjustments from the difference to be reconciled.
• The remaining balance is to be investigated and resolved.

The reconciliation status is identified as A, B, or C. Circle A if there are no outstanding explanations required. Circle B if there are known adjustments, and list those that will be taken during the current accounting period. Circle C if there is a remaining balance that must be further investigated, and list the actions that will be taken during the following accounting period. Unreconciled items and amounts must be tracked, aged, and monitored for clearing.

Each functional business area's controller or financial designate shall review, agree, and sign off on the reconciliation.
• Reconciliations for accounts with closing balances greater than US$1M shall be submitted to corporate accounting for additional review at the end of each quarter.
• The reconciliation shall be prepared using the standard format attached (reference exhibit).
• Account reconciliations shall be completed no later than the 10th business day.
• When summarizing the account, use the key components that represent the types of transactions flowing into the account. For example, payroll payable may have the following components: regular salaried full-time employees, regular hourly employees, temporary or partial-period employees, reimbursements, and other. Components that make up an account may mirror the plan input, the transaction sources, or areas that will aid in account analysis. It is not acceptable to simply summarize the debit and credit totals.
• For accounts that are reconciled for the first time, the opening balance must be reconciled.
• Differences between the general ledger and the subledgers or supporting documentation must be investigated and resolved in a timely, accurate manner. Recurring variances must be investigated and resolved at the root cause, as they may indicate a systemic issue. Out-of-balance situations may occur due to:
1. Natural timing differences
2. Misclassification (i.e., a journal entry to the wrong account)
3. Miscalculation (i.e., a mathematical error in determining the amount of the journal entry that was to be recorded)
4. Errors where an entry was omitted or recorded multiple times
5. Other unexplained reasons, or a combination of reasons that have not yet been identified
• Misclassifications, miscalculations, and errors of omission or duplication must be readily identified and corrected. Corrections shall take place within the following month.
• Any individual unreconciled difference greater than US$5,000 occurring at quarter-end or year-end must be disclosed to the chief accounting officer (or a designate). Every effort must be made to understand and resolve such differences in the month the error occurs. If you are not sure whether a difference should be considered material, contact corporate financial reporting to discuss and resolve the matter.
• Levels to define materiality shall be defined by the chief accounting officer (CAO) and communicated within the quarter-end and year-end instructions.
• Each month, the CAO shall receive a status of the reconciliation accounts, identifying those that have large unreconciled values (i.e., exceeding the materiality thresholds) as well as those that have long-term (level C) unexplained variances.

Control/Areas of Responsibility
The functional business area's controller or financial designate is responsible for ensuring that balance sheet accounts:
• Are accurately reconciled on a timely basis
• Accurately reflect the recording of all business transactions
• Have assets properly accounted for and expensed
• Have liabilities properly reflected and accrued for

Unreconciled amounts at the end of the quarter must be expensed. The regional controller or financial designate may approve write-offs up to $5,000, while all other write-off amounts must be approved by corporate accounting. Corporate accounting shall monitor and track the materiality and recurrence of unreconciled balances and review the status quarterly with the CAO.
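The procedure above works at the balance level: general ledger less subledger, less known adjustments, leaving the unreconciled remainder. The transactional format described earlier, matching what was directed to the account against what was actually posted, is what tells the analyst which of the out-of-balance causes listed above is at work. The script below is an added example, not the book's own material or form: it matches a constructed source feed against constructed general ledger postings, classifies each difference as an omission, a duplicate, a misclassification, or an unexplained entry, assigns the A/B/C status from the procedure, and ages open items using the flow chart's 90-day write-off point and the policy's US$5,000 regional approval limit. The account numbers, references, amounts, and dates are assumptions.

```python
"""Transactional account reconciliation: match the entries a source feed
directed to an account against the general ledger postings, classify the
differences by cause, assign the A/B/C status, and age open items.
Added example with constructed data; the (reference, account, amount) layout
of the feed and ledger rows is an assumption, not a real system's format."""
from collections import Counter
from datetime import date

# Constructed feed: rows that should have posted to account 2100.
FEED = [
    ("INV-1001", "2100", 1500),
    ("INV-1002", "2100", 2200),
    ("INV-1003", "2100", 900),
    ("INV-1004", "2100", 3100),
]
# Constructed postings: INV-1002 posted twice, INV-1003 never posted,
# INV-1004 went to account 2150, and JE-77 has no feed reference at all.
LEDGER = [
    ("INV-1001", "2100", 1500),
    ("INV-1002", "2100", 2200),
    ("INV-1002", "2100", 2200),
    ("INV-1004", "2150", 3100),
    ("JE-77", "2100", 450),
]
# Constructed open items (description, amount, first seen) and the aging date.
AS_OF = date(2008, 6, 30)
OPEN_ITEMS = [
    ("JE-77", 450, date(2008, 1, 15)),
    ("ADJ-3", 12000, date(2008, 3, 1)),
    ("ADJ-4", 300, date(2008, 5, 20)),
]


def reconcile_account(account, feed, ledger):
    """Match feed rows to postings by (reference, amount) and explain the
    GL-minus-feed difference by cause. Status follows the procedure:
    A nothing outstanding, B known adjustments only, C unexplained remainder."""
    expected = Counter((ref, amt) for ref, acct, amt in feed if acct == account)
    posted = Counter((ref, amt) for ref, acct, amt in ledger if acct == account)
    elsewhere = {(ref, amt): acct for ref, acct, amt in ledger if acct != account}

    omitted, duplicated, misclassified, unexplained = [], [], [], []
    for (ref, amt), n in expected.items():
        got = posted.get((ref, amt), 0)
        if got == 0 and (ref, amt) in elsewhere:
            misclassified.append((ref, amt, elsewhere[(ref, amt)]))
        elif got < n:
            omitted.append((ref, amt, n - got))
        elif got > n:
            duplicated.append((ref, amt, got - n))
    for (ref, amt), n in posted.items():
        if (ref, amt) not in expected:
            unexplained.append((ref, amt, n))

    feed_total = sum(amt * n for (_, amt), n in expected.items())
    gl_total = sum(amt * n for (_, amt), n in posted.items())
    difference = gl_total - feed_total
    # The findings must add up to the difference, or the matching itself is wrong.
    explained = (sum(amt * k for _, amt, k in duplicated)
                 - sum(amt * k for _, amt, k in omitted)
                 - sum(amt for _, amt, _ in misclassified)
                 + sum(amt * k for _, amt, k in unexplained))
    if unexplained:
        status = "C"
    elif omitted or duplicated or misclassified:
        status = "B"
    else:
        status = "A"
    return {"difference": difference, "explained": explained, "omitted": omitted,
            "duplicated": duplicated, "misclassified": misclassified,
            "unexplained": unexplained, "status": status}


def write_off_candidates(open_items, as_of, max_age_days=90, regional_limit=5000):
    """Items open longer than max_age_days are written off; the approver
    follows the policy's limit for the regional controller."""
    out = []
    for desc, amount, first_seen in open_items:
        if (as_of - first_seen).days > max_age_days:
            approver = "regional controller" if abs(amount) <= regional_limit else "corporate accounting"
            out.append((desc, amount, approver))
    return out


if __name__ == "__main__":
    for key, value in reconcile_account("2100", FEED, LEDGER).items():
        print(f"{key}: {value}")
    print(write_off_candidates(OPEN_ITEMS, AS_OF))
```

The `explained` total is the script's own foot: if it ever differs from `difference`, some posting was neither matched nor classified, and the reconciliation is not ready for sign-off regardless of status. Matching on reference and amount together is deliberate; matching on reference alone would hide a miscalculated amount as a clean match.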
Contact
Corporate controller
Chief accounting officer

Exhibit

Account Reconciliation for the Period Ending (date) __________
Account number: ________ Account name: ________ Owner of the account: ________ Reconciliation prepared by: ________
Reconciliation status (circle one):
A) Balanced with no outstanding explanations
B) Balanced with known adjustments to be taken
C) Not balanced with investigative actions to be taken
Actions: 1) ________ 2) ________ 3) ________
Reviewer's signature ________ Date ________
Second-level signature ________ Date ________

Balance per subledgers or supporting schedule: $xxx,xxx
Reconciling items (add or subtract known adjustments), by month: $xx,xxx
Total known adjustments to be taken: $xx,xxx
Unreconciled balance (aged and investigated): $xx,xxx
Balance per general ledger: $xxx,xxx

In accordance with the Policy, forward to corporate accounting with a summary of the supporting documentation.

QUARTERLY SUBCERTIFICATION PROGRAM

The quarterly subcertification program demonstrates completion of the governance journey by linking the big-G Governance requirements of the Sarbanes-Oxley Act and the Securities and Exchange Commission (SEC) to this little-g governance program. Even if you are not required to prepare quarterly submissions to the SEC, this program is a powerful way to confirm that all parts of the organization are aligned, covered, and prepared for internal control testing.
OVERVIEW

The purpose of the quarterly subcertification program is to support the policy that all disclosures made by the company be accurate and complete and fairly present the company's financial condition and results of operations, in compliance with applicable laws and stock exchange requirements. Since the chief executive officer (CEO) and chief financial officer (CFO) do not have intimate knowledge of all business processes and of all information presented in the financial statements and related SEC filings, the purpose of the quarterly subcertification process is to ensure that the information required to be disclosed for external financial reporting purposes is accumulated and communicated to the company's management, as appropriate, to allow timely decisions regarding required disclosure.

The following is taken from section 302 of the Sarbanes-Oxley Act of 2002 (SOX), which requires a public company's principal executive officer (CEO) and principal financial officer (CFO) to personally certify, with each 10-Q and 10-K filing, that:
(1) the signing officer has reviewed the report;
(2) based on the officer's knowledge, the report does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading;
(3) based on such officer's knowledge, the financial statements, and other financial information included in the report, fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report;
(4) the signing officers: (A) are responsible for establishing and maintaining internal controls; (B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared; (C) have evaluated the effectiveness of the issuer's internal controls as of a date within 90 days prior to the report; and (D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;
(5) the signing officers have disclosed to the issuer's auditors and the audit committee of the board of directors (or persons fulfilling the equivalent function): (A) all significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls; and (B) any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls; and
(6) the signing officers have indicated in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.

This program was developed to assist the CEO and CFO with their certification. Since the CEO and CFO do not have intimate knowledge of all business processes, data, and information presented in the financial statements and related SEC filings, they invite select employees to subcertify that the data and information provided by their areas of responsibility are in accordance with the SOX and SEC governance requirements. The quarterly subcertification program is established to oversee this process.
MATRIX AND LETTER

There are two major inputs to the quarterly subcertification program:

1) The process owner matrix (matrix), identifying the positions and individuals that are required to certify to the quarterly subcertification letter. The objective is to identify those who are responsible for knowing the details required for certification.
2) The management representation letter and its various components (letter), indicating the certification statements.

Note to reader: The examples of organization structure and the descriptions of functional responsibility will vary from company to company.

1) Matrix

The matrix is a list of the company's processes and identifies an executive owner, a process owner, and the process owner's financial and legal counterparts. If the processes are not centralized with a global owner, then regional process owners and their support must also be listed.

The first part of the matrix is the list of processes. It is important that someone versed in organizational development and process management review this list to ensure that the company is organized in an effective and efficient manner. Processes are generally grouped according to a process hierarchy, with the matrix containing the list of all relevant processes. For a company that has not thought about its process flow, this is an important exercise that will highlight how the various functions interact with each other.

When I visit a company for the first time, I ask them to tell me about themselves. How they respond tells me a lot about what is important and how they are organized. Process-driven companies begin by telling me how they produce and deliver goods and services to customers.
When preparing this matrix for the first time, it is not unusual to find that there are:

• Processes listed that do not belong as separate and distinct but rather should be organized within a different functional group; for example, the shipping of product for sales may be organized under operations and perhaps would be better suited within supply chain management.
• Processes missing from the list; for example, goods receipting might be handled by the facilities function and would be better represented as a stand-alone process or included within inventory management.

As the matrix is prepared, it should become obvious where there are operational risks and opportunities due to the way the company is organized. These observations become opportunities for improvement.

The next step is to identify owners for each of the cells within the matrix. The process ownership role is essential in defining and running the company with purpose. A process owner is someone who has extensive knowledge in executing and managing the operational tasks. Remember that you are looking to name someone who has intimate knowledge of the process, data, and information as it will ultimately appear in reporting documents.

In my experience, first-time preparers of the matrix are often surprised that:

• They can't fill in names for the positions, meaning there are gaps in process coverage.
• There is a mismatch of talent to process, meaning that process owners must have the appropriate level of subject matter expertise and authority.
• One person is responsible for multiple processes, meaning that a working process owner needs to be assigned or recognized.

When filling in the names of process owners, ownership must also be identified for their accounting and legal support. We highlight the accounting and legal areas because these functions should have detailed knowledge of the process, regulations, and results in order to advise the CEO and CFO as to certification. Some organizations may want to expand the matrix to include human resources and information technology support.

Ensure that the rank of the process within the process hierarchy has an employee of commensurate rank as process owner and support. In other words, you don't want to have a junior manager in charge of a process that is critical to the success of the company.

Sample matrix (columns: Function or Process; Executive Sponsor; Business / Process Owner; Financial Controller / Designate; Legal Support). Each row is completed with names by position:

Function or Process                          Executive Sponsor   Business / Process Owner   Financial Controller / Designate   Legal Support
Product Management                           ________            ________                   ________                           ________
Sales                                        ________            ________                   ________                           ________
Marketing                                    ________            ________                   ________                           ________
Administration/Operations                    ________            ________                   ________                           ________
Human Resources                              ________            ________                   ________                           ________
Information Technology/Information Systems   ________            ________                   ________                           ________
Accounting and Finance                       ________            ________                   ________                           ________
Compliance                                   ________            ________                   ________                           ________
Legal                                        ________            ________                   ________                           ________

Process owners must have the authority and accountability to implement and execute a process with effectiveness and efficiency in order to satisfy company goals and objectives. Process owners may have specific responsibility to:

• Provide strategic, tactical, and operational direction for an effective and efficient set of related tasks.
• Use data, information, and competitive comparisons to improve process performance.
• Provide leadership in managing functional and cross-functional teams, ensuring that individuals have the appropriate level of knowledge, skill, and authority required to perform the job.
• Communicate and report results upstream to senior management and downstream to the team.

Because of the nature of the SOX certification, a process owner's accounting and legal support are also called upon to render an opinion on the state of the process. Note that within the accounting, finance, and legal functions, there are processes that also require a business process owner, an accounting/finance representative, and a legal designate.
Each quarter, the matrix is updated to reflect changes in position, organizational structure, and responsibility. Since the CEO and CFO must certify, senior management may request that additional employees be included if they have, or may have, data and information which is in scope for the subcertification process.

Steps to Customize the Matrix

The process list will vary based on such considerations as the type of industry you are in or the grouping of processes by your organizational structure. To customize the matrix:

• Determine the processes and subprocesses that define your business.
• Identify the executive sponsor and the business or functional operational process owner by name.
• List in the detail where individual process owners have the authority and accountability to execute and implement process management.
• For each process, identify its accounting and finance support.
• For each process, identify its legal support.
• Add columns if process owner responsibilities differ by geographic region.

Following are examples of subprocesses that support the functional areas listed.
Product Management
• Research and Development
• Engineering
• Manufacturing
• Production
• Inventory Management/Supply Chain
• Distribution/Logistics
• Intellectual Property
• Royalty
• Quality Assurance
• Strategic Integration and Business Development

Sales
• Sales Administration
• Sales Operations
• Commissions
• Presales Support
• Postsales Technical Support

Marketing
• Branding, Trademarks
• Competitive Intelligence
• Product Marketing
• Field Marketing
• Promotions, Trade Shows, Events, Sponsorships
• Contributions, Donations
• Communication

Administration/Operations
• Procurement
• Corporate Communication
• Import/Export
• Occupational and Environmental Health and Safety
• Real Estate and Facilities

Human Resources
• Recruiting, Hiring
• Compensation
• Benefits, Tuition Reimbursement, Leaves
• Assignments
• Postretirement
• Learning, Education, and Training
• Employee/Internal Communication

Information Technology/Information Systems
• Master Data
• Information Handling
• Access
• Privacy
• Network Management

Accounting and Finance
• Accounts Payable
• Accounts Receivable
• Consolidation
• Equity Compensation
• Financial or External Reporting
• Financial Planning and Analysis
• Fixed Assets, Property, Plant and Equipment, Long-Lived Assets
• General Ledger
• Payroll
• Tax
• Treasury

Compliance
• Business Continuity
• Insurance and Risk Management
• Internal Audit
• Internal Controls
• Investor Relations
• Records Information Management

Legal
• Contracts
• Government and Public Relations
• Litigation

The matrix is used to identify who should receive the letter.

2) Letter

The letter is a combination of various components used to collect information and comments from selected employees. This information is used to satisfy and support statements submitted to big G Governance. The submission and related statements apply to internal control over financial reporting (ICOFR) regulations. The objective of the letter is to hold those closest to the process accountable for the management of that process, including the data, information, and disclosures about transactional processing, the control environment, and current and potential risks.

Attached to the invitation from the CEO/CFO to participate in the quarterly subcertification process, the letter contains the following sections:

A) Management letter that supports the financial data and operational processes. All invitees are asked to complete this section of the letter.
B) Specifically for 302 (financial) subcertification. Section B is required to be completed by those responsible for approving transactions that are ultimately reflected within the financial statements and those who contribute to management discussion and analysis (MD&A) or provide input for disclosure statements.
C) Specifically for 404 (internal control) subcertification. Section C is required to be completed by those responsible for designing, implementing, or overseeing the process; once completed, it must be forwarded as part of the response.

Depending on their role and participation in the company's operational and financial processes, individuals may have to complete some or all sections. For ease in following up with respondents, there should be three separate distribution lists: those who are required to complete sections A, B, and C; A and B only; and A and C only.

Each quarter, the letter is updated to reflect changes in the scope for responding to big G Governance requirements, organizational structure, and responsibility. A sample letter with all of its attachments follows. Highlighted areas must be completed by the person certifying to the quarterly subcertification.

Schedule

The timeline for completing the required tasks begins with the end date (i.e., the date for submission to the SEC).
Working backward, other tasks include reviews of the 10K/10Q and the related certifications with the board of directors, audit committee, executive team, and the financial reporting team. After each of these reviews, there may be additional comments that require resolution. In order to prepare for these reviews, the Internal Controls function must address all comments received, either by resolving that they have already been reflected in the financial statements and/or MD&A or by confirming that they are included within other disclosures.

A suggested timeline for completing the required tasks might include the following. Business day 0 represents the date that the submission to the SEC for the 10Q/10K is planned.

Tasks                                                                          Business Days
Submission to the SEC                                                            0
Review with the board of directors                                              -2
Review with the audit committee                                                 -3
Review with internal control over financial reporting (ICOFR) committee or team -4
Responses due from those completing sections A, B, and C and A and B            -7
Distribute draft 10Q/10K to subcertifiers                                      -10
Responses due from those completing sections A and C                           -14
Training for first-time subcertifiers                                          -18
Invitation from CFO with letter and matrix sent to subcertifiers               -20
Approved matrix and letter finalized                                           -20

Once the matrix and the letter are prepared, representatives from internal controls, financial reporting, legal, compliance, and senior management review and approve the package to be distributed and the response timeline. These representatives are also known as the ICOFR committee or team.

It's important to note that the letter is a personal certification, and to assist preparers with understanding what that means, they are asked to attend training. A training presentation is included as part of this program. Customize and deliver it for all first-time subcertifiers and those who want to learn more about the subcertification process.

Following is a suggested process flow for completing the matrix and letter and sending the package to each of the executive sponsors, program owners, accounting, and legal staff identified on the matrix.

[Process flow diagram: Internal Controls updates the matrix (inputs: previous matrix; list of process owners and support; management discretion/input) to produce the updated distribution list and matrix. Internal Controls updates the letter (inputs: current letter; regulatory wording for 302 and 404; management discretion/input); the Financial Reporting review team reviews the updated letter. Representatives from Internal Control, Financial Reporting, Legal, Compliance, and Senior Management approve the matrix and letter. The CFO sends the letter to the business area, process owner, and accounting and legal support.]

Once the letter and the package are received by the process owner, accounting, and legal support, they conduct a level of due diligence that provides them with enough comfort to address the certification statements. In well-run companies, this due diligence occurs throughout the quarter and is not just a quarter-end exercise. Since the process owners are responsible for managing their processes, presumably there are no surprises.

Process owners may decide to retain a running list of financial reporting and internal control weaknesses and opportunities that they remediate throughout the quarter. Not everything on this list is material enough to be listed as a comment within the letter; however, everything on the list should be worked on. If the process owner or others are in doubt as to what to report or not report in the letter, they should be encouraged to contact their internal controls and/or financial reporting representative.
[Process flow diagram: Letter received by business area, process owner, accounting and legal support. Determine approach for responding (based on business process ownership, subject matter experts, lines of responsibility): due diligence review; cascade letters; reconcile input provided to the 10Q/10K draft; validate backup to transactional input and activity reports. Are there local issues that require follow-up? If yes: document, monitor, and test; document and close the finding. If no: review findings and prepare response to letter. Sign and submit letter to Internal Controls.]

As internal controls receives input from the process owners and their support, they must respond to every comment to ensure the comments have been reflected in the financial statements and/or disclosed. Depending on the volume and type of comments received, internal controls may decide to keep track of the comments manually, within an Excel spreadsheet, or as part of the internal controls software application that tracks controls and compliance-related issues.

Unresolved comments received from section A may require either remediation or an immediate change to the financial statements; comments from section C require remediation; while unresolved comments received from section B require an immediate change to the financial statements and/or disclosure before the 10Q/10K can be filed.

As deadlines are reached, the internal controls program manager prepares a status report and distributes it to the ICOFR team for action. Since time is of the essence, it is helpful if each of the groups decides ahead of time what types of comments it will follow up on. The status report may include details segmented by process, region, or type of issue. The types of issues may be classified as (a) adequately disclosed and closed, (b) no ICOFR impact and closed, (c) remains open and requires additional investigation or review to determine ICOFR impact, and (d) an "other" category. For those items that remain open, the type and amount of the potential impact to the financial statements for the quarter must be estimated.

[Process flow diagram: Signed letters are received; Internal Controls reconciles and follows up on unreturned letters. Internal Controls assesses and classifies comments and prepares and distributes the status report. Comments from sections A and C go to the remediation process; comments from sections A and B go to the change or disclosure process; comments where no action is required go to the internal controls database. In all cases, update documentation and the internal controls database.]

The remediation process is discussed elsewhere in this manual; process items identified must be considered as part of the risk assessment and part of the internal control posture. Material weaknesses and significant deficiencies unresolved prior to quarter-end must be disclosed with the submission to the SEC. Once all the comments have been addressed, internal controls submits the internal control posture statements for inclusion in the 10Q/10K and submits its report to the CFO, CEO, and external auditors.

In order to improve the effectiveness and efficiency of the internal control process, after the 10Q/10K is filed, the internal controls program manager assesses and evaluates the program for process improvements, remembering to ask for feedback from those who provided input to preparing the matrix, letter, and comments as well as those who had to remediate open comments prior to SEC submission.

The quarterly subcertification program and process is a commanding tool and technique used to bring together the elements of governance, risk, oversight, documentation, and internal control.
Following is the letter and the section C questionnaire.

Date:
To: Distribution List
From: Chief Financial Officer
Subject: Quarterly Subcertification Letter

In accordance with Securities and Exchange Commission (SEC) regulations, the chief executive officer (CEO) and the chief financial officer (CFO) are required to sign the quarterly certification letter (letter). Since they do not have intimate knowledge of all business processes or of all information presented in the financial statements and related SEC filings, selected employees who have knowledge of financial and business issues across the company are asked to certify that the information provided from their areas of responsibility is complete, accurate, and conforms to the company's code of conduct, policies, procedures, and internal controls.

You have been identified as one of these selected employees based on line of sight; that is, you have sufficient authority and visibility into your operational or functional area, and together the selected employees provide coverage for all business areas. You are asked to review, comment on, and sign the following letter. Based on your line of sight, you are asked to attest to some or all of the sections. The letter contains three sections:

A) Management representation letter
B) Sarbanes-Oxley 302 disclosure subcertification
C) Sarbanes-Oxley 404 subcertification

To assist, attached are:

• Matrix and distribution list identifying the A, B, C sections that apply to you
• 404 Questionnaire, for those asked to complete section C. This must be returned whether the internal control posture has changed or not.

For those who have to respond to section B, the draft 10Q/10K will be forwarded as it becomes available to enable you to complete the section. Training is available for first-time subcertifiers and those who want to learn more about the subcertification process.

In order to complete your response, you must perform an appropriate level of due diligence. Suggested approaches include internal control reviews and testing, monitoring and analyzing process performance and internal control data, and/or further cascading the letter through your organization.

Fill in the highlighted areas; add comments where appropriate; sign and handwrite the date. Fax or scan the signed letter, then e-mail the scanned copy of the letter and the completed 404 questionnaire to Internal Controls at ________. If you are unavailable during this time, you must have a written delegation of authority to an appropriate-level employee forwarded to internal controls prior to the return date.

Please submit the signed letter no later than ________. You may contact the internal controls team for additional information or questions. We expect 100 percent compliance.

I appreciate your urgent attention to this matter. Thank you for your cooperation and assistance.

Chief Financial Officer

Re: Quarterly subcertification letter for the quarter period ending ________

I confirm, to the best of my knowledge and in the acting capacity of my responsibilities, the following representations regarding the financial information provided to the company as of and for the quarter period ending as stated above. My representations are based on the execution of standard disclosure controls and procedures, review for adequacy of internal controls over financial reporting and appropriate documentation supporting significant or unusual items and accounting adjustments, inquiry of key operating and financial personnel, and other evaluation procedures I consider necessary to collect and disclose, in a timely manner, information required to be recorded or disclosed in our financial information.
To the best of my knowledge and belief, I representing confi rm the following: A) Representation of Financial Data and Business Practices 1. In accordance with the company’s code of conduct and in my role, the fi nancial data provided to the accounting and fi nance departments and our external auditors is inclusive of all relevant information, is true and accurate, and is prepared in conformity with U.S. generally accepted accounting principles (U.S. GAAP) and the com- pany’s policies and procedures. The data fairly presents in all material respects the fi nancial position, results of operations, and cash fl ows of my area of responsibility. 2. I am not aware of any accounts, transactions, or agreements not authorized or properly recorded in the fi nancial records underlying the fi nancial information provided or that is not in accordance with the company’s policies in all material respects. 3. I have no knowledge of any violations of laws or regulations with regard to the company’s business practices and specifi cally those defi ned in the United States Foreign Corrupt Practices Act (FCPA) of 1977 or the com- pany’s anti-bribery policy. I am not aware of (a) any fraud as defi ned in Note 1 (below) involving management or employees, (b) any violations of laws or regulations whose effects have not been considered for disclosure in the fi nancial information provided or as a basis of recording a loss contingency, (c) any communications from regulatory agencies concerning noncompliance with or defi ciencies in fi nancial information provided, or (d) any failure to comply with contractual agreements where such failure would have a material effect on the fi nancial information provided. 4. We have not entered into any agreements not in the ordinary course of business, nor have any other matters or occurrences come to my attention up to the present time that would materially affect the interim fi nancial information provided for the period covered. 5. 
I understand that, although I am not expected to have knowledge in relation to areas for which I am not respon- sible, this certifi cation relates to any knowledge that I in fact have about the company. 6. I am aware of no other liabilities, loss contingencies or guarantees, whether written or oral, that have not been accrued. All accrued balances are appropriately supported. 7. I am aware of no material transactions that have not been properly recorded in the accounting records. Furthermore, no material events have occurred subsequent to the period covered in this representation letter that have not been appropriately disclosed but prior to the release of the company’s 10Q/10K. With respect to the period between the date of this letter and the date the Form 10Q/10K is fi led, communication of any mate- rial changes since the date of this representation letter must be provided to the CFO’s offi ce immediately. B06.indd 116B06.indd 116 8/25/08 2:04:22 PM8/25/08 2:04:22 PM Internal Use Only INTERNAL CONTROL PROGRAM 117 8. To the best of my knowledge, the company has satisfactory title to all owned assets, there are no liens or encum- brances on such assets, nor has any asset been pledged as collateral and the carrying amounts of all material assets will be recoverable. 9. Accounts receivable represent valid claims against debtors for sales or other charges arising on or before the last day of the month and appropriate provisions have been made for losses that may be sustained on uncollect- ible receivables. 10. All sales agreements recorded are fi nal and there are no side letters or concessions which would alter the original terms of the contract. Revenue recognized has been modifi ed to the extent appropriate when right of return, price protection, or other signifi cant future obligations exist under the terms of the sales arrangements. 11. 
If I manage inventory, provisions have been made, where necessary, for losses sustained in the fulfi llment or inability to fulfi ll any sales commitments, losses resulting from purchase commitments for inventory, or losses resulting from reduction of inventory values. 12. If I manage investments, provisions have been made, where necessary, for losses sustained as a result of other- than-temporary declines in the fair value of investments. 13. I sign this certifi cation without qualifi cation, except as may be indicated below: __________________________________________________________________________________ __________________________________________________________________________________ __________________________________________________________________________________ __________________________________________________________________________________ Note 1. The term fraud includes misstatements arising from fraudulent fi nancial reporting and misstatements arising from misappropriation of assets. Misstatements arising from fraudulent fi nancial reporting are intentional misstatements, or omissions of amounts or disclosures in fi nancial statements to deceive fi nancial statement users. Misstatements arising from misappropriation of assets involve the theft of an entity’s assets where the effect of the theft causes the entity’s fi nancial statement not to be fairly presented. B) For Financial Statement Subcertifi ers (302 Disclosure Subcertifi cation) 14. I have reviewed the relevant sections of the draft quarterly report on Form 10Q/10K for the quarter ended (the quarterly report) that is to be fi led with the SEC based on my area of responsibility and any other materials I believe to be relevant in providing this certifi cation. 
In connection with preparation and/or review of the quar- terly report, I have provided or caused to be provided for consideration for inclusion in the quarterly report all information that I believe may be material for purposes of disclosure in the quarterly report. To the best of my knowledge, the quarterly report does not contain any material misrepresentations or omit a material fact neces- sary to make the statements in the quarterly report not misleading. 15. I understand that should any material events that could change the representations made above occur between the date of this letter and the date that the quarterly report is fi led with the SEC, it is my responsibility to notify the CFO and internal controls, in writing, of the nature of such events immediately. 16. I understand that the CEO, CFO, and the company’s offi cers shall rely on this certifi cation to support their evaluation concerning the effectiveness of the company’s disclosure controls and procedures. 17. I sign this certifi cation without qualifi cation, except as may be indicated below: __________________________________________________________________________________ __________________________________________________________________________________ __________________________________________________________________________________ __________________________________________________________________________________ B06.indd 117B06.indd 117 8/25/08 2:04:22 PM8/25/08 2:04:22 PM Internal Use Only 118 PROCEDURE B06 C) 404 Subcertifi cation 18. I am responsible for establishing and maintaining adequate internal controls in my area of responsibility (as defi ned above) to provide reasonable assurance regarding the reliability of fi nancial reporting and the prep- aration of fi nancial statements for external purposes in accordance with generally accepted accounting princi- ples. 
The assertions made in this subcertifi cation are to report changes to internal controls that have occurred during the quarter. 19. In connection with the overall maintenance of internal control over fi nancial reporting, and monitoring of changes in internal controls therein, I assert that, I have completed, or reviewed the completed 404 Internal Control Questionnaire (Questionnaire) for my area of responsibility. 20. I, along with the Company’s senior management, continue to communicate to employees, management’s own- ership for internal controls and to reinforce the company’s commitment at all levels to the ongoing maintenance of an appropriately controlled environment. 21. I have received satisfactory answers to any questions I have raised (or have knowledge that were raised) that could have a potential fi nancial statement impact or that could require disclosure in the fi nancial statements except as noted below: __________________________________________________________________________________ __________________________________________________________________________________ __________________________________________________________________________________ 22. I sign this subcertifi cation without qualifi cation, except as indicated below: __________________________________________________________________________________ __________________________________________________________________________________ __________________________________________________________________________________ Quarterly Subcertifi cation I have reviewed the following sections (identify the sections that refer to you with a check- mark) with due diligence as these sections relate to and unless otherwise noted in the specifi ed item numbers, I confi rm that to the best of my knowledge I am in compliance. 
[ ] A) Representation of Financial Data and Business Practices
[ ] B) Financial Statement Subcertifiers (302 disclosure)
[ ] C) Internal Control Subcertification (404 certification)

I understand that the CEO and CFO will rely on this subcertification to support the company’s disclosure requirement to report material changes to the company’s internal control over financial reporting for the quarter ended.

Signature: ____________________________    Print Signature: ___________________________________
Title: ____________________________    Date of Representation (handwrite date): ____________________________

QUARTERLY SUBCERTIFICATION SECTION 404 QUESTIONNAIRE

For all those required to complete section C of the quarterly subcertification, complete this questionnaire and forward it to internal controls as part of the certification letter submission.

I, __________, am responsible for establishing and maintaining adequate internal controls over financial reporting in my process area of responsibility <insert process>. To the best of my knowledge, I confirm the following (answer Yes/No and add comments for each question):

1. Have there been any new or significant changes to information technology systems for the area?
2. Has there been any significant modification to processes (e.g., reengineering)?
3. Were there any significant changes to roles and responsibilities within the area (e.g., changes to key management, staffing, turnovers)?
4. Has the company acquired an entity or integrated a process that would affect the internal control environment or activities?
5. Has the company divested an entity in whole or part, or outsourced a process in whole or part?
6. Have new business risks and/or changes to existing business risks been identified that would affect the internal control environment or activities?
7. Have there been any process changes resulting from implementing new policies or procedures within the area?
8. Have there been any regulatory changes that have had or will have an impact on the internal control status?
9. Have there been any changes to customer, employee, or vendor contracts that would have or will have an impact on the internal control status?
10. Has there been, or are you expecting, any changes or potential changes that could have an impact on the internal control status not otherwise addressed within this questionnaire?

If you respond “yes” to any of the above questions, provide a detailed description of the change and indicate whether the change has been reviewed, tested, and approved by internal controls.

PROCEDURE B06A

Prepared by:          Approved by:          Authorized by:
Date                  Date                  Date

Scope

The document applies to all IDEAL LLP’s legal entities, subsidiaries and business units.

Policy

It is IDEAL, LLP’s (company) policy that selected business area managers and process owners, as well as their financial and legal counterparts, are responsible for providing a subcertification to the chief executive officer (CEO) and chief financial officer (CFO) on a quarterly basis. The subcertification asks individuals to certify that the information provided from their areas of responsibility is complete, accurate and conforms to the company’s code of conduct, policies, procedures, and internal controls.

Representatives from the company’s internal controls, financial reporting, legal, and compliance departments oversee this policy and approve the details of this program, including but not limited to the distribution list (also known as the matrix) and the preparation of the letter (also known as the quarterly subcertification letter). The internal controls department is responsible for the execution, monitoring, and tracking of the components of this program.
Procedure

Each quarter, the internal controls program manager updates the process owner matrix (matrix), which produces the distribution list of those who are required to subcertify the various sections of the quarterly subcertification letter (letter). The letter is reviewed and updated according to changes in regulations or management emphasis. The letter is made up of three sections:

A) Management letter that supports the financial data and operational processes. All invitees are asked to complete this section of the letter.

B) Specifically for 302 (financial) subcertification. Section B is required to be completed by those responsible for approving transactions which are ultimately reflected within the financial statements, those who contribute to management discussion and analysis (MD&A), or those who provide input for disclosure statements.

C) Specifically for 404 (internal control) subcertification. Section C is required to be completed by those responsible for designing, implementing, or overseeing the process; once completed, it must be forwarded as part of the response.

Policy and Procedure
Procedure No. B06a
Section: Corporate
Page 1 of 2
Quarterly Subcertification
Department Ownership
Issue/Effective Date:
Replaces previously issued

The quarterly subcertification package includes the invitation from the chief financial officer to participate, the matrix, the letter, and the 404 questionnaire.

The recipients of the letter shall conduct due diligence reviews or further cascade the letter through their organizational area of responsibility. They must document the approach they use to subcertify, and they must retain related documentation to support their comments and certification. Recipients shall conduct reviews to a degree that will satisfy the claims to be made within the letter (e.g., accurate and complete).
Exceptions or deviations (also called issues or findings) from the representations must be identified within the space provided within the letter. Once received, the issues or findings are evaluated and assessed to determine: (1) if they are immaterial and considered a local issue to remediate, (2) if they are cross-referenced to other issues or findings previously identified and currently under remediation, (3) if they are new to the issue and findings list. Once categorized, the issues/findings are logged into the internal control database for monitoring and tracking.

All issues and findings are evaluated and assessed as to whether they require a change to and/or disclosure in the current quarter 10Q or 10K submission. Findings and issues are reviewed with internal controls, financial reporting, legal, and compliance prior to review with senior management, the audit committee, and the board of directors.

Control/Areas of Responsibility

Compliance with this policy is the responsibility of each functional area’s executive manager and controller. Business areas or processes that have comments and/or have identified areas with weak internal controls must be investigated, monitored, and resolved.

Internal control monitors the timely submission of the letters and will follow up on all open items.

Internal controls, financial reporting, legal, and compliance review the comments and outstanding items to determine the completeness and accuracy of the financial statement presentation and SEC filings. Business areas or processes that have comments and/or have identified areas with weak internal controls must be investigated, monitored, and resolved prior to submission to the SEC.

Contact

• Internal Control Program Manager
• Chief Financial Officer

Policy and Procedure
Procedure No. B06a
Section: Corporate
Page 2 of 2
Quarterly Subcertification
Department Ownership
Issue/Effective Date:
Replaces previously issued

PROCEDURE B06B

QUARTERLY SUBCERTIFICATION - MATRIX

Instruction

The first part of the matrix is the list of processes. It is important that someone versed in organizational development and process management review this list to ensure the company is organized in an effective and efficient manner. Processes are generally grouped according to a process hierarchy, with the matrix containing the list of all relevant processes. For a company that has not thought about its process flow, this is an important exercise which will highlight how the various functions interact with each other.

When I visit a company for the first time, I ask them to tell me about themselves. How they respond tells me a lot about what is important and how they are organized. Process driven companies begin by telling me how they produce and deliver goods and services to customers.

When preparing this matrix for the first time, it is not unusual to find that there are:

• Processes listed which do not belong as separate and distinct processes but rather should be organized within a different functional group. For example, the shipping of product for sales may be organized under Operations and perhaps would be better suited within supply chain management.
• Processes missing from the list. For example, goods receipting might be handled by the facilities function and would be better represented as a stand-alone process or included within inventory management.

As the matrix is prepared, it should become obvious where there are operational risks and opportunities due to the way the company is organized. These observations become opportunities for improvement.

The next step is to identify owners for each of the cells within the matrix.
The process ownership role is essential in defining and running the company with purpose. A process owner is someone who has extensive knowledge in executing and managing the operational tasks. Remember that you are looking to name someone who has the intimate knowledge of the process, data and information as it will ultimately appear in reporting documents.

In my experience, first time preparers of the matrix are often surprised that:

• They can’t fill in names for the positions, meaning there are gaps in process coverage.
• There is a mismatch of talent to process, meaning that process owners must have the appropriate level of subject matter expertise and authority.
• One person is responsible for multiple processes, meaning that a working process owner needs to be assigned or recognized.

When filling in the names of process owners, ownership must also be identified for their accounting and legal support. We highlight accounting and legal areas because these functions should have the detailed knowledge of the process, regulations and results in order to advise the CEO and CFO as to certification. For some organizations, you may want to expand the matrix to include human resources and information technology support.

Ensure that the rank of the process within the process hierarchy has an employee of commensurate rank as process owner and support. In other words, you don’t want to have a junior manager in charge of a process which is critical to the success of the company.

Process owners must have the authority and accountability to implement and execute a process with effectiveness and efficiency in order to satisfy company goals and objectives. Process owners may have specific responsibility to:

• Provide strategic, tactical and operational direction for an effective and efficient set of related tasks.
• Use data, information, and competitive comparisons to improve process performance.
• Provide leadership in managing functional and cross-functional teams, ensuring individuals have the appropriate level of knowledge, skill and authority required to perform the job.
• Communicate and report results upstream to senior management and downstream to the team.

Because of the nature of the SOX certification, a process owner’s accounting and legal support are also called upon to render an opinion on the state of the process. Note that within accounting, finance and legal functions there are processes which also require a business process owner, an accounting/finance representative as well as a legal designate.

Each quarter the matrix is updated to reflect changes in position, organizational structure and responsibility. Since the CEO and CFO must certify, senior management may request additional employees be included if they have or may have data and information which is in scope to the subcertification process.

PROCEDURE B06C

QUARTERLY FINANCIAL SUBCERTIFICATION TRAINING FOR FIRST-TIME SUBCERTIFIERS

Note to Readers and Presenters: PowerPoint slides may be downloaded via the URL.

Following are the slides and notes for presenters to conduct awareness training for first time quarterly subcertifiers. Notes for presenters are advice on how to present the slide or additional information in support of the bullets identified on the slide. The presenter must be thoroughly familiar with the quarterly subcertification process and what is required. It is often wise to have representatives from internal controls, legal and finance as well as others from the internal control over financial reporting team.
Slide: Agenda

• Overview
• Certification Process
• Letter is made up of sections:
  • Representation of Financial Data and Business Practices
  • 302 Disclosure Subcertification
  • 404 Internal Control Subcertification
• Deadlines and applying the rules
• Materiality
• Due diligence

Slide: Program Objectives

The effort is focused on designing and implementing a company-wide, integrated, bottom-up approach to these processes.

Objectives:

• Cover all types of disclosures (i.e., operational, financial, regulatory) across all business units and geographic areas.
• Develop the tools necessary to identify, track, and elevate disclosure issues.
• Create a calendar for the primary disclosure vehicles.
• Institutionalize the disclosure process to provide consistency across disclosure cycles.

Note for Presenters: In response to the new requirements enacted by Congress and the Securities and Exchange Commission (SEC), the company is enhancing the disclosure and certification processes. The effort is focused on designing and implementing a company-wide, integrated, bottom-up approach to these processes.

Objectives:

• Design, document and implement a company-wide, integrated, bottom-up approach to the disclosure process, leveraging current internal efforts already underway and incorporating existing disclosure processes already in place.
• Clarify roles and responsibilities in the disclosure and subcertification processes, and accountabilities to cover all types of disclosures (i.e., operational, financial, regulatory) across all business units and geographic areas.
• Develop the tools necessary to identify, track, and elevate disclosure issues, such as checklists of key considerations for subcertifiers and disclosure guidelines.
• Create a calendar for the primary disclosure vehicles (10Q, 10K, press releases, etc.) to identify timing and ownership of discrete processes.
• Institutionalize the disclosure process to provide consistency across disclosure cycles.

Slide: Certification Summary

As a public company, IDEAL, LLP, operates under the scrutiny of numerous regulatory bodies. Regulations are designed to strengthen corporate governance and restore investor confidence. Certification is made for the following:

A) Representation of Financial Data and Business Practices ensures that financial data is complete and accurate.
B) Section 302 of the Sarbanes-Oxley Act makes the CEO and CFO personally responsible for the disclosures made in filings.
C) Section 404 of the Sarbanes-Oxley Act assigns ownership to the CEO and CFO to define ongoing oversight.

Slide: Subcertification Summary

Since the CEO/CFO do not have intimate knowledge of all business processes, and in order to assign responsibility and accountability and have comfort that the information presented in the financial statements and SEC filings is complete and accurate, they require selected employees to also sign/attest.

Individuals invited to subcertify are chosen based on:

• Line of Sight
• Provide Oversight
• Coverage

Note for Presenters:

• Line of Sight: Subcertifiers should be individuals with sufficient authority and line of sight to the operational or functional area.
• Provide Oversight: Subcertifiers should be individuals who provide oversight for control activities at their operational and/or geographic area of responsibility and who have reporting staff with direct internal control over financial reporting responsibilities.
• Coverage: Complete coverage of all business areas.
Slide: Assigning Ownership for Subcertification

Methodology: Cascading approach based on line of command and process ownership:

• Review the organization chart to identify the executive and process owners and their designated support team
• Include global and geographic process owners
• Match the owners to their financial and legal counterparts

Notes for Presenters: The internal controls function is responsible for the design, implementation, and execution of the subcertification process. The program is made up of two elements: the matrix that identifies process owners and their accounting and finance support, and the letter and its various components used to encompass the areas which require CEO/CFO certification. The methodology used to assign ownership of the processes and their support team is based on a cascading approach based on line of command and process ownership and on reading the four steps.

Slide: Subcertification Matrix

• Assigns subcertification responsibility based on process
• Processes are defined by internal controls and others to ensure all processes are captured.

Function or Process | Executive Sponsor | Business / Process Owner | Financial Controller / Designate | Legal Support
Product Management | | | |
Sales | | | |
Marketing | | | |
Administration / Operations | | | |
Human Resources | | | |
Information Technology / Information Systems | | | |
Accounting and Finance | | | |
Compliance | | | |
Legal | | | |

Note for Presenters: Refer to the matrix as distributed in the package; have them review it for accuracy and concur.
Slide: Subcertification Process Flow

[Process flow chart: Update Distribution List, Letter and Package → CFO Sends out Package → Distribution List Member Due Diligence Reviews → Cascade Letters → Responses Received and Entered Into Database (Database) → Summarize and Input Findings for Certification → Monitor Through Internal Controls Review → Remediation and Review Process]

Note for Presenters: Describe the steps of the process flow.

Slide: Framework and Process

[Framework chart, read from the bottom up: Universe of Potentially Material Information; Sub Certifier Network (Geography, Business Unit, Process Owner); Internal Controls, Finance, Legal, Compliance; Executive (includes CEO/CFO); Board of Directors and Audit Committee; Disclosure Vehicles (10K, 10Q, 8K, and Related Communication). Steps: Identify, Review, Evaluate, Draft, Certify, File, with Feedback loops between levels.]

Note for Presenters: Reading the chart from the bottom up, identify those who have or should have intimate knowledge of the processes, operations, and business transactions that ultimately are reflected within the company’s financial statements and areas for disclosure. Using the comments from the letter as input, internal controls oversees that each comment is evaluated, investigated, and addressed prior to submitting results to executive management. Once the comments have been addressed and reflected in the financial statements and/or areas for disclosure, a draft of the various SEC reports and related external communications is reviewed and approved by the executive, board of directors, and audit committee prior to filing the release.
Slide: Section A: Management Letter of Representation

Slide: Representation of Financial Data and Business Practices

Note for Presenters: Over the next several charts, copy the statements as they appear in the quarterly subcertification letter and read through them.

Slide: Section B: 302 Certification

Slide: 302 Subcertifier Responsibilities

The CEO and CFO rely on subcertifiers for assurance that filings are accurate, complete, without omission, and not misleading.

Responsibilities:

• Review draft 10K/10Q for potentially material information.
• Conduct due diligence and resolve any outstanding issues related to potential disclosure.
• Elevate potentially material items so that fully informed decisions on materiality can be reached.
• Sign the 302 subcertification form attesting to due diligence in reviewing information for potential disclosure.
• At any time, inform internal controls, financial reporting, and/or compliance of any possible misstatements or omissions of a potentially “material event” that has occurred or is likely to occur.

Note for Presenters: Read through the slide.

Slide: Section B: 302 Certification

Note for Presenters: Copy the statements as they appear in the quarterly subcertification letter and read through them.

Slide: Section C: 404 Certification

Internal Control over Financial Reporting (ICOFR) is:

• A process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.
• ICOFR includes those policies and procedures that provide reasonable assurance that:
  – Records are maintained.
  – Transactions are recorded.
  – Receipts and expenditures are authorized.
Note for Presenters: The SEC and the Public Company Accounting Oversight Board (PCAOB) have defined internal control over financial reporting (ICOFR) as a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. ICOFR includes those policies and procedures that provide reasonable assurance that:

• Records are maintained.
• Transactions are recorded.
• Receipts and expenditures are authorized.
• Unauthorized acquisition, use, or disposition of assets that could have a material effect are prevented or detected.

Slide: Management’s Role and Responsibility

On an annual basis, management must:

• Assess the effectiveness of the ICOFR.
• Support its evaluation.
• Accept responsibility.
• Identify and disclose material or potentially material changes.
• Present a written assessment and certification.

On a quarterly basis, management must:

• Report on the status of significant deficiencies and/or material weaknesses.
• Identify and disclose material or potentially material changes.

Note for Presenters: To support management’s assertions regarding the effectiveness of internal control over financial reporting:

On an annual basis, management must:

• Assess the effectiveness of the company’s internal control over financial reporting using suitable criteria. The objective of such assessment is to obtain reasonable assurance as to whether any material weaknesses exist.
• Support its evaluation with sufficient evidence, including documentation.
• Accept responsibility for the effectiveness of the company’s internal control over financial reporting, identify and disclose material or potentially material changes to the company’s internal control over financial reporting, and present a written assessment and certification concerning the effectiveness of the company’s internal control over financial reporting.

On a quarterly basis, management must:

• Report on the status of significant deficiencies and/or material weaknesses to the audit committee.
• Identify and disclose material or potentially material changes to the company’s internal control over financial reporting.

Slide: Section C: 404 Certification

Note for Presenters: Copy the statements as they appear in the quarterly subcertification letter and read through them.

Slide: Certification

Slide: Quarterly Subcertification

I have reviewed the following sections (identify the sections that refer to you with a checkmark) with due diligence as these sections relate to me and, unless otherwise noted in the specified item numbers, I confirm that to the best of my knowledge, I am in compliance.

[ ] A) Representation of Financial Data and Business Practices
[ ] B) Financial Statement Subcertifiers (302 disclosure)
[ ] C) Internal Control Subcertification (404 certification)

I understand that the CEO and CFO will rely on this subcertification to support the company’s disclosure requirement to report material changes to the company’s internal control over financial reporting for the quarter ended.

Note for Presenters: Read the certification statement and remind the certifiers to sign, date, and submit the form to internal controls.

Slide: Certification: Next Steps

• Remediate open items that require action, including those that you deemed immaterial, to be reported.
• Embed the internal controls principles (e.g., accuracy, completeness, authority) into your regular reviews.
• Plan and incorporate internal control testing into processes and monitor results for continuous process improvement.

Note for Presenters: Comments and process items identified in the letter must be considered as part of the risk assessment and part of the internal control posture. Material weaknesses and significant deficiencies unresolved prior to quarter-end must be disclosed with the submission to the SEC. Once all the comments have been addressed, internal controls submits the internal control posture statements for inclusion in the 10Q/10K and submits its report to the CFO, CEO, and external auditors.

Slide: References

For additional information on Sarbanes-Oxley, visit:

• www.sec.gov/spotlight/sarbanes-oxley.htm
• http://thecaq.aicpa.org/Resources/Sarbanes+Oxley/

For internal support, contact your internal controls department.

For program information, contact IDEAL via Policyguru at www.idealpolicy.com

Note for Presenters: Encourage first-time certifiers to visit these sites to learn more about their responsibilities, the regulations, and the process.

CONTROL ACTIVITY PROGRAM TESTING GUIDES

CONTROL ACTIVITY PROGRAM

The first unit of the manual describes the governance journey from big G Governance to little g governance, using risk assessment and an oversight strategy to identify the scope of what needs to be covered within the internal control program. Presented are concepts, models, and a general discussion about the broader aspects of governance.
From the first unit, by following the exercises you should have prepared and ranked a list of processes and accounts where there is control risk. These are the processes and accounts where you will want to focus on control activity first.

The second unit of the manual describes the internal control program and dives deeper into specific control environment policies, procedures and processes to complete the governance journey. In addition to the internal control program itself are specifically chosen policies and programs that are universally recommended for all companies regardless of the type of industry. To be effective in your company, the programs and processes presented must be customized; however, to serve as an effective control, the strategic intent and concepts presented must remain the same. The exercises presented in the internal control program should assist you in identifying control objectives and activities which would be suitable for addressing the risks identified from the first unit. This third unit should aid in putting the rest of the program together, including testing, monitoring, and reporting.

This third unit of the manual uses the basic structure of the internal control program presented in the second unit to build specific internal control activity plans. Within this unit are finished product testing guides with an accompanying Excel worksheet (available via the URL download) ready for you to conduct the control activities, monitor, and track remediation efforts. For most companies these testing guides will be too generic to serve the purpose of providing complete control activity coverage. Therefore, rather than just present a series of flowcharts, questions, and activities to perform, it is better to first provide instruction as to how to build your own set of testing guides.
Following this chapter are the templates and forms referenced in this introduction, and following those forms are actual testing guides for you to customize.

Instruction for Building Your Testing Guide

The testing guides should be made available to anyone who wants to review them and use them as interim readiness or preparation checklists. These guides must change as the result of risk assessment changes, as actual control activities are performed and findings are discovered, or as the internal control professional deems necessary.

The sample of test guides issued within this unit has assumed that risk-assessed processes and subprocesses have identified the focus areas. The internal control representatives have decided on a level of testing commensurate with the level of risk. Use these as a guide or point of reference for developing your own internal control activity testing plans and guides.

Testing guides are prepared by the internal control department and may contain input from internal audit, compliance, and the process manager. The internal control department has prepared, reviewed, and approved the use of the guide. The testing guide template used as the control activity plan serves as the cover sheet to the evidence collected. The guide and the summary evidence are then attached to the Result of Control Activity Testing form, otherwise known as the findings report.

The header of this form contains information required for the classification and administration of this document. The procedure number should follow the same “smart numbering” criteria used to classify and group the company’s policies and procedures. The section name refers to the functional area or business unit responsible for the process. Process refers to the department or functional area that oversees this process.
The issue date refers to this version of the testing guide; for tracking purposes, you may want to reference the date of the document that this guide replaces. The rest of the heading refers to this testing cycle and indicates the name of the process owner, the physical location where the control activities are tested, the internal control representative who conducts or oversees the testing, and the dates the tests begin and end.

Reference those policies and procedures that apply to this process or that influence this process’s control environment.

Flowchart refers to including a high-level flowchart or list of procedure steps to be followed. The intent is to summarize the process flow so that anyone picking up the document would understand the scope of the process under review. If developing flowcharts for the first time, unless you are an engineering company where everyone understands how to read and use flowcharts, I strongly recommend keeping flowcharts simple. Ask what input is required to start the process, then continue to ask “then what” until the output has been identified. At decision points, ask about the criteria for decision making, who reviews the information prior to the decision, and who is authorized to make those decisions. When flowcharting decisions, make sure the “Yes” and “No” responses have output boxes. Hint: Make sure lines go into and out of every box; don’t get caught in loops.

Use the standard flowchart symbols and connect them with lines and arrows showing the direction of the process flow.

• Process symbol: describes what has to be done. Hint: begin with a verb where possible.
• Database symbol: identifies stored data. The process may call for data to be accessed, changed, and replaced.
• Decision symbol: identifies a point where a decision is required. Ensure the likely outcomes of the decision, for example “yes” and “no” responses, are indicated on the flow.
• Document symbol—identifies the point within the process where a hard or soft copy document is produced or referenced. Document symbols are often attached to process box symbols.

A popular alternative and substitute for simple process flowcharts is the swim lane process flow, which emphasizes roles and responsibilities.

Control objectives and activities are selected to address the specific risk identified. The internal control representative will be testing for the existence of the control objective which, if present, would eliminate or mitigate the risk. Specific control activities are selected or designed to ensure those objectives are met. Evidence is collected to support the fact that an appropriate level of due diligence has occurred. Findings and areas of improvement are identified on the Result of Control Activity Testing form.

Control Objectives

As defined in previous chapters, generally accepted control objectives are:

• Compliance with laws and regulations
• Compliance with company policies and procedures
• Compliance with contract terms and conditions
• Authorization and approval
• Internal controls over financial reporting (ICOFR), which includes control objectives to address that:
  • Payments are paid, recorded, and reflect authorized transactions.
  • Payments are received, recorded, and reflect authorized transactions.
  • Transactions are recorded in a timely manner.
  • Disclosures provide transparency to the transaction.
• Operational and financial reviews are conducted as due diligence
• Reconciliations
• Integrity, which is made up of accuracy, completeness, and timeliness
• Segregation of duties
• Safeguarding assets

Control Activities

When considering approaches to collect and evaluate evidence, consider cost versus benefit. Some common types of control activities are described.
• Direct or sample testing is ordinarily performed on a periodic basis by individuals with a high degree of objectivity relative to the controls being tested. Because this type of control testing requires time and resources, not only from internal control professionals but from the process stream, it is a disruptive and costly control activity that should be used in high-risk areas. In the first year or early years of an internal control program, more direct testing may need to be done in order to establish a baseline of controllable activities.

• Checklists are generally used when there are a lot of steps and/or decisions which may require alternate processing streams. You may want to design into the process description peer or management reviews for selected transactions over a predefined threshold limit. For example, sales orders over $100,000 require peer-to-peer review, and sales orders over $500,000 require management review of the checklist.

• Peer-to-peer review is a useful tool when (1) training new employees or (2) validating that the process is being followed. Peers may review the output of the process or observe the entire process to ensure that each process step, and especially control steps, are not bypassed. Having current and management-approved desk procedures is useful when peer-to-peer reviews or checklists are used as control activities.

• Control self-assessment tools generally mirror the audit working plan and ask that the process owner take responsibility for being prepared for an audit or internal control testing. A control self-assessment by a process owner may not be accurate, in that the owner knows the “intended” approach and may not be objective or diligent enough to observe the actual approach.
It is recommended that self-assessments be facilitated by an objective, independent third party who understands the process and control environment. The facilitator must not only challenge the process owner about following the defined, described steps but also note and include suspected areas of control weaknesses and deficiencies. A truly knowledgeable facilitator will also be able to recommend process improvements.

• Observation controls are similar to peer-to-peer reviews of the process; however, like self-assessments, these are undertaken by objective, independent facilitators. This approach is mostly used when there is little or no documentation to support the process. The observer walks the process from beginning to end and prepares notes as to the steps performed, highlighting areas that need additional control or process improvement. The comments and notes the observer makes assist the process manager in formally producing documented procedures.

• Ongoing monitoring and tracking of key performance indicators is a normal management activity for recurring activities. These are generally automated controls mapped across time with acceptable control variances determined ahead of time. Periodically, test the thresholds of control variances to ensure that the limits are established appropriately. This type of testing is appropriate for high-volume, low-risk areas.

It is not enough to simply perform these control activities; it is vital that the approach and the results be documented. Regardless of the approach used, it is important to document the type of activities performed and, in support of those activities, to collect evidence to prove the status of the control effectiveness.

Readiness checklist is used as a preparation guide for the process owner.
The answers to these questions and the evidence to support the answers should be made available to the internal control representative prior to the testing. However, if this is not completed beforehand, the internal control representative could use this as a prelude to the actual control activities. The readiness checklist is designed to identify audit readiness or self-assessment questions. These questions should be answered as “Yes” or “No,” with the “No” responses indicating a control weakness. There is a similarity of questions from process to process because these readiness questions are generally aimed at ensuring the basic requirements exist. Regardless of whether detailed control activities are scheduled for a process, the process owner should review their responses to the readiness checklist at least annually. Each business area and/or process owner must have sufficient documentation and evidence to support their readiness checklist or self-assessment responses.

Key measures are intended to demonstrate that the process is measured, monitored, and tracked. List key or likely operational indicators and/or measures that may be monitored to ensure control objectives and activities are met. These should be recurring measures that the process owner uses to oversee effectiveness (i.e., defects) and efficiency (i.e., cycle time of the process). List key financial indicators that would be used for decision making and reporting purposes.

Instruction for Completing the Result of Control Activity Testing Form

The Internal Controls––Result of Control Activity Testing form is presented at the end of this chapter and can be used as an aid when documenting, ranking, and consolidating the control activities.
To complete the form, identify the following information as part of the header:

• Company refers to the company, functional business area, or process being tested.
• Location refers to the geographic location where the test is executed.
• Financial period refers to the financial period or transaction period under review.
• Date refers to the date the test is conducted, or use a start and end date if the testing period is over a significant amount of time.
• Prepared by refers to the person or team leader conducting the internal control test.
• Reviewed by refers to the person or team leader overseeing and reviewing the test and findings.

Purpose: Identify the purpose of the testing as:

• Self-assessment––conducted or overseen by the process manager. Results of self-assessments should be shared with the internal control representative or may be submitted directly to the internal control program manager.
• Interim control activity assessment––conducted by an internal control representative as an “off-cycle” assessment that could be a surprise spot assessment or a remedial assessment.
• Control activity assessment––conducted by the internal control representative as part of the planned internal control testing plan.

Scope or process description: The intent is not to duplicate existing documentation but to reference the procedure in existence at the time of the testing. Reference to the in-scope process documentation may include policy and procedures, instructions, and forms.

Result of Control Activities Tested: Number and identify each control objective and activity being tested. Follow or create a cross-reference to the control objectives and activities as listed on the test guide.
Result of the control activity should identify the size of the sample, the criteria used for sampling, and the finding; reference findings as (E) controls were found to be in existence, (CT) controls were found to be executed completely and in a timely fashion, (VA) controls were found to be valid and accurate. Include other assertion levels as appropriate to your test plans.

Assessment refers to your evaluation as to whether the control is working as it should be. Rate as 1 to 4, with each rating defined as 1 for a significant deficiency, 2 for a material weakness, 3 for a reportable condition, or 4 for an effective control.

Evaluation is the place where you can offer an overall evaluation as to whether internal control objectives are being met or not. Include an overall rating of 1, 2, 3, or 4.

Signatures are required from those who prepared or led the control team conducting the review and those who reviewed and approved the findings and results.

Process owners may use this form to identify control activities they perform on a regular or ongoing basis. In this case, I recommend completing the form once a quarter and attaching the results from each review, noting the timing, extent, and result of the control activity.

Following is a list of the most common result of control activity testing comments and identified areas for improvement.

• Inadequate knowledge of company policies, procedures, or governing regulations. Employees generally feel very comfortable executing their duties in order to “get the job done,” and for the most part, these instructions should not pose internal control issues. As we all know, employees often encounter roadblocks and have to find another route or bypass, and this is where the control issues are hidden. Employees may not be aware that there are overarching policies and procedures that address unique situations.
Ensure that there is periodic training and review of all policies and procedures.

• Inappropriate access to assets. Employees often have a level of trust that might compromise the safeguarding of assets through such activities as sharing passwords, leaving keys in the open or offices unlocked, and access to cash and/or checks not fully secured.

• Form over substance. This type of control exposure refers to when employees really don’t understand the full extent of their responsibility; for example, “review and approve” has a different connotation than “approve.” Employees must ensure that not only the control directive is followed but also its intent.

Having the best internal controls in place may still be hampered by a soft control environment where managers or others may exercise “control override” for the sake of “getting the job done” or excuse mistakes and errors as “human errors.” Other types of internal control missteps indicative of a weak control environment include:

• Lack of adequate management oversight and accountability, and failure to develop a strong awareness of an internal environment which respects internal controls.
• Inadequate assessment of the risk of certain activities. Unfortunately, this is often skill and/or experience related, with the risk mitigated by building controls into the process and ensuring employees follow the process.
• The absence or failure of key control activities, such as segregation of duties, approvals, verifications, reconciliations, and reviews of operating performance.
• Inadequate communication of information between levels of management, especially in the upward communication of problems.
• Inadequate or ineffective internal control program and other monitoring activities.

Once the form is complete, attach the test guide and supporting evidence and forward to the internal controls program manager.
These forms are consolidated and used to follow up on remediation plans for items rated 1 or 2 and to determine the overall status of the company’s internal control environment.

Monitoring and Tracking

Monitoring refers to the assessment of internal control performance over time. It is accomplished by collecting key performance indicators, results from the various types of testing approaches and, of course, by direct testing. The purpose of monitoring is to determine whether internal controls are adequate to detect and prevent exposures and unnecessary risk. Monitoring could be the same as a control objective and/or activity. For example, authorizing documentation is a control objective, with the evidence of that authorization serving as support of the authorization activity. Performed sporadically, it is a control objective and activity; performed with each qualifying event, it is a monitoring activity.

To the extent practicable, build in standardized, consistent control activities that can function as both control and monitoring activities. Because the internal control program is a process, its effectiveness is an assessment of the condition of the process at more than one point in time. Just as control activities help to ensure that actions to manage risks are carried out, monitoring is the part of the process that ensures that control activities and other planned activities are carried out properly and in a timely manner, and that the actionable items identified as a result of the testing process are tracked to ensure the timely, complete, and accurate correction of findings and areas for improvement. The effectiveness of monitoring depends on the persuasiveness of the information obtained and whether or not operational improvements have occurred as a result.
Persuasiveness is measured not by the volume of measures but by the quality of the measures and how well they are aligned to the control objective. For example, to measure whether accrual journal entries are posted in the accounting system on time, test the beginning-of-the-month journal entry activity to determine if the data and information were known and should have been accrued at the end of the previous month. Monitor and track the number and dollar volume of the errant journal entries. Correcting the problem is then considered part of remediation.

A clear indication that monitoring is effective is when the appropriate control measures are used to better understand the process and drive process effectiveness (i.e., fewer defects) and efficiency (i.e., less time and resources) and therefore increase bottom-line profitability. Effective monitoring shall be designed to identify and correct weaknesses before those weaknesses could manifest and adversely impact achieving the company’s objectives. Remember that the internal control program and process also require testing, monitoring, and tracking. Control objectives and activities must be established to ensure that this program is working as designed.

Remediation

Remediation refers to the investigation and correction of control deficiencies or opportunities for process improvement. Remediation follows closely on monitoring and tracking in that necessary actions must be taken between collecting data and information and following up. The purpose of remediation and corrective action is to mitigate and reduce the number of internal control findings, producing a better-controlled environment. The remediation efforts begin by identifying and classifying opportunities to improve the company’s control posture. These opportunities are collected from the Result of Control Activity Testing form.
These opportunities are analyzed by process to discover the overall control status of the process, and also analyzed across processes, where similar deficiencies may point to a centralized solution (e.g., improve access controls).

• Classify and prioritize the items which are to be monitored, establishing a qualitative or quantitative indicator for process owners to report.
• Work with the process owner to provide corrective action.
• Collect indicators and analyze trends over the period in between testing.
• Schedule testing more frequently for those areas that have high volume or high risk or are stalled (i.e., no real progress has been made).
• Retain open communication between process owners and senior executives.
• Facilitate and mediate to close the process gaps.

Since decisions to remediate will depend on the diagnosis, accurate assessment of the root cause is crucial. Investigative and correction techniques vary and may include such analytical and decision-making aids as fishbone diagrams, cause-and-effect diagrams, and process value chains. The objective is to identify the root cause of the control issue and design controls into the process that will correct the control deficiency or at least mitigate it. In the quest to identify and implement the most “elegant” remediation solution, be careful not to overdesign the correction; remember to conduct a cost-versus-benefit analysis and risk assess it before it is implemented. It is expensive, in time and resources, to reengineer a process, and the consequences are felt up- and downstream.

The completion and implementation of the corrective action can be tedious, with potential for ineffectiveness within the correction process itself.
Although the findings have been identified and the detailed plans have been identified, there is a point within correction where scope creep comes into play (i.e., “while we are at it, let’s also try to correct this”) and boredom sets in (i.e., “is this project still around?”). Use the remediation phase to stay focused on the task, or divide the remediation effort into milestone stages so that successes can be readily achieved and momentum is not lost. Measure the results of the remediation efforts and, once implemented, conduct a detailed test of the control objectives that were to be remediated. If the control weakness is high volume and high risk, consider running and testing the old and new control activities in parallel before closing the control issue.

Reporting

As we’ve previously identified, information and communication are essential to effecting the control environment. Reliable and relevant data and information flowing from the top down, bottom up, and across functions are required for an effective program; reporting falls into this category. Open lines of communication must occur between all the stakeholders, with reports adapted to address their focus areas. The focus for process owners and participants is at the detail level; for senior executives it has to do with identifying opportunities and weaknesses which will affect meeting company goals and objectives; and for the audit committee of the board of directors and external auditors, it is about transparency and compliance with regulations.

Developing an internal control scorecard to identify the key findings, items to be remediated, and the status of that remediation is important for communication. The use of standardized communication reports and vehicles requires up-front planning and ensures that busy executives will likely take the time to review it. Following is a scorecard based on the Internal Control––Results from Control Activity Testing.
Instructions to Complete the Internal Controls––Reporting Scorecard

The Internal Controls––Reporting Scorecard is presented at the end of this chapter and is one way to easily report and communicate on the company’s internal control status. The heading is composed of the same information as is required on the Result of Control Activity Testing form. The Reporting Scorecard consolidates the results from the testing form and presents the information at a higher level. The report should be distributed to those who need to know, including but not necessarily limited to: chief executive officer, chief financial officer, executive team, and process owners. The purpose of this report is to consolidate the findings from the Result of Control Activity Testing and report on the progress made to remediate open issues.

The goal, of course, is to achieve zero material weaknesses and zero significant deficiencies, as these have been determined to be unacceptable levels of risk. The Reporting Scorecard is required because it is recognized that these issues may take time and resources to resolve. In the meantime, workaround controls must be implemented to reduce the level of risk and exposure. Since exposures and risks are identified via the internal control testing process, we have to also identify how well the testing process is going and whether the internal control testing plan is being executed as designed; therefore, a statement is included as part of the goal to indicate that the internal control testing plan is current as of a specific date.

The findings table is completed by listing the processes at a consolidated high level, such as sales, manufacturing, inventory management, distribution, real estate, occupational health and safety, legal, human resources, finance, and compliance.
The high-level processes must be comparable to the risk assessments. There could be additional processes identified; however, the processes previously identified as having a high or medium risk level must be included on this list. In order to prepare the consolidated view, a bottom-up build of the processes and subprocesses identified in the Results of Control Activity Testing forms must be grouped and combined as reports are communicated along the line of command. Supporting reports may or may not need to be distributed, based on the volume of issues with unacceptable ratings. The list of processes must be consolidated at a high level with detail available to drill down when necessary. If this is a report that is distributed to executive leaders, group the processes by functional area with a senior manager. Drilldown or backup charts should be made available upon request and must tie into the data and information collected from the control activities.

Total number of controls refers to the number of control activities that were executed. This is intended to demonstrate internal control due diligence as compared to process risk. Aggregate the number of activities by the rating they achieved. The ratings must be consistent with the Results of Control Activity Testing forms. Ratings are 1 to 4, defined as 1 for a significant deficiency, 2 for a material weakness, or 3 for a reportable condition. Those activities rated as a 4, effective control, do not have to be reported on this table. However, they should be counted in the number of control activities from the first column. Subtotal the columns, noting that the columns will not add across because of the activities rated as effective. Be careful not to play a numbers game, as more is not necessarily better. It is strategically better to target the control objective and the control activity to get to the data and information required to prove that the control objective exists.
The action table brings attention to those items rated 1 (SD) and 2 (MW), representing processes and subprocesses that must be on everyone’s radar screen and require additional information. If you want to get fancy, you can highlight those remediation plans that are past their expected completion date. The process may be a subprocess of one mentioned above. If the consolidated process was generally found to be acceptable but one area or subprocess requires remediation, highlight that one area; example: Accounts Payable––Check Disbursement. Each subprocess with a 1 or 2 rating must be listed. The process owner or the person responsible for remediating the exposure is named, as are the long- and short-term remediation actions and the expected completion date.

For example:

Actions:

Process | Process Owner | Remediation Actions | Expected Completion Date
Accounts Payable––Check Disbursement | Jane Doe | Acquire a lockbox to store signature plates. | April 1, 2XXX

The final section of this report provides room for internal controls to enter comments about the process, including those areas:

• Where additional or potential risk has been discovered
• Which require attention even though the rating has not reached unacceptable levels (i.e., 1 or 2)
• Which are ready for retesting and to eliminate them from the Reporting Scorecard
• Where a solution may be replicated for use in other processes

Internal Control Planning, Testing, and Remediation Worksheet

As described in the second unit, the Internal Control Planning, Testing, and Remediation Worksheet serves as the database to log findings, monitor and track improvements, and report on progress. As a planning tool, the processes and subprocesses identified in the risk assessment are listed on this worksheet.
The potential risks and/or control objectives that must be present in the process are identifi ed and the specifi c activity to prove the existence of the control objective is identifi ed and planned. An example of a completed worksheet: • • • • Process/Account Control Objective or Risk Control Activity or Test Accounts Payable Accurate There is a chart of accounts and instruction for assigning account distribution for accuracy in recording transactions and classifying expenses. Daily, peer to peer reviews are established. Test a sample of transactions for account coding accuracy. A/R – Collections Reconciliation Review reconciliations of customer A/R balances between the sub ledger and general ledger. Review and reconcile the aging report to the general ledger. Revenue Compliance with Contract Terms All customers have a valid and approved contract. Customers requesting non-standard contract terms and conditions require additional fi nancial and legal approval. Review exception report for customs without valid contracts and remediate for resolution. C01.indd 144C01.indd 144 8/25/08 2:14:29 PM8/25/08 2:14:29 PM Internal Use Only CONTROL ACTIVITY PROGRAM TESTING GUIDES 145 As a testing tool, the internal control representative records the details of the testing activities and identifi es the supporting evidence collected. An example of a completed worksheet: Control Objective or Risk Sample size and results of Testing Control in Place (Y/N) if No type of exposure Accurate Verifi ed that there are instructions and a valid Chart of Accounts available for coding transactions, however there were errors. Sample size of 50 transactions from all levels of transaction dollar thresholds. A checklist was available for peer to peer reviews. There were lapses in the peer to peer reviews with the most material transaction not fully reviewed. Errors were minor and did not affect fi nancial reporting data or information. Yes, 3. 
The control is generally in place, however there is opportunity for improvement. Reconciliation Reviewed and analyzed the reconciliations prepared each month of the quarter. Further analysis on unrecognized amounts included a recurring condition where reductions to price were routinely granted to customers who were not satisfi ed with the product’s performance. These reductions were not refl ected as an adjustment to revenue but rather recognized within the Allowance for Doubtful Accounts. No, 2. although the reconciliations were prepared, they were not appropriately analyzed, documented or approved. Revenue is not appropriately recognized. Compliance with Contract Terms Sample size 100% of all customer contracts over $100,000, 50% random sample for those contracts between $50,000 and $100,000 and 10% for those contracts less than $50,000. Customer signs standard terms and conditions, however side agreements are present indicating that if the customer is “not happy” the Customer may return the product or accept an adjustment to the amount owed the company. No, 1. This is a signifi cant defi ciency. There are unapproved side agreements with acceptance clauses and revenue is improperly recognized because the price is not fi xed nor determinable. As a remediation tool, those items rated as 1, signifi cant defi ciency (SD); 2, material weakness (MW); and 3, reportable condition (RC) require action. Because of the risk of noncompliance exposures, signifi cant defi - ciencies and material weaknesses require immediate action. Reportable conditions also require action or at least comment as they may be tracking toward an unacceptable level of risk. C01.indd 145C01.indd 145 8/25/08 2:14:29 PM8/25/08 2:14:29 PM Internal Use Only 146 PROCEDURE C01 An example of a completed worksheet: Process / Account Process Owner Remediation Actions Next Follow up / Due Date Accounts Payable Jamie Doe 1) Automate expense coding into the A/P system. 
2) Prepare thresholds for peer to peer reviews including all transactions over a certain size (e.g., $20,000) and 50% randomly selected sample for transactions between $5,000 and $20,000 and 20% review sample size for those less than $5,000. Rather than daily reviews, consider implementing peer to peer reviews once a week and covering the weekly activity. Management to select a sample from each category to review. 1) Investement anlaysis and change request analysis for A/P system in 5 days 2) 5 days to review and update the peer to peer checklist and immediately thereafter re-instate the peer to peer reviews with management sign off. A/R – Collections Terry Doe Review the Company’s policies and procedures to ensure that the following is included: appropriate fi nancial and legal approval is required for any and all post contract changes. Ensure the Allowance is only used for Bad Debt expenses, where the customer is unable to pay debts owed to the Company. Weekly reviews until this issue is resovled, the policies and procedures are clear. Follow up with training for A/R staff. Revenue Mike Doe Review the Revenue Recognition policies and procedures to ensure this topic is adequately addressed. Those not in compliance with company policy may be terminated. Assess current contracts to determine the extent of this issue. Prior period restatement and disclosure to the SEC may be required. Institute a process for monitoring contracts and side agreements, training sales force, sales administration, legal and fi nance as to revenue recognition issues and consequences. Within 2 days, assess contracts with this clause. Within 5 days, develop a remediation plan and action. C01.indd 146C01.indd 146 8/25/08 2:14:29 PM8/25/08 2:14:29 PM Internal Use Only Reference Policies and Procedures List the policies and procedures that apply to this process Readiness Checklist Identify audit readiness or self-assessment questions. 
These questions should be answered "Yes" or "No", with the "No" responses indicating a control weakness. There is a similarity of questions from process to process because these readiness questions are generally aimed at ensuring that the basic requirements exist. Regardless of whether detailed control activities are scheduled for a process, the process owner should review their responses to the readiness checklist at least annually. Each business area and/or process owner must have sufficient documentation and evidence to support their readiness checklist or self-assessment responses.

Flowchart
Insert a high-level process flowchart.

Control Objectives and Activities
Based on the type of risk identified, identify the control objectives that, if present, would eliminate or mitigate the risk. Specific control activities must be designed to ensure those objectives are met. Evidence is collected to support the fact that an appropriate level of due diligence has occurred. Findings and areas of improvement are identified on the Result of Control Activity Testing form.

Key Measures
List key or likely operational indicators and/or measures that may be monitored to ensure control objectives and activities are met. These should be recurring measures that the process owner uses to oversee effectiveness (i.e., defects) and efficiency (i.e., cycle time of the process). List key financial indicators that would be used for decision-making and reporting purposes.

This test guide is used as the internal control activity for:
Process Owner:
Located at:
Control Activities conducted by:
Date:

Internal Control Procedure No. C01a | Section: Accounting and Finance | Page 1 of 1 | Process Name | Issue Date: | Replaces previously issued

PROCEDURE C01B

Purpose: This form is to be used as a template to document the results of the control testing activities. Identify the purpose and timing of the testing, e.g., quarterly SOX review.

Scope or Process Description:

Policy and Procedure references

Result of Control Activities Tested
Number and identify each control objective and activity being tested. Follow or create a cross-reference to the control objectives and activities as listed on the test guide. The result of the control activity should identify the size of the sample, the criteria used for sampling, and the finding; reference findings as (E) controls were found to be in existence, (CT) controls were found to be executed completely and in a timely fashion, (VA) controls were found to be valid and accurate. Include other assertion levels as appropriate to your test plans. Assessment refers to your evaluation as to whether the control is working as it should be. Ratings are 1 to 4, defined as 1 for a significant deficiency, 2 as a material weakness, 3 as a reportable condition, or 4 as an effective control.

Description of Control Objective/Activity tested | Result of Control Activity | Assessment (1, 2, 3, 4)
1.
2.
3.
4.
5.
6.

Evaluation: In my opinion, the overall control assessment for the process described above is rated as < insert rating 1, 2, 3, 4 > and ________.

Prepared by: _____________________________________________ Date ___________
Reviewed and approved by: _________________________________ Date ___________

Once complete, attach the test guide as a cover sheet to the supporting evidence and forward to internal controls.

Internal Controls Procedure No.
C01b | Section: Accounting and Finance | Page 1 of 1 | Result of Control Activity Testing | Company | Location | Financial Period | Prepared by: | Date | Reviewed by:

PROCEDURE C01C

INTERNAL CONTROL—PLANNING, TESTING, AND REMEDIATION WORKSHEET

Available in the URL download is an Excel worksheet with the following columns. For your convenience, the download is prepopulated with the process/account, control objectives, and control activities described in the internal control testing guides of this manual.

Process/Account
Using a top-down assessment approach, list the significant processes and/or accounts that require testing. After the risk assessment has been performed, the risks shall be classified and prioritized, with owners and next-step actions identified.

Control Objective/Risk
Identify the control objective or risk element that must be documented or tested. Designate your own control objectives or use the ones identified and defined within the testing guides presented in the manual.

Control Activity
Identify the planned control activity that must be documented or tested. Design your own control activities, or use the ones identified and defined within the testing guides presented in the manual. Remember that the control activity must demonstrate that the internal control representative has defined a substantive activity that will produce sufficient evidence that the control is working. Supporting evidence shall be included or referenced on the Internal Control––Result of Testing form.

Sample Size and Results of Testing
Describe the approach used to determine the sample size, identify the sample size, and describe the findings that result. Reference the Internal Control––Results of Testing checklist and the supporting evidence collected. Remember to note where the control objective is working as designed and there are no findings. Even if not an immediate control exposure, remember to include areas of concern that may lead to control exposures or where process effectiveness and efficiency opportunities may exist.

Control in Place
Identify "Yes" or "No" as to whether the control objective is in place and proved by the control activity. If "No," describe the issue and rate the control; assessment refers to your evaluation as to whether the control is working as it should be. Rate 1 as a significant deficiency, 2 as a material weakness, 3 as a reportable condition, and 4 as an effective control.

Remediation Actions
If remediation actions are required, identify the immediate next steps and corrective action plans. Remediation actions and next steps should be developed in cooperation with the process manager.

Next Follow-up Date or Due Date
A follow-up date is required for those issues that cannot be readily corrected. This date should not be more than two weeks from the date of the testing, to ensure a timely response from the process manager. If the corrective action requires significant process re-engineering, plan on periodic meetings to ensure that the re-engineering design corrects the control issues. A due date is preferable, as the date the issue is corrected and ready for retesting. Allow time for the correction to be implemented and for performance indicators to prove that the correction has been deployed; then follow with a retest of the control objective.

Available with the URL download, this worksheet is populated with the processes, control objectives and activities described in the test guides that follow.
PROCEDURE C01D

Internal Control Procedure No. C01d | Section: Accounting and Finance | Page 1 of 2 | Reporting Scorecard | Company | Location | Financial Period | Prepared by: | Date | Reviewed by:

Distributed to: Chief executive officer, chief financial officer, executive team, and process owners

Purpose: Consolidate the findings from the Result of Control Activity Testing and report on the progress made to remediate open issues.

Goal: Zero material weaknesses and zero significant deficiencies

Testing is current as of:

Findings:
Process | Total # Controls | Rating 1 SD | Rating 2 MW | Rating 3 RC | Total
Ratings are 1 to 4, defined as 1 for a significant deficiency (SD), 2 as a material weakness (MW), or 3 as a reportable condition (RC).

Actions:
Process | Process Owner | Remediation Actions | Expected Completion Date

Internal control comments or observations:

PROCEDURE C02

Reference Policies and Procedures
• Accounts Payable––Request Payment to Third-Party Vendors
• Journal Entry
• Accrual
• Procurement
• Escheat

Flowchart
Internal Controls Procedure No. C02 | Section: Accounting and Finance | Page 1 of 5 | Accounts Payable – Disbursements Request Payment to Third Party Vendors | Department Ownership | Issue/Effective Date: | Replaces previously issued

[Flowchart placeholder; the image itself is not recoverable. Input: invoices received from third parties. Process: routed to the A/P representative and matched in the A/P module of the purchasing system; 3-way match or okay to pay? Outcomes: okay to pay with no variances; okay to pay within variance limits; quantity or $ variances exceeded (business area investigates and resolves with the vendor, then updates the purchasing system); no purchase order or goods receipt (updated in the purchasing system as non-PO and routed to the business area for review and approval: okay to pay?). Approved items are released for payment. Output: payment to vendor; A/P reports (transaction activity, aging reports, accrual, key metrics); journal entries prepared and posted; reconciliation; review of invoice due analysis.]

Readiness Checklist
• Are there documented policies and procedures?
• Have employees been trained as to the rules, regulations and information technology (IT) systems regarding the accounts payable (A/P) module within the procurement system?
• Is supporting documentation in the form of purchase orders, invoices, and receiving reports available to A/P representatives?
• Have samples of the three-way match input been traced back to the source documents and verified as complete and accurate? Is there a strategy for collecting and reviewing the samples, and for documenting the remediation plans and actions?
• Have samples of the activity that does not qualify as three-way match been traced to source documents and verified as complete, accurate and authorized for payment? Is there a strategy for collecting and reviewing the samples, and for documenting the remediation plans and actions?
• Are there system-related IT controls embedded into the design of the feeds from Procurement and to/from the payment distribution system? Are the results of the reviews documented?
• Are vendor invoices reviewed for correctness, including quantity, price, tax, terms, and calculations, prior to processing for payment?
• Are there controls to ensure an invoice is not paid twice?
• Are debit balances detected and resolved on a timely basis?
• Are the roles and responsibilities segregated among those who establish or approve vendors, order products and/or services, receive products and/or services, receive and approve invoices for payment, and those who reconcile the activity?
• If A/P is outsourced, is there a valid SAS 70 on file with the A/P department? Has the company conducted test sampling to ensure that controls, reviews and audits are performed at the outsourced location where the company's A/P payments are processed? Are the results documented?

Control Objectives and Activities

Complete
• Only those invoices and check requests that have been posted are included within the payment run. Transactions are authorized and released for the payment run by the A/P manager. Review and observe the process.

Accurate
• There is a chart of accounts and instruction for assigning account distribution for accuracy in recording transactions and classifying expenses. Daily peer-to-peer reviews are established. Test a sample of transactions for account coding accuracy.
• Vendors are paid in accordance with agreed terms and conditions. Select payments and confirm with vendor payment terms. Peer-to-peer tests are performed and documented.

Authorized
• Payments may only be made to preapproved vendors established within the vendor master database. Review variance and exception reports for remediation plans.
• All disbursements are reviewed and authorized, as witnessed by signature and date. Reviewers and authorizers are as identified within the delegation of authority. Review the signatory list to ensure that they have appropriate levels of delegation.
Disbursement of Funds
• For manual checks and wire transfers, only approved vendor invoices as identified within the A/P system can be processed as a manual payment. A self-assessment checklist is completed for each wire transfer. Select a sample and trace the payment back to source documentation.

Reconciliation
• The A/P representative prepares a reconciliation of the monthly open payables report/subledger to the general ledger A/P account, and any variances are resolved in a timely manner. The A/P manager evidences review and approval of the reconciliation by dated sign-off. Select a sample and review the supporting documentation and approval levels.
• Unmatched items, or items that have been flagged as partial receipt/payment, are identified and investigated. Review and observe how these are resolved; document control issues.

Safeguarding Assets
• Assets used for processing payments (i.e., check stock, signing plates, wire transfer terminals, check signing machines) are stored in a physically secure area with access restricted to authorized personnel only. Review, observe, and document the safeguarding of assets.
• Segregation-of-duties tests are performed by observing roles and responsibilities and reviewing documented flowcharts and/or procedures. Segregation of duties exists between employees who have access to:
  - Vendor master data and maintenance (owned by the procurement department) and employees who have access to process vendor invoices (A/P department)
  - Create and maintain purchase orders (POs) (owned by the procurement department) and employees who have access to process vendor invoices
  - PO approval (performed by the business area requesting the goods and/or services) and employees who have access to process vendor invoices
  - Process vendor invoices and employees who have access to goods receipt on a PO (performed by the receiving department or the business area requesting the goods and/or services)
  - Process vendor invoices and employees who have access to A/P payments
  - Bank reconciliation (performed by treasury) and employees who have access to process vendor invoices
  - Enter invoices into the A/P IT system and personnel authorized to sign checks and electronic funds transfers

Information Technology Controls
• The A/P system is configured to automatically process invoices for payment with a price tolerance limit of plus or minus 10% or $100 over the PO amount, whichever is less. Quantity must not exceed the total quantity of the PO. Variances in quantity or in price tolerance are blocked for payment in the system.
• In accordance with company policy and procedure, the IT system is configured to perform three-way matches.
• On a quarterly basis, the file share owner(s) perform a documented review of the A/P IT system and file share access to ensure that access is restricted to authorized personnel for the ability to:
  - Process invoices against POs, including the ability to input, edit, or cancel invoices.
  - Process invoices and payment requests that do not have a PO and/or goods receipt, including the ability to input, edit, or cancel invoices.
  - Release invoices for payment.
  - Enter manual payments.
  - Unblock invoices that have been automatically blocked for payment.
• Additional A/P IT systems are designed with controls that:
  - Do not allow processing of duplicate invoice numbers for the same vendor.
  - Will not process payables transactions for inactive vendors.
  - Track the remaining balance of blanket POs with recurring payments and close the PO when the balance becomes zero.
• Controls are in place to ensure that recurring vendor payments are processed in accordance with contract terms.

Key Measures
• Transaction analysis and exception reports to monitor and track the number of exceptions
• A/P aging reports to measure and monitor the days' payable outstanding (DPO) metric
• Transactional reconciliation reports to monitor and track the number of invoices received and payments processed
• Bank reconciliation reports to monitor and track cash disbursements and outstanding checks

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:

PROCEDURE C02A

Reference Policies and Procedures
• Accounts receivable––Allowance for doubtful accounts
• Journal Entries
• Account reconciliation

Flowchart
Internal Controls Procedure No.
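The information technology controls in the A/P disbursements (C02) test guide above describe how the system should dispose of an invoice: three-way match against the PO and goods receipt, a price tolerance of 10% or $100 over the PO amount (whichever is less), quantity not exceeding the PO, duplicate invoice numbers for the same vendor refused, inactive vendors refused, and anything without a PO or goods receipt recorded as non-PO and routed to the business area. The Python below is an added example that implements those checks over constructed vendors, POs and invoices; it is not the manual's code nor any real A/P system's logic. The class and field names are this example's own, and treating the tolerance as symmetric (the invoice may be under as well as over the PO amount by the allowed variance) is an interpretation of "plus or minus".

```python
"""Automated invoice dispositions for an A/P module (added example, not from the manual)."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Iterable, List, Optional, Set, Tuple

PRICE_TOLERANCE_PCT = Decimal("0.10")   # plus or minus 10% of the PO amount ...
PRICE_TOLERANCE_CAP = Decimal("100")    # ... or $100, whichever is less


@dataclass(frozen=True)
class PurchaseOrder:
    number: str
    vendor: str
    unit_price: Decimal
    quantity: int            # quantity ordered
    received_qty: int = 0    # quantity on the goods receipt; 0 = nothing received yet


@dataclass(frozen=True)
class Invoice:
    vendor: str
    invoice_number: str
    unit_price: Decimal
    quantity: int
    po_number: Optional[str] = None


class ApInvoiceChecker:
    """Applies the configured system checks and returns a disposition string."""

    def __init__(self, purchase_orders: Iterable[PurchaseOrder], active_vendors: Iterable[str]):
        self.pos: Dict[str, PurchaseOrder] = {po.number: po for po in purchase_orders}
        self.active_vendors: Set[str] = set(active_vendors)
        self.seen: Set[Tuple[str, str]] = set()   # (vendor, invoice number) already processed

    @staticmethod
    def price_tolerance(po_amount: Decimal) -> Decimal:
        """Allowed variance: 10% of the PO amount or $100, whichever is less."""
        return min(po_amount * PRICE_TOLERANCE_PCT, PRICE_TOLERANCE_CAP)

    def disposition(self, inv: Invoice) -> str:
        key = (inv.vendor, inv.invoice_number)
        if key in self.seen:
            # A corrected invoice must carry a new number; unblocking a held
            # item is a separate, access-reviewed action, not a resubmission.
            return "rejected: duplicate invoice number for this vendor"
        if inv.vendor not in self.active_vendors:
            return "rejected: vendor is inactive"
        self.seen.add(key)

        po = self.pos.get(inv.po_number) if inv.po_number else None
        if po is None or po.received_qty == 0:
            # No PO or no goods receipt: a three-way match is impossible, so the
            # invoice is recorded as non-PO and routed to the business area.
            return "non-PO: route to business area for review and approval"
        if po.vendor != inv.vendor:
            return "blocked: PO was issued to a different vendor"
        if inv.quantity > po.quantity or inv.quantity > po.received_qty:
            return "blocked: quantity variance (exceeds PO or goods receipt)"

        po_amount = po.unit_price * inv.quantity        # PO value of the invoiced quantity
        inv_amount = inv.unit_price * inv.quantity
        if abs(inv_amount - po_amount) > self.price_tolerance(po_amount):
            return "blocked: price variance outside tolerance"
        return "release for payment"


def constructed_run() -> List[Tuple[str, str, str]]:
    """Constructed vendors, POs and invoices; returns (vendor, invoice no., disposition)."""
    checker = ApInvoiceChecker(
        purchase_orders=[
            PurchaseOrder("PO-1001", "ACME", Decimal("50.00"), 10, received_qty=10),
            PurchaseOrder("PO-1002", "ACME", Decimal("2000.00"), 1, received_qty=1),
            PurchaseOrder("PO-1003", "ACME", Decimal("75.00"), 4, received_qty=0),
        ],
        active_vendors=["ACME"],
    )
    invoices = [
        Invoice("ACME", "INV-1", Decimal("50.00"), 10, "PO-1001"),    # exact match
        Invoice("ACME", "INV-2", Decimal("54.00"), 10, "PO-1001"),    # $40 over on $500: within min($50, $100)
        Invoice("ACME", "INV-3", Decimal("56.00"), 10, "PO-1001"),    # $60 over: outside the $50 tolerance
        Invoice("ACME", "INV-4", Decimal("2090.00"), 1, "PO-1002"),   # $90 over on $2,000: the $100 cap applies
        Invoice("ACME", "INV-5", Decimal("2150.00"), 1, "PO-1002"),   # $150 over: outside the $100 cap
        Invoice("ACME", "INV-6", Decimal("50.00"), 12, "PO-1001"),    # quantity exceeds the PO
        Invoice("ACME", "INV-7", Decimal("75.00"), 4, "PO-1003"),     # PO exists but no goods receipt
        Invoice("ACME", "INV-8", Decimal("120.00"), 1),               # no PO at all
        Invoice("ACME", "INV-1", Decimal("50.00"), 10, "PO-1001"),    # resubmitted: duplicate
        Invoice("OLDCO", "INV-9", Decimal("10.00"), 1, "PO-1001"),    # inactive vendor
    ]
    return [(i.vendor, i.invoice_number, checker.disposition(i)) for i in invoices]


if __name__ == "__main__":
    for vendor, number, outcome in constructed_run():
        print(f"{vendor}/{number}: {outcome}")
```

Returning a disposition string per invoice rather than a boolean is deliberate: the exception reports and the quarterly review of who may unblock invoices in the same guide both need the reason an item was held, and a tester tracing a sample back to source documents needs to see which rule fired.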
C02a | Section: Accounting and Finance | Page 1 of 4 | Accounts Receivable – Allowance for Doubtful Accounts | Department Ownership | Issue/Effective Date: | Replaces previously issued

[Flowchart placeholder; the image itself is not recoverable. Input: supporting documentation (invoices, cash applications, returns, other adjustments to customer accounts), A/R balances, customer payment terms and conditions, company policies and procedures, management discretion. Process: A/R aging report; peer and management testing of source data and input; review and analysis of the report; calculate the allowance closing balance and required journal entries; peer and management testing, review and analysis of calculations; journal entry preparation and review; posting to the general ledger; account reconciliation preparation and review. Output: financial statement disclosure.]

Readiness Checklist
• Are there documented policies and procedures?
• Has there been a change to the external rules and regulations regarding this topic?
• Have samples of the input been traced to source documents and verified as complete and accurate? Has the process been analyzed and updated for noncompliance issues?
• Has there been a change to the calculation methodology for the allowance? If so, has the change been approved by the chief accounting officer (CAO) and communicated to external reporting?
• Is there documentation for the review and analysis of accounts receivable balances to determine valuation for the allowance and to identify those account balances that should be written off?
• Have the formulas within reports and/or spreadsheets been verified as complete and accurate?
• Are peer reviews established to sample and validate that the calculation is complete and accurate? Are the results of the reviews documented?
• Are there management reviews and approvals for the output? Is the final output signed by management?
• If end-user computing (EUC) spreadsheets are used, are they in compliance with EUC review and approval procedures?

Control Objectives and Activities

Complete
• A month-end accounts receivable (A/R) aging report is used to determine the month-end allowance for doubtful accounts balance, and customer A/R activity is current and complete. Review the efficiency, that is, the timeliness of updating customer A/R balances and input to the A/R aging report: measure the time from when sales orders have been shipped to updating the A/R balance, and from when confirmation that cash has been received to updating the A/R balance. Review the effectiveness, that is, defects in the information provided within the A/R aging report. Confirm and reconcile company A/R balances with the customer's A/P records.

Accurate
• The allowance for doubtful accounts is appropriately calculated and presented in compliance with company policy, procedures, and accounting guidance. Establish management oversight, review, and approval for the data used, the calculation, and reporting.
• Validate that the most current A/R aging report is used to calculate the allowance.
• Validate the use of an approved template/spreadsheet to gather the input and test calculations.
• Validate that all relevant account balances, including those identified by management discretion, have been included within the allowance calculation.

Reconciliation
• Review the monthly A/R reconciliation for completeness and accuracy, and to ensure that unreconciled items are promptly investigated and resolved. Ensure that reconciliations have been reviewed and approved by management.
Authorize
• The allowance is correctly and accurately authorized and recorded in the general ledger. Review that the analysis and approval for the account reconciliation, journal entries, and supporting documentation have been properly authorized.
• The finance manager verifies that the allowance for doubtful accounts is correctly recorded by comparing the balance in the general ledger to the approved calculation.
• The allowance is reviewed for compliance with, and consistent application of, company methodology. The VP Finance or corporate controller reviews, signs, and dates the detailed schedules and financial disclosures. Review the input for financial disclosure and supporting documentation.

Information Technology Controls
• Verify that system controls are designed into the programs and that they are executing as designed. System controls may include matching: the customer's A/R input to other company information such as invoices; returns accepted by the company must equal the amount of returns posted to customer A/R accounts; cash application totals must equal cash applied to outstanding customer A/R balances.

Key Measures
Key financial indicators:
• Allowance balance as a percent of net A/R
• Bad debt expense as a percent of net credit sales
Process efficiency indicators, that is, the time it takes to:
• Collect the input
• Calculate the allowance
• Gain appropriate reviews and approvals
Process effectiveness indicators:
• Number of defects, or the number of times it takes to redo the allowance calculation before it is acceptable
• Bad debt expense and allowance for doubtful accounts forecast accuracy

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:

PROCEDURE C02B

Reference Policies and Procedures
• Accounts receivable
• Journal Entries
• Account reconciliation
• Escheat

Flowchart
[Flowchart placeholder; the image itself is not recoverable. Input: lockbox statements and checks received (online feed); adjustments to A/R balance (return material authorization; adjustment to A/R balance from collections); deposit slip and reconciliation. Process: review IT system control totals and match input to customer balances; acceptable match? If yes, accept the lockbox input and update the A/R system; if no, investigate and resolve, with no-match issues logged and routed to cash applications. For mailed-in checks: separate checks from invoice statements and photocopy checks; prepare the bank deposit and deposit checks; post the journal entry and update the cash receipts ledger; match input to customer balances; acceptable match? If yes, update customer A/R balances and prepare the journal entry. For adjustments: review for approved documentation; match input to customer balances; acceptable match? If yes, update customer A/R balances. Output: updated A/R system; listing and aging of unmatched or other cash application issues.]

Internal Controls Procedure No.
C02b | Section: Accounting and Finance | Page 1 of 4 | Accounts Receivable – Cash Applications | Department Ownership | Issue/Effective Date: | Replaces previously issued

Readiness Checklist
• Are there documented policies and procedures?
• Have employees been trained as to the rules, regulations, and information technology (IT) systems regarding this topic?
• Have samples of the input been traced to the source documents and verified as complete and accurate? Is there a strategy for collecting and reviewing the samples? Are improvement and remediation actions and plans documented?
• Has there been a change to the methodology regarding the application of cash? If so, has the change been approved by the corporate controller and/or chief accounting officer (CAO)?
• Are peer reviews established to perform sample testing and validate that the input to the customer's accounts receivable (A/R) balance is complete, accurate, and up to date? Are the results of the reviews documented?
• Are the cash application roles and responsibilities segregated from those who (1) establish or approve credit limits, (2) phone the customer to solicit collections, (3) collect payments, and (4) reconcile customer A/R account balances?
• Are unapplied cash applications and unapplied adjustments treated as reconciling items, investigated, monitored, and resolved on a timely basis?
• Are cash application employees organized and rotated so that from time to time they are given a different set of customer accounts to oversee?

Control Objectives and Activities

Compliance with Laws and Regulations
• The unmatched list is aged, with a list of outstanding items more than 90 days old and the supporting documentation forwarded to the escheat manager to be included in the escheat analysis. Review selected transactions within the escheat list.
Complete
• For lockbox transactions, daily cash receipts are completely and accurately recorded in the appropriate period. The bank provides a service whereby it has access to the company's A/R accounts and clears checks received against outstanding customer invoices. The bank is instructed to clear only those items that match exactly. Items that do not match exactly are directed to a clearing account, with resolution to be provided by the company's cash applications team. Select samples and test by following the cash applied back to the source documents (i.e., invoices and customer payment).
• For customer mail-in payments, daily checks are promptly deposited and cash is applied to the customer's outstanding A/R invoices, completely and accurately recorded in the appropriate period. Select samples and test by following the cash applied back to the source documents (i.e., invoices and customer payment).
• The treasury analyst prepares and gains approval for the journal entry to record the cash deposited into the cash ledger. Review journal entries for appropriate supporting documentation, account coding, and approvals.
• There are documented rules (i.e., a methodology) for applying cash by invoice number and dollar amount, and these rules are communicated to cash application employees. Sample testing occurs to ensure the accuracy of the rule deployment.
• For cash register receipts, cash is recorded and deposited daily. Cash register programming is validated for accurate charging of discounts, sales and usage taxes, and other cash register calculation functions. Cash register readings are reviewed and tested to ensure accuracy.
Accurate
• For return merchandise adjustments, walk through and observe the request-to-return-merchandise process and document control issues. Select a sample of return adjustments and trace them back to the request and the physical return of merchandise.
• For all other adjustments to A/R balances, walk through and observe the process. Select a sample of adjustments and validate that they are in compliance with company policy, appropriately approved, and processed.
• Review peer review checklists. Review, observe, and document findings for applying cash completely and accurately.

Authorize
• Only authorized personnel may enter cash receipts. On a monthly basis, the A/R system access employee confirms the list of those who should have access to cash applications with the cash applications manager.

Reconciliation
• On a daily basis, the treasury analyst validates and reconciles the import of the electronic bank statements (EBS) as complete and accurate by comparing the before and after bank account balances. Review sample reconciliations by the treasury analyst.
• Daily, the cash applications manager prepares a reconciliation of the source documents received and the cash applied via the lockbox transactions, mail-in transactions, and the adjustments. Review sample reconciliations.
• Segregation-of-duties tests are performed by observing roles and responsibilities and reviewing documented flowcharts and/or procedures. Segregation of duties exists between employees who:
  - Prepare the bank reconciliation and personnel who can post cash to the general ledger or subledgers.
  - Authorize customers to return products and/or materials, validate that the products and/or materials have been received, and those who apply cash or adjustments to the customer's outstanding A/R balance.
  - Provide authorization to adjust customer A/R balances and those who apply those adjustments to the customer's outstanding A/R balance.
  - Deposit cash receipts (must not have withdrawal privileges).

Information Technology Controls
• IT and system controls are verified to ensure complete and accurate processing of data and information. Review exception reports for the types of issues and resolutions.
• IT has implemented access controls to ensure that only authorized individuals may update a customer's A/R balances.

Key Measures
Process efficiency indicators:
• Number of transactions or dollar value of transactions posted by each employee
• Number of transactions or dollar value of transactions processed via the lockbox versus the amount charged for the lockbox service
• Number of days or number of phone calls to the customer it takes to resolve unmatched or open issues
Process effectiveness indicators:
• Number of transactions or dollar value of unmatched transactions
• Number of transactions or dollar amount of transactions held in the clearing account
• Unmatched and unapplied items requiring resolution with the customer

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:
C02b Section: Accounting and Finance Page 4 of 4 Accounts Payable – Cash Applications Department Ownership Issue/Effective Date: Replaces previously issued C02b.indd 165C02b.indd 165 8/25/08 2:39:53 PM8/25/08 2:39:53 PM Internal Use Only 166 PROCEDURE C02C Reference Policies and Procedures Accounts Receivable––credit, collection, and cash applications Allowance for Doubtful Accounts Flowchart In pu t Pr oc es s O ut pu t Credit Administration (e.g., Limits, Terms) Returns and Adjustments Cash Applications A/R DatabaseUpdated A/RDatabase Review Customer Balances Not Overdue, Slow or Partial Payments Overdue, Slow or Partial Payments Customer Relationship Building Letter Phone Call Follow up Customer Relationship Building Credit Watch/ Hold Allowance, Adjustment, Write Off Ok? Contact Sales, Legal NoYes Request Adjustments/ Write Off Update A/R Database • • Internal Controls Procedure No. C02c Section: Accounting and Finance Page 1 of 3 Accounts Receivable – Collections Department Ownership Issue/Effective Date: Replaces previously issued C02c.indd 166C02c.indd 166 8/25/08 2:41:35 PM8/25/08 2:41:35 PM Internal Use Only CONTROL ACTIVITY PROGRAM TESTING GUIDES 167 Readiness Checklist Are there documented policies and procedures? Is there a list of graduated alternatives and scripts given to collectors to solicit payments from customers? Has there been a change to the external rules and regulations regarding this topic? Have all collection employees undergone education and training as to the company’s policies and procedures and techniques for dealing with customers? Are peer reviews established to sample and validate collection techniques taken and updates to the accounts receivable (A/R) collection database? Are the results of the reviews documented? Are management reviews performed for requests for customer write offs or adjustments? Is management approval documented when customer write offs or adjustments are taken? 
• If end-user computing (EUC) spreadsheets are used, are they in compliance with EUC review and approval procedures?

Control Objectives and Activities
Complete
• The A/R database is the single source of customer accounts receivable information, containing customer contact information, customer A/R credit limits, terms and conditions, buying history, collection history, payment history, and allowing for comments to be added each time the company's A/R representative reaches out to the customer's A/P representative. Observe to ensure that no other database or interim recording files are used to record A/R transactions.
Accurate
• A/R collection problems are documented within the collections database (i.e., one central database). Select samples to validate that customer A/R balances are correct as reported in the A/R database and aging report.
Authorize
• Select samples to verify that A/R management reviewed, authorized, and communicated adjustments to customer A/R balances in accordance with the company's policies and procedures.
Reconciliation
• Review reconciliations of customer A/R balances between the subledger and general ledger.
• Review and reconcile the aging report to the general ledger.
Segregation of Duties
Segregation-of-duties tests are performed by observing roles and responsibilities and reviewing documented flowcharts and/or procedures. Segregation of duties exists between employees who have access to:
• The subsidiary records and those who have cash receipts and general ledger control account responsibilities.
• Authorize credit limits and A/R terms, and those who authorize adjustments to A/R account balances.
• Seek collection of payments, those who receive and/or post the cash application of payments, and those who reconcile A/R balances.
Information Technology Controls
• The A/R database has access restrictions, which support the company's segregation-of-duties roles and responsibilities.
• The A/R database is updated frequently to allow collectors to have timely status reports.
• The A/R database contains system controls to identify a change in customer status and control totals to ensure accuracy of recording.
Key Measures
• Days' sales outstanding, representing the amount of time it takes to collect outstanding A/R
• A/R turnover, representing the number of times A/R turns over during the year

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:

PROCEDURE C02D

Reference Policies and Procedures
• Accounts Receivable – credit, collection, and cash applications
• Allowance for Doubtful Accounts

Flowchart (input/process/output diagram). Inputs: Request for New A/R or to Extend Credit Limits; Input from Collections re: Slow Paying, Non Payment. Process: Customer Financial Review for Request; AR Review Checklist; OK? If not OK for credit: Notify Sales, Collections, Customer; Suggest Cash, Letter of Credit, Financing Alternative. If OK for credit: Notify Sales, Customer; Update AR Database. Outputs: AR Database; Customer AR Master Data and T&C.

Internal Controls Procedure No. C02d
Section: Accounting and Finance
Accounts Receivable – Credit Administration
Department Ownership:
Issue/Effective Date:
Replaces previously issued:

Readiness Checklist
• Are there documented policies and procedures?
• Have employees been trained as to the rules, regulations, and information technology (IT) systems regarding this topic?
• Is there a checklist for credit administration employees to perform a financial analysis and develop a customer accounts receivable (A/R) profile? Has the checklist been aligned with company sales and cash requirement goals and objectives? Has the checklist been approved by senior executives from sales, treasury, and finance?
• Are peer reviews established to sample and validate that the appropriate level of source documentation, analysis, and decisions has been made regarding extending customer credit and completing customer profiles? Are the results of the reviews documented?
• Does the credit manager review monthly aging schedules or listings of past due customer accounts and investigate unusual items on a timely basis?
• Are management reviews performed when there are requests to place a customer on credit hold or extend credit beyond approved limits?

Control Objectives and Activities
Complete
• Financial analysis is performed to match customer A/R credit limits, terms, and conditions with the customer's financial profile. If they do not match, provide alternatives to the customer in the form of a letter of credit and/or financing arrangements. Update the A/R customer credit terms and conditions in the A/R database.
• When contacted by collections, financial analysis is performed on slow-paying customers to place them on credit watch, provide for them as part of the allowance for doubtful accounts, and/or write off. Update the A/R customer credit terms and conditions in the A/R database.
• Analyze the customer database to inactivate the credit limits of those customers who have not had sales activity for one year or more.
Authorize
• Only authorized personnel may review and approve a customer's financial profile for A/R credit limits, terms, and conditions.
• At least on a quarterly basis the role owner reviews the list of employees who have access to the A/R database system to ensure that only authorized individuals have access and that appropriate segregation of duties exists within A/R functional areas.
Segregation of Duties
• Segregation of duties exists between employees who review a customer's A/R profile, establish A/R credit limits, and grant A/R terms, and those A/R employees who perform collection and/or cash application.
Key Measures
• A/R turnover measured as total sales on credit divided by average accounts receivable
• Percent of credit versus cash sales
• A list comparing existing customer credit limits granted to outstanding customer sales and allowance for doubtful accounts
• A root-cause analysis between the credit analysis performed and those customers whose A/R balances are provided for within the allowance for doubtful accounts and/or where customer A/R balances have been written off

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:
PROCEDURE C02E

Reference Policies and Procedures
• Cash and Banking
• Cash and Marketable Securities
• Journal Entries
• Account Reconciliation

Flowchart (input/process/output diagram). Inputs: Review Status of Cash in Banks; Bank Reconciliations; Forecasted Statement of Cash Flows; List of Approved Investment Vehicles and Approvers. Process: Review Cash Requirements; Excess Cash? (No: Continue to Monitor Cash Position; Yes: Invest Excess Cash); Record and Monitor Investment Position; Month End Review, FMV Analysis; Sell? (No: Continue to Monitor Investment Position; Yes: Deposit Cash in Bank and Update Cash Records); Update the Portfolio Database. Outputs: Investment Portfolio Spreadsheet/Database; Journal Entries and Posting to General Ledger; Reconciliations and Quarter End Disclosures.

Internal Controls Procedure No. C02e
Section: Accounting and Finance
Cash and Marketable Securities
Department Ownership:
Issue/Effective Date:
Replaces previously issued:

Readiness Checklist
• Are there defined cash and banking, investment and marketable securities policies and procedures?
• Are employees trained on cash and banking, investment and marketable securities policies and procedures?
• Is there clear delegation of authority from the treasurer to those who have authority to invest, monitor and dispose of excess cash?
• Are the banks given a list of authorized signatories and promptly notified when the list changes? Are there separate signatory lists for the deposit and withdrawal of funds? Are the banks instructed not to cash checks or other instruments from unauthorized individuals?
• Is there an authorized, defined, and documented database for the recording and monitoring of excess cash and marketable securities?
• Are there separate general ledger accounts or subaccounts for each bank account?
• Are bank accounts and marketable securities reconciled monthly? Are the differences in the reconciliation investigated and corrected on a timely basis? Are the reconciliations reviewed and approved by the appropriate level?
• If end-user computing (EUC) spreadsheets are used, are they in compliance with EUC review and approval procedures?

Control Objectives and Activities
Complete
• The investment portfolio spreadsheet monitors investment, changes in fair market value, movement of currency from one type of security to another, and disposal of investment. Observe the maintenance and use of the investment portfolio.
• All investments are recorded, monitored and tracked in the investment portfolio spreadsheet. Observe to ensure there are no side databases or repositories. Select a sample set of transactions to trace back to source documentation.
Accurate
• At least monthly, the current fair market value of the investment portfolio is monitored and reviewed to ensure that decisions regarding changes in fair market value are made on a timely basis. Review findings of peer reviews of the self-assessment checklists.
• Formula accuracy within the investment portfolio spreadsheet is validated each month as confirmed with peer-to-peer reviews. Select the quarter-end spreadsheets for review and compliance with the end-user computing review and approval process.
• Financial information is appropriately presented and includes all information that is necessary for fair presentation and compliance with generally accepted accounting principles (GAAP), including disclosure for realized and unrealized gains/losses, liquidation, and impaired marketable securities. Review the treasury policies and procedures to ensure they are complete, accurate, approved and communicated.
Authorize
• Investments are authorized and are within established limits as defined by the delegation of authority. Excess cash is invested based on the limits as defined by the cash and marketable securities policy and procedures. Review monthly financial reports and select a grave-to-cradle sample for review and audit.
• Once approved, delegated individuals may transfer excess cash to authorized marketable security accounts. All transactions must be authorized and documented. Review checklists for complete, accurate, and authorized transactions.
• The treasurer reviews and approves all investment-related journal entries and supporting documentation, including transfers, purchases, sales, interest income, realized gains and losses, and unrealized gains and losses and the associated tax effect, evidenced by a signature and date. Review journal entries for accurate account coding, supporting documentation and timely processing.
• The treasurer reviews and approves the quarterly disclosures provided to external reporting for submission to the company's 10Q and 10K. Review the quarter-end submission, supporting documentation, and audit trail.
Reconciliation
• Monthly, the movement of cash between bank accounts and marketable security accounts is reconciled. Monthly, the investment portfolio account balance is reconciled to the transactional activity that occurred during the month. Select reconciliations to ensure appropriate analysis, supporting documentation, review, and approval signatures.
• At least on a quarterly basis, the treasurer reviews the investment portfolio, including money market funds, to ensure that it continues to comply with the investment limits as defined within the cash and marketable securities policy and procedure.
Key Measures
• List and aging summary of the types of investments held by the company, country, and currency of the investment
• Return on investment for the portfolio and each investment
• Fair market value realized and unrealized gains and losses
• Gains and/or losses on disposal or movement of cash within marketable investments

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:
PROCEDURE C02F

Reference Policies and Procedures
• Financial Planning and Analysis
• Key Financial Indicators

Flowchart (input/process/output diagram). Inputs: External Governance; Economic Indicators; BOD, Executive Management Direction, Priorities; Industry and Competitive Comparisons; Business Unit Strategic Direction, Plans; Historic and Current Performance. Process: FP&A Assessment and Plan Guidance, Targets; Rollout to Business Units; Business Unit Assessment and Plan Input; BU Approve? (Yes/No); FP&A Consolidates the Input; Meet Targets? (Yes/No); Consolidated Plan to Executive Management, BOD; Approve? (Yes/No). Output: To the Business Units to Update Reporting Systems.

Internal Controls Procedure No. C02f
Section: Accounting and Finance
Financial Planning and Analysis
Department Ownership:
Issue/Effective Date:
Replaces previously issued:

Readiness Checklist
• Are there documented policies and procedures for determining the plan guidance, instructions, and targets?
• Have employees been trained as to the rules, regulations, and information technology (IT) systems regarding this topic?
• Is there a budget schedule with enough time allotted for adequate assessment and reviews before the plan has to be finalized?
• Are periodic meetings held to discuss the methodology and calculations to be used in establishing departmental budgets and procedures for measuring performance? Are these meetings documented with an agenda, minutes, and action items?
• Are accounts properly categorized and classified so that the summary of the details is consistent with financial statement reporting?
• If end-user computing (EUC) spreadsheets are used, are they in compliance with EUC review and approval procedures?

Control Objectives and Activities
Complete
• Review process checklists to ensure that all business units, functional departments, and operational business activities have submitted budget input.
• Account classification and budget reports are consistent with other financial statements and reports. Review variance analysis and sample selected accounts.
• Compare a list of approved capital project requests, whether in progress or not yet started, to ensure that they are included and properly classified within the budget process.
Accurate
• Review the budget instruction and guidance to ensure that it advises compliance with generally accepted accounting principles (GAAP), period-over-period consistency, and use of current and historic performance, and is normalized for one-time events. Monitor the effectiveness of budget and forecast accuracy, noting how feedback is used to improve the budget process.
• Review actual-to-plan variance analysis for reasonable explanations. Select sample variances to determine the accuracy of the explanations.
Authorize
• Review business unit input to financial planning and analysis to ensure that the business unit manager and his/her financial controller have reviewed and approved the input prior to submission. Review the agendas, minutes, and memos of budget-related meetings to ensure an appropriate level of due diligence has been applied.
• To ensure that an appropriate level of due diligence has been applied before the budget is submitted to the board of directors for final approval, review senior management agendas, minutes, and memos related to internal review and approval of the annual budget and quarterly forecasts.
Information Technology Controls
• Within the budgeting application, system control totals are used to ensure complete and accurate processing of budgeting input. Review the design of the application and match it to the control totals.
Key Measures
• Variance to plan and forecast accuracy by line item
• Achievement of budgeted performance and key performance indicators

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:

PROCEDURE C02G

Reference Policies and Procedures
• Fixed Assets; Long-Lived Assets; Property, Plant and Equipment
• Physical Inventory
• Journal Entry
• Account Reconciliation

Flowchart (input/process/output diagram). Inputs: Request for Additions, Deletions, Changes to the Fixed Asset File; Supporting Documentation from the Business Unit; Fixed Asset Database. Process: Review, Analysis; Analysis of Fixed Asset File; Review G/L Entries and Analysis of Construction in Progress Account; Compliance with Policies and Procedure; Documented Authorization, Correct Account Coding; Okay to Update Fixed Asset Database? (Yes: Process Updates to Fixed Asset Database; No: Resolve or Expense); Journal Entries; Analysis: FMV, ARO, Disclosure; Reconciliation. Outputs: Update Fixed Asset Database; Inquiry, Reports and Analysis; Measurements, Reports, Metrics, Disclosure.

Internal Controls Procedure No. C02g
Section: Accounting and Finance
Fixed Assets, Long Lived Assets, Property, Plant and Equipment – Capitalized Assets
Department Ownership:
Issue/Effective Date:
Replaces previously issued:

Readiness Checklist
• Are there documented company policies and procedures?
• Have differences between local jurisdictions and the company policy and procedure (e.g., differences due to generally accepted accounting principles [GAAP] and/or tax regulations) been documented, approved, monitored, and tracked?
• Since fixed-asset recording affects all areas of the business, is there education and training for business unit representatives as well as accounting and finance employees?
• Are there approved forms for the addition, movement, and disposal of fixed assets?
• Are peer reviews established to sample and validate collection techniques taken and updates to the fixed-asset database? Are the results of the reviews documented?
• Is there a fixed-asset physical inventory schedule to validate the existence of fixed assets?
• Are management reviews and approvals performed for write-offs or adjustments?
• If end-user computing (EUC) spreadsheets are used, are they in compliance with EUC review and approval procedures?

Control Objectives and Activities
Complete
• To capture unrecorded fixed assets, the fixed-asset manager or designee reviews activity posted to specific general ledger expense accounts (e.g., office, information technology [IT], and repair and maintenance) to identify activity that meets or exceeds local capitalization thresholds. The review is documented through a monthly signed journal entry with support of items that need to be capitalized.
• The fixed-asset manager or designee reviews the construction in progress (CIP) and/or clearing account to determine whether purchases should be capitalized or expensed.
• Review the balance in the CIP account and the policy and procedure for capitalization versus expense.
Accurate
• All transactions posted to the fixed-assets subledger are valid, accurate and reconciled to the general ledger. Peer-to-peer review is performed of the self-assessment checklists prepared by the fixed-asset analyst to record additions, changes, and deletions from the fixed-asset database. Select a sample of checklists to review for completeness, accuracy, and authorization.
• Capitalized amounts for fixed assets are consistent with company-approved capitalization limits and policies. Review the company policy and procedure for fixed assets for period-over-period comparison and compliance with GAAP. Review for consistency of application between geographic areas.
• Fixed assets are coded to the appropriate asset classification account, and depreciation begins when the asset is in service. Review asset categories and the types of assets coded to the account. Review the depreciation schedule and compare it to company policy.
Authorize
• The fixed-asset department forwards a list of all CIP to the respective business unit areas (e.g., real estate, facilities, IT), which respond with a confirmation of completed and placed in service. The review is evidenced by the fixed-asset manager's approval signature. Trace the responses received to the preparation and posting of journal entry reclassification of assets. Select a grave-to-cradle sample set of transactions to trace back to source documentation.
• The fixed-asset manager reviews and approves, as evidenced by signing and dating, the journal entries used for posting depreciation entries to the general ledger.
• The fixed-asset manager reviews and approves the quarterly disclosures provided to external reporting for submission to the company's 10Q and 10K. Review the quarter-end submission, supporting documentation, and audit trail.
Reconciliation
• Fixed-asset records include details as to description and identification of the asset, location, acquisition date, vendor, date placed into service, cost of asset, depreciable life, tax depreciable life (if different), salvage or end-of-life value and appropriate general ledger accounts. Items that are incomplete are flagged as reconciling items. Review the fixed-asset database to ensure the complete and accurate recording of data.
• The fixed-asset manager reviews, approves, signs, and dates the reconciliation of general ledger balances to the accumulated depreciation subledger on a monthly basis. Review reconciliations for accuracy, timeliness, and resolution of unreconciled items.
• Review the reconciliation of the CIP and/or clearing account. Select recently completed projects and trace the transactional activity into CIP and from CIP to its final account classification.
Safeguard Assets
• A physical inventory count process is documented, planned, communicated, and executed. Review the plan and results of the physical inventory. Sample test the physical inventory count.
• Fixed assets are reviewed for existence and valuation to reconcile book balances to the physical asset balances. The fixed-asset manager or designee conducts a periodic physical inventory count of fixed assets and reconciles the findings to the fixed-asset subledger. Variances, if any, are researched, reviewed, approved, signed, and dated appropriately.
• The fixed-asset manager or designee reviews and approves, as evidenced by signing and dating, the journal entries used to record adjustments to the general ledger due to variances identified during the physical inventory.
Segregation of Duties
Segregation of duties exists and is maintained between employees who have update or maintenance access to the fixed-asset database and those employees who:
• Have access to process vendor invoices (i.e., accounts payable).
• Post goods receipts against the purchase order (i.e., receiving department, procurement, or the business area).
Information Technology Controls
• Access is restricted to authorized personnel via a system feed from the human resource database, identifying those active employees who require access based on their job responsibilities and others as per management approval. Review the process to ensure that current HR database files are used. Validate and test the criteria used to assign responsibility and grant fixed-asset database access.
Key Measures
• Fixed assets aging file
• Fixed-asset rollover analysis identifying additions, deletions, depreciation, and adjustments to the fixed-asset database
• Return on assets, return on investment

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:
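The segregation-of-duties pairs listed in the cash applications (C02b), collections (C02c), credit administration (C02d) and fixed-asset (C02g) test guides, together with the fixed-asset guide's rule that access is driven by the active-employee feed from the HR database, can be checked mechanically against a system's access listing rather than only by observation. The Python below is an added example and is not part of this book or any vendor's product: the privilege names, employee ids, access listing and HR feed are all constructed for illustration and would be mapped to the real system's roles or transaction codes. It generalizes slightly beyond the text by encoding the rules from several guides in one table.

```python
"""Added example (not from the book): mechanical segregation-of-duties and
orphaned-access check over a constructed access listing.

Privilege names, employee ids and the HR feed below are constructed for
illustration; map them to your own system's roles or transaction codes.
"""
from typing import Dict, List, Set, Tuple

Rule = Tuple[Set[str], Set[str]]

# Each rule pairs two privilege groups that the test guides say must not be
# held by the same employee. Holding any privilege from BOTH groups is a conflict.
SOD_RULES: Dict[str, Rule] = {
    # C02b: prepare the bank reconciliation vs post cash / general ledger / subledgers
    "bank_recon_vs_posting": (
        {"prepare_bank_reconciliation"},
        {"post_cash", "post_general_ledger", "post_subledger"},
    ),
    # C02b: authorize or validate returns vs apply cash or adjustments to A/R
    "returns_vs_ar_application": (
        {"authorize_returns", "validate_return_received"},
        {"apply_cash", "apply_ar_adjustment"},
    ),
    # C02b: authorize an A/R adjustment vs apply it
    "authorize_vs_apply_adjustment": (
        {"authorize_ar_adjustment"},
        {"apply_ar_adjustment"},
    ),
    # C02b: deposit cash receipts vs withdrawal privileges
    "deposit_vs_withdraw": ({"deposit_cash"}, {"withdraw_cash"}),
    # C02c/C02d: set credit limits and terms vs collect, apply or reconcile A/R
    "credit_vs_collection": (
        {"set_credit_limit", "grant_ar_terms"},
        {"collect_payments", "apply_cash", "reconcile_ar"},
    ),
    # C02g: update the fixed-asset database vs process vendor invoices / post goods receipts
    "fixed_asset_vs_ap_receiving": (
        {"update_fixed_asset_db"},
        {"process_vendor_invoice", "post_goods_receipt"},
    ),
}

# Constructed access listing: employee id -> privileges currently granted.
ACCESS_LISTING: Dict[str, Set[str]] = {
    "e1001": {"prepare_bank_reconciliation", "post_cash"},        # conflict
    "e1002": {"apply_cash", "apply_ar_adjustment"},               # clean
    "e1003": {"authorize_ar_adjustment", "apply_ar_adjustment"},  # conflict
    "e1004": {"deposit_cash"},                                    # clean
    "e1005": {"set_credit_limit", "collect_payments"},            # conflict
    "e1006": {"update_fixed_asset_db", "post_goods_receipt"},     # conflict
    "e2001": {"apply_cash"},                                      # no active HR record
}

# Constructed HR feed of active employees (C02g: access is driven by this feed).
ACTIVE_EMPLOYEES: Set[str] = {"e1001", "e1002", "e1003", "e1004", "e1005", "e1006"}


def find_sod_conflicts(access: Dict[str, Set[str]],
                       rules: Dict[str, Rule] = SOD_RULES) -> List[Tuple[str, str, Set[str]]]:
    """Return (employee, rule name, offending privileges) for each employee who
    holds at least one privilege from each side of a rule."""
    conflicts: List[Tuple[str, str, Set[str]]] = []
    for emp, privs in sorted(access.items()):
        for name, (left, right) in rules.items():
            hit_left, hit_right = privs & left, privs & right
            if hit_left and hit_right:
                conflicts.append((emp, name, hit_left | hit_right))
    return conflicts


def find_orphaned_access(access: Dict[str, Set[str]], active: Set[str]) -> List[str]:
    """Accounts that still hold privileges but are absent from the active HR feed."""
    return sorted(emp for emp in access if emp not in active)


def access_review_report(access: Dict[str, Set[str]], active: Set[str],
                         rules: Dict[str, Rule] = SOD_RULES) -> Dict[str, object]:
    """Evidence a role owner can sign and date for the periodic access review."""
    conflicts = find_sod_conflicts(access, rules)
    orphans = find_orphaned_access(access, active)
    return {"sod_conflicts": conflicts, "orphaned_accounts": orphans,
            "clean": not conflicts and not orphans}


if __name__ == "__main__":
    report = access_review_report(ACCESS_LISTING, ACTIVE_EMPLOYEES)
    for emp, rule, privs in report["sod_conflicts"]:
        print(f"SoD conflict: {emp} breaks {rule}: {sorted(privs)}")
    for emp in report["orphaned_accounts"]:
        print(f"Orphaned access: {emp} has no active HR record")
    print("clean" if report["clean"] else "findings require remediation")
```

Run against an export of the real access listing at the same cadence the guides prescribe (monthly for cash applications access, at least quarterly for the A/R and intercompany databases); the report is the artifact the role owner reviews and signs, and any conflict or orphaned account becomes a remediation item rather than an observation left to memory.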
C02g Section: Accounting and Finance Page 4 of 4 Fixed Assets, Long Lived Assets, Property, Plant and Equipment Capitalized Assets Department Ownership Issue/Effective Date: Replaces previously issued C02g.indd 182C02g.indd 182 8/25/08 2:44:32 PM8/25/08 2:44:32 PM Internal Use Only CONTROL ACTIVITY PROGRAM TESTING GUIDES 183 Reference Policies and Procedures Intercompany Transactions Journal Entries Account Reconciliation Flowchart In pu t Pr oc es s O ut pu t Sending Entity Evaluates, Documents Transaction Negotiates with Receiving Entity Approved? Sending Entity Negotiates or Leaves Expense Where it is Receiving Entity Evaluates, Documents Transaction Sending Entity Prepares Intercompany Invoice Intercompany Invoice Intercompany Database Sending Entity Sends Invoice, Receiving Entity Assess Settlement Okay to Settle? Notify Treasury to Transfer Funds Journal Entries and Update Database Update Database Treasury Recommends Acctg Treatment Intercompany Financing or Change to Equity Intercompany Reports Distribution and Review Monthly Sending and Receiving Entities Reconcile Corporate Accounting: Reconciliation Consolidation and Elimination entries Corporate Accounting: Accounting Treatment Corporate Tax: Intercompany Uplifts, Invoices Corporate Treasury: Settlement and Recording Treatment Quarterly Corporate Accounting: Accounting Treatment, Disclosure A A Yes No Yes No • • • Internal Controls Procedure No. C02h Section: Accounting and Finance Page 1 of 4 Intercompany Transactions – Cross Charges Department Ownership Issue/Effective Date: Replaces previously issued C02h.indd 183C02h.indd 183 8/25/08 2:45:04 PM8/25/08 2:45:04 PM Internal Use Only 184 PROCEDURE C02H Readiness Checklist Are policies and procedures prepared, communicated, and tested for compliance? Are employees trained on the policies and procedures? Have corporate tax and corporate treasury reviewed and approved the intercompany policy, procedure, and guidance? 
Are transfer pricing uplifts included where and as necessary? Are intercompany invoices prepared for all intercompany transactions? Are the intercompany balances cleared as part of the closing process? Are intercompany charges settled promptly? Are withholding taxes and foreign exchange differences processed in accordance with com- pany policies and procedures? Control Objectives and Activities Compliance with Laws and Regulations Review and validate that intercompany agreements are established, reviewed, and approved where and as necessary with local laws and regulations. Review and analyze the Intercompany policy, procedure and instruction to ensure compliance with local laws, regulations and generally accepted accounting principles (GAAP). Validate cross-border treatment with corporate tax and import/export departments. Validate instruction with corporate treasury. Complete Review and analyze the intercompany account general ledger activity for the types and treat- ment of charges. Review corresponding business area activity to ensure the complete, accu- rate, and timely recognition of the intercompany account receivable and payable within both business entities. Local country controllers review account activity to ensure that items eligible for intercom- pany cross-charges are properly documented, reviewed, and approved prior to processing as an Intercompany transaction. Observe the local country controller procedure and review approval process. Review the instruction and checklist for transaction processing cutoffs, consolidation, and intercompany elimination entry processing. Observe and comment on the process. • • • • • • • • • • • Internal Controls Procedure No. 
Accurate
• Review the process for, and select a sample of, transactions to ensure that there are approvals and acceptance from the receiving entity prior to the charges being sent.
• Intercompany invoices are prepared by the entity sending the charge (i.e., the entity holding the intercompany accounts receivable) and submitted to the entity receiving the charge (i.e., the entity obligated for settling the intercompany accounts payable). Verify that the information contained on invoices would satisfy customs and tax audit requirements.
• Review the instruction and observe the practice of clearing intercompany balances.
• Review the calculation and accounting treatment for withholding taxes and/or foreign exchange differences.

Authorized
• Prior to posting intercompany journal entries or sending the intercompany invoice, the entity sending the charge must gain approval from the entity receiving the charge. Authorization is evidenced by signatures and dates.
• The various types of intercompany cross-charges and their related accounting and tax treatment are reviewed by corporate tax, corporate treasury, corporate accounting, and financial reporting, including a source data check, integrity testing, and an output data check. Review the agendas, minutes from meetings, and remedial action items for policy and procedures.
• The intercompany activity is reviewed for compliance with and consistent application of company methodology. The corporate controller reviews, signs, and dates the detailed schedules and financial disclosures. Review the input for financial disclosure and supporting documentation.
Reconciliation
• Review intercompany account reconciliations to ensure account balances are correct with no residual effects due to uplift charges, foreign exchange, or other charges.
• Follow up to ensure that disputes are resolved in a timely manner and that adjustments are documented, approved, and signed.

Information Technology Control
• As a system check, the intercompany database matches the details of the journal entries to ensure that both the sending and receiving entities use the same account classification.
• Intercompany database access is restricted to authorized personnel. On a quarterly basis, the role owner reviews access to ensure that only authorized individuals have access to the intercompany database.

Key Measures
• Number and amount of intercompany transactions processed per period
• Number and aging of unreconciled or disputed items
• Time to reconcile adjustments or resolve disputes
• Time to settle and type of settlement (e.g., cash, financing, equity)

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:
Internal Controls Procedure No. C02i: Raw Materials and Inventory Receipt, Movement, Shipping (Section: Accounting and Finance)

Reference Policies and Procedures
• Raw Materials and Inventory
• Physical Count of Inventory
• Journal Entry
• Account Reconciliation

Flowchart
[Flowchart: Receipt. Input: packing slip. Goods received are matched to the PO and validated for quantity, quality, and amount against the procurement database; if not OK, contact the vendor and cc the PO contact; if OK, store the inventory and update the procurement and inventory databases for goods received.]

[Flowchart: Movement. Input: materials movement request. Confirm the materials are available for movement; if not OK, contact the requester; if OK, arrange for the materials movement and update the inventory database.]

[Flowchart: Shipping. Input: sales order. Confirm the sales order and that materials are available for shipment against the sales order database; if not OK, contact production and notify the sales representative or customer that the goods are on back order; if OK, arrange for the goods to be shipped and update the sales and inventory databases.]
[Flowchart: Physical Count. Input: physical count schedule. Run the physical count program per schedule or request, execute the physical count process, and document the results; if not OK, investigate and reconcile; if OK, document and update the inventory database.]

[Flowchart: Disposition. Input: identified excess and obsolete inventory. Evaluate whether it is ready for disposal; if not, segregate the inventory and update the database; if so, treat it as identified waste and scrap, physically dispose of the product, and update the inventory database.]

Readiness Checklist
• Are there documented company policies and procedures that address the purchase of raw materials and inventory, maintaining materials and inventory, material and inventory movement, and material and inventory disposition?
• Are related personnel appropriately trained as to their roles and responsibilities?
• If end-user computing (EUC) spreadsheets are used, are they in compliance with EUC review and approval procedures?
• Are only approved employees allowed access to the inventory database?
• Do all materials and inventory received have an approved purchase order?
• When materials and inventory are received, are they reviewed for quality, quantity, and accuracy against the purchase order?
• Is the materials and inventory database promptly updated to reflect receipt and storage location?
• Are nonconforming materials and inventory rejected for receipt or returned to the vendor as soon as practicable?
• Is material and inventory movement through the production and distribution cycles accurately and promptly recorded?
• Are physical counts of the inventory conducted throughout the year and in accordance with company procedures?
• Do all goods shipped have an approved shipping order?
• Prior to materials and inventory being shipped, are they reviewed for quality, quantity, and accuracy against the shipping order?
• Is the materials and inventory database updated to reflect goods shipped?
• Are defective, excess, and obsolete materials and inventory properly segregated prior to disposal? Is the materials and inventory database updated promptly?
• Is the inventory management process evaluated for effectiveness and efficiency of operations?
• Are certificates of destruction retained for material and inventory disposal?
• Are peer or self-assessment checklists used for inspecting and receiving materials and inventory, and for shipping and outgoing materials and inventory?

Control Objectives and Activities

Complete
• Review inspection reports for completeness, accuracy, and timely processing of goods received. Review peer-to-peer checklists for the review and acceptance of incoming products.
• Review and observe the treatment of non-company-owned inventory, e.g., that materials and inventory held on consignment or on behalf of a customer are recorded.
• Review and observe that materials and inventory identified for waste or scrap are segregated and recorded.
• Outgoing inventory must be inspected for quality and consistency with the sales order/shipping request prior to shipment. Review peer-to-peer checklists for the review of outgoing products.
• Review certificates of destruction or disposal and confirm that the inventory has been relieved from the inventory records in accordance with approved procedures.

Accurate
• Review the accuracy and completeness of inventory records to trace inventory movement from cradle to grave. Inventory records shall include the product or identifying number, product name or description, vendor, date received, purchase order reference, quantity, price per unit, identifier of the person receiving the inventory, and warehouse location where the inventory is stored.
• Within the materials movement module of the inventory database, information is collected about who requests the move, the date, and the new location of the product.
• Within the outgoing module of the inventory database, each inventory record is updated to reflect the customer name and/or customer number, date and quantity shipped, shipping carrier or reference number, and sales order reference.

Timeliness
• Observe the use of bar code scanning equipment to collect and record information within the inventory database.
• Review and observe that inventory received by the company at the end of the accounting cycle and not recorded in the inventory database is accrued according to the company's accrual policy and procedure. Sample test end-of-month and beginning-of-month materials and inventory receipts to ensure appropriate period recognition and timing.

Information Technology Controls
• Access to the inventory database is controlled.
• Control totals are used to ensure complete recording of transactions. Ensure that the instruction for and the actual use of control totals are incorporated at appropriate control points and serve as appropriate control indicators.
• Increases and decreases to inventory volumes and values trigger reports used in journal entry preparation.
• Where and as possible, there is an automated process to record incoming and outgoing inventory tracking. Where and as possible, there is an automated process to record materials and inventory movement through the production cycle.
• Select a sample to review, trace, and match materials and inventory movement through data processing and journal entry reports.

Reconciliation
• Review and analyze reconciliations of inventory identifying incoming, movement, disposition, and shipment by product class and amount.
• Review and analyze reconciliations between cost of goods sold (i.e., inventory database) and the shipment of inventory (i.e., sales order database).
• Review and analyze reconciliations between incoming packing slips (i.e., goods receipt in the procurement database) and inventory received and recorded in the inventory database and with approved and completed purchase orders.
• Review and analyze reconciliations between (1) outgoing shipping reports and inventory shipped and (2) inventory recorded in the inventory database and approved sales orders.
• Segregation-of-duties tests are performed by observing roles and responsibilities and reviewing documented flowcharts and/or procedures.
Segregation of duties exists between employees who:
• Authorize the acquisition of materials and inventory and those who receive it or have custody over it
• Receive and have custody over materials and inventory and those who authorize the acquisition, movement, or disposal of it
• Have physical custody of materials and inventory and those who are responsible for the accounting, record keeping, and reconciling of it

Safeguarding Assets
• Observe the designated receiving area and process to ensure the complete and accurate recording of the transaction into the appropriate databases.
• Observe the designated shipping area and process to ensure the complete and accurate recording of the transaction into the appropriate databases.
• Review and observe the physical and accounting treatment for materials and inventory as they are received as incoming, moved between departments or warehouses, and released for shipment or outgoing.
• Observe the physical counting of inventory and sample check the counts.
• Confirm that materials and inventory are properly insured by the company and that materials and inventory held on behalf of vendors and/or customers are included within the company's insurance.
• Observe and confirm that access to the warehouse is secure.
• Confirm that the inventory is properly protected against damage, theft, and misappropriation.
Key Measures
• Inventory aging and status reports
• Inventory movement compared with sales forecast
• Shipped not billed
• Billed not shipped
• Reserve and actual units and amounts assigned to excess and obsolete materials and inventory
• Reserve and actual units and amounts assigned to scrap and waste materials and inventory

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:

Internal Controls Procedure No. C02j: Journal Entries and Non-Routine Transactions (Section: Accounting and Finance)

Reference Policies and Procedures
• Journal Entries and Nonroutine Transactions
• Account Reconciliation

Flowchart
[Flowchart: Journal Entries and Nonroutine Transactions, input/process/output. Input: operational, transactional source data and source documents/data. Assess the need for a journal entry; if none is needed, document and file that no accounting entry is required. If the entry matches the accounting guidance (policies and procedures, account codes), prepare and submit the journal entry for approval and document the supporting evidence; if approved, post to the general ledger, otherwise conduct additional research or clarify the source data. If the entry does not match the guidance, conduct research, document findings, and gain approval for the accounting treatment from the chief accounting officer; once approved, document and update the accounting guidance and proceed to prepare the entry.]
Readiness Checklist
• Are there documented policies and procedures?
• Have employees been trained as to the rules, regulations, and information technology (IT) systems regarding this topic?
• Does the company have a chart of accounts with definitions and instructional guidance as to accounting treatment for each account?
• Does the company map accounts at the detail level to classification and presentation within the financial statements?
• Is there review and approval control over the establishment, change, and withdrawal of accounts?
• Is the accounting guidance, including a chart of accounts and account codes, made available to employees who have to assess, prepare, review, and/or approve journal entries?
• If end-user computing (EUC) spreadsheets are used, are they in compliance with EUC review and approval procedures?
• Do all journal entries include review, approval, and supporting documentation?

Control Objectives and Activities

Complete
• Journal entries, including standard and nonstandard journal entries and other adjustments, are complete, exist, and are accurate. Select a sample of journal entries and review them for completeness and accuracy, including the attachment of or reference to supporting documentation. Review peer-to-peer documented reviews of selected journal entries.
• Management shall ensure that these journal entries are initiated, authorized, recorded, and processed appropriately in the general ledger. Select a sample of journal entries and review them for management review and authorization.
• A selected sample of account balances is traced back (i.e., grave-to-cradle sampling) to the source documentation to ensure accurate, complete, and timely reporting.
• An accounting schedule is communicated to those who have to prepare, review, and approve journal entries.
• Review accounting instructions and guidance for completeness, accuracy, and compliance with GAAP.

Accurate
• All journal entries are balanced, with debits equaling credits.
• Only valid and authorized account codes are eligible and accessible for use.
• Select a test sample of journal entries and review to ensure that the appropriate level of supporting documentation, review, and approval was performed.
• Journal entries are accurate, initiated, authorized, recorded, and processed appropriately in the general ledger.
• Accruals are adequate, accurate, have adequate support and approvals, and are recorded in the appropriate accounting period. Select a sample and review calculations and accounting treatment.

Authorized
• Only authorized employees have access to prepare, review, approve, and/or post journal entries. A list of approved employees is maintained by financial reporting.

Reconciliation
• Accounts are reconciled or analyzed in detail to ensure that account balances are correct and recorded in the proper period.

Information Technology
• If journal entries are prepared using IT applications, there are controls to ensure that only complete, accurate, and timely journal entries are processed for a given period. Select a sample and conduct a walkthrough of the transaction through the technology process.
• Ensure that only accurate account codes are used for journal entries. Review and analyze the company's chart of accounts and general ledger.
• Data entry loads or journal entries are accurate, initiated, authorized, recorded, and processed appropriately in the general ledger.

Key Measures
• Control totals are reconciled when the financial statements are prepared
• Clearing accounts and suspense accounts are reconciled prior to the closing of the financial statements
• Timing of journal entry recording is compared to the accounting schedule
• Journal entry volumes and amounts are monitored and tracked
• Number of journal entries per authorized preparer and approver
• Volume and amount of standard recurring journal entries and correcting entries

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:

Internal Controls Procedure No. C02k: Payroll (Section: Accounting and Finance)

Reference Policies and Procedures
• Account Reconciliation
• Bank Reconciliation
• Cash and Banking
• Payroll/Salary and Payment Authorization
• Escheat

Flowchart
[Flowchart: Payroll, input/process/output. Inputs: employee information from human resources, tax jurisdiction information from the tax department, and input/funding from treasury, each passing through input/output controls. Process: payroll processing, updates to employee files, payroll disbursement, journal entries, and payroll processing reports (exceptions are handled as manual payroll). Outputs: payroll disbursed to employees and posting to the general ledger, with controls, review, reconciliation, and investigation at each stage, including data changes.]
Readiness Checklist
• Are there documented policies and procedures?
• Have employees been trained as to the rules, regulations, and information technology (IT) systems regarding this topic?
• Have samples of the input been traced back to the source documents and verified as complete and accurate? Is there a strategy for collecting and reviewing the samples and for documenting the remediation plans and actions?
• Are there system-related IT controls embedded into the design of the feeds from human resources and to/from the payroll calculation and payment system? Are the results of the reviews documented?
• If end-user computing (EUC) spreadsheets are used, are they in compliance with EUC review and approval procedures?
• Are the roles and responsibilities segregated between those who (1) establish or approve payroll for those eligible for payroll and (2) process payments?
• If payroll is outsourced, is there a valid SAS 70 on file with the payroll department? Has the company conducted test sampling to ensure that controls, reviews, and audits are performed at the outsourced location where the company's payroll is processed? Are results documented?
• Are employees asked to verify payroll and banking information at least annually?
• Are employee payroll disputes logged, monitored, and resolved in a timely manner?

Control Objectives and Activities

Compliance with Laws and Regulations
• Review the process to ensure appropriate accounting treatment and reporting of those payroll checks required to be segregated for escheat treatment. Review accounting treatment and escheat reporting.
• Review processing procedures where local jurisdictional laws and regulations are different from company standard practice.
• Review and reconcile tax and jurisdictional reporting with actual payroll amounts.
• Ensure the appropriate recording and payment of nonstandard requirements.

Complete, Accurate, and Timely
• Payroll processed or paid is accurate and complete. Payroll is calculated based on approved rates and formulas input to the payroll system, including additional pay and deductions.
• Review and analyze period-over-period control totals and variances to planned spending.
• Select samples and follow the process from time recording to calculation to payroll disbursement.
• Review and analyze the timing of funds transfers between company bank accounts to cover payroll.
• Review employee dispute logs to ensure timely, accurate resolution, root-cause analysis, and continuous improvement to the payroll process.

Authorize
• Review and analyze payroll policy, procedures, and instructions for processing payments.
• Manual checks are authorized and approved by two authorized signatories as named within the treasury guidelines. Observe and review the manual check process. Select a sample of checks and validate the calculation, management review, and authorized signatories.
• Review all journal entry methodology, including expense, liabilities, and cash produced for payroll processing. Select sample journal entries for review of supporting documentation and processing of the transactions.

Reconciliation
• Bank reconciliation of the payroll processing account is performed after each payroll check run. Select a bank reconciliation and review it for accuracy, management review and authorization, and appropriate journal entry treatment.
• Review the processing and reconciliation trail by following totals and selected samples through the transaction, review, and approval cycle. For example, review the process which calculates and disburses payroll through to the recording and posting of journal entries and finally the clearing of cashed payroll checks to the bank statements.

Safeguard Assets
• Check paper stock and signature plates are retained in a locked safe with limited access by authorized personnel. Perform a physical inspection of these assets.
• Segregation-of-duties tests are performed by observing roles and responsibilities and reviewing documented flowcharts and/or procedures. Segregation of duties exists between employees who:
  • Have access to systems and those who process the data
  • Have access to employee master data, identifying eligible employees and approved pay rates
  • Authorize and input data
  • Approve and oversee changes to data or system maintenance and those who input or process the data
  • Review and reconcile reports

Information Technology Controls
• Review access controls and the list of authorized employees between the company's payroll system and human resource employee records.
• IT processing and calculation controls are built into the payroll calculation, which identifies amounts in excess of approved thresholds. Review and analyze IT control logs.
• Review and analyze selected system control reports and follow the process to resolve issues on exception reports.
• If any part of the process is outsourced, review the SAS 70 report provided to the company to ensure that the outsource provider has adequate internal controls in place. Select samples to ensure consistent processing of information.
Key Measures
• Establish payroll processing performance measures (e.g., number of payroll checks processed versus number of payroll employees)
• Number of payroll-related processing errors per run
• Number and percent of manual or out-of-process checks issued

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:

Internal Controls Procedure No. C02l: Procurement (Section: Accounting and Finance)

Reference Policies and Procedures
• Procurement
• Accounts Payable – request payment to third-party vendors

Flowchart
[Flowchart: Purchase Order, input/process/output. Input: approved purchase order. Procurement evaluates the vendor against the vendor master module; if not OK, research, evaluate, and negotiate with a new vendor. Place the order; if there is no catalog match (catalog module), research, evaluate, and negotiate the product and/or services, running the request-for-price process where an RFP is required. The purchase order module records the order; the requester records goods receipt and the database is updated.]

Readiness Checklist
• Are there documented policies and procedures?
• Have employees been trained as to the rules, regulations, and IT systems regarding the procurement system?
• Are procurement transactions supported by appropriate documentation: purchase requisition, purchase order, receiving reports, and evidence to support price competition?
• Do vendors undergo a qualification and review process before being accepted as a company-approved vendor?
• Does the review include a review of their financial position, quality of their product and/or service performance, and approval of the vendor contract terms and conditions, if different from the company's terms and conditions?
• Are there system-related IT controls embedded into the design of system feeds from procurement to/from the payment distribution system? Are the results of the reviews documented?
• Are purchase orders or remaining balances on purchase orders cleared at least annually?
• If procurement activity is outsourced, is there a valid SAS 70 on file? Has the company conducted test sampling to ensure that controls, reviews, and audits are performed at the outsourced location where the company's procurement activity occurs? Are the results documented?
• Are incomplete and unfilled purchase orders (POs) aged and tracked for resolution or closure?

Control Objectives and Activities

Compliance with Laws and Regulations
• Review the process to ensure that vendor qualification requires processing through the government databases to ensure the company may conduct business with and provide payment to the approved vendor.

Compliance with Contract Terms and Conditions
• Review and ensure all vendors have valid procurement contracts and, where there are nonstandard terms and conditions, that those contracts have additional finance and legal approval.

Complete
• Walk through and observe the purchase requisition to purchase order process. Select a sample of approved POs and review for accuracy, completeness, and timeliness of processing.
• Walk through and observe the goods receipting process and the closing of open POs by requesting departments. Select a sample and review for accuracy, completeness, and timeliness of processing.

Accurate
• Review procurement activity reports and performance measures to ensure accurate, complete, timely reporting. Review remediation actions and plans.
• Review the chart of accounts and the application of the account assignment on approved POs.
• Review exception reports from accounts payable (A/P) signaling quantity and quality differences between the PO and the invoice. Select a sample and review for resolution, remediation, and action plans.

Authorized
• Select a sample of POs and review for completeness, accuracy, and authorization. Review that POs are placed with qualified and approved vendors.
• Select a sample of changes to POs and validate accuracy and preauthorization.
• Review exception reports and remediation plans for POs placed after the goods and/or services have been received.
• Observe and walk through the vendor qualification process. Review and analyze vendor performance reports, vendor site visit reports, and remediation action plans.
• Review exception reports and remediation plans for POs placed with unqualified vendors or for unauthorized products or services.
• Segregation-of-duties tests are performed by observing roles and responsibilities and reviewing documented flowcharts and/or procedures.
Segregation of duties exists between employees who have access to:
• Vendor master data and maintenance (owned by the procurement department) and employees who have access to process vendor invoices (A/P department)
• Requesting goods and/or services via a PO (owned by the procurement department) and employees who place the order with the vendor
• PO approval (performed by the business area requesting the goods and/or services) and employees who have access to process vendor invoices
• Negotiating the contract terms and conditions with the vendor (procurement professionals) and the employee who requests the goods and/or services
• Processing vendor invoices and employees who have access to goods receipt on a PO (performed by the receiving department or the business area requesting the goods and/or services)

Information Technology Controls
• In accordance with company policy and procedure, and at least quarterly, the file share owner(s) perform a documented review of procurement system and file share access to ensure access is restricted to authorized personnel. The review should compare the access actually granted against the current list of authorized personnel and record any removals.
• Additional procurement system controls are designed which:
  • Do not allow changes to the purchase order during the goods receipt process (e.g., changes to the products or services ordered, quantities, and/or amounts as previously approved).
  • Track the remaining balance of blanket purchase orders with recurring payments and close the PO when the balance becomes zero.
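The segregation-of-duties tests above (and the equivalent lists in the revenue recognition and retail sales order guides that follow) are usually performed by observation and flowchart review; the same conflicts can be checked mechanically against the access the systems actually grant. The following is an added example written for this edition, not code from the manual. The five toxic pairs are the ones listed above; the entitlement names, the role groups, and the user assignments are constructed sample data, and the group-nesting behaviour is an assumption about how a real ERP bundles roles.

```python
"""Segregation-of-duties (SoD) conflict check over user entitlements.

Added example for this edition, not code from the manual. The five conflicting
duty pairs are the ones the procurement test guide lists; the entitlement
names, the role groups, and the user assignments are constructed sample data.
"""

# Entitlements as they might be granted in the procurement and A/P systems.
# Names are assumptions; map them to the real roles in your ERP.
VENDOR_MASTER = "maintain_vendor_master"
PROCESS_INVOICE = "process_vendor_invoice"
REQUEST_PO = "request_goods_via_po"
PLACE_ORDER = "place_order_with_vendor"
APPROVE_PO = "approve_po"
NEGOTIATE_CONTRACT = "negotiate_vendor_contract"
GOODS_RECEIPT = "goods_receipt_on_po"

# Toxic combinations from the test guide: one person must not hold both.
SOD_CONFLICTS = {
    frozenset({VENDOR_MASTER, PROCESS_INVOICE}),
    frozenset({REQUEST_PO, PLACE_ORDER}),
    frozenset({APPROVE_PO, PROCESS_INVOICE}),
    frozenset({NEGOTIATE_CONTRACT, REQUEST_PO}),
    frozenset({PROCESS_INVOICE, GOODS_RECEIPT}),
}

# Constructed sample data: role groups that bundle entitlements (a group may
# contain other groups), and users holding groups and/or direct entitlements.
GROUPS = {
    "ap_clerk": {PROCESS_INVOICE},
    "buyer": {REQUEST_PO, "contracts"},
    "contracts": {NEGOTIATE_CONTRACT},
    "receiving": {GOODS_RECEIPT},
}
USERS = {
    "alice": {"ap_clerk", VENDOR_MASTER},   # vendor master plus invoice processing
    "bob": {"receiving"},                   # no conflict
    "carol": {"buyer"},                     # conflict hidden two groups deep
    "dave": {APPROVE_PO, "ap_clerk"},       # approves POs and processes invoices
}


def resolve(names, groups, seen=None):
    """Expand group names into the entitlements they grant, transitively.

    `seen` guards against cyclic group membership.
    """
    seen = set() if seen is None else seen
    granted = set()
    for name in names:
        if name in groups:
            if name not in seen:
                seen.add(name)
                granted |= resolve(groups[name], groups, seen)
        else:
            granted.add(name)
    return granted


def find_conflicts(effective):
    """Return {user: sorted list of (duty_a, duty_b)} for users holding a toxic pair.

    `effective` maps each user to the full set of entitlements they hold;
    flatten groups first, because nested groups are where conflicts hide.
    """
    report = {}
    for user, held in effective.items():
        hits = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held]
        if hits:
            report[user] = sorted(hits)
    return report


def audit(users=USERS, groups=GROUPS):
    """Flatten every user's groups and report SoD conflicts."""
    effective = {user: resolve(names, groups) for user, names in users.items()}
    return find_conflicts(effective)


if __name__ == "__main__":
    for user, pairs in audit().items():
        for duty_a, duty_b in pairs:
            print(f"{user}: holds both {duty_a} and {duty_b}")
```

Run against an export of real role assignments, the output is the exception list the test guide asks for: each user who can both maintain vendor master data and process invoices, or both request and place orders, and so on. Carol's case is the one observation alone tends to miss, because neither of her duties is visible until the nested group is expanded.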
Key Measures
• Procurement process performance measures
• Number of qualified vendors per purchasing category, including vendor performance measures
• Number and frequency of POs compared to the amount per purchase order

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:

Internal Controls Procedure No. C02m, Section: Accounting and Finance, Revenue Recognition

Reference Policies and Procedures
• Revenue Recognition
• Delegation of Authority
• Journal Entry

Flowchart: Sales Quote/Sales Order (input, process, and output columns). A sales order from a sales representative and/or customer goes to sales operations evaluation against the revenue recognition checklist, with yes/no gates for: approved customer (sent by an approved customer contact; credit analysis), approved products (product availability; contact manufacturing), approved pricing (pricing database; contact pricing), approved terms and conditions (legal sales T&C database; contact legal), and company acceptance. An accepted sales order is released for product/service fulfillment; when it is okay to recognize revenue, it is recorded in compliance with revenue cutoff dates, producing cost of sales journal entries and revenue recognition journal entries.

Readiness Checklist
• Are there documented policies and procedures?
• Have employees been trained as to the rules, regulations, and information technology (IT) systems regarding revenue?
• Has there been a change to the external rules and regulations regarding this topic?
• Are there a suitable chart of accounts, standard journal entries, control accounts, and subsidiary records for recording, classifying, and summarizing revenues based on product or service classification and geographic location?
• If end-user computing (EUC) spreadsheets are used, are they in compliance with EUC review and approval procedures?
• Is a revenue recognition checklist established to assist with addressing specific revenue recognition concerns?
• Are peer reviews established to validate the application and use of the revenue recognition checklist?
• Is revenue, sales, and cost of sales analysis performed by product and geographic segment?

Control Objectives and Activities

Compliance with Contract Terms
• All customers have a valid and approved contract. Customers requesting nonstandard contract terms and conditions require additional financial and legal approval. Review the exception report for customers without valid contracts and remediate for resolution.
• Review customer dissatisfaction and escalation reports to identify the types of issues customers are having with the Company's products and/or services. Analyze how the company investigates the root cause of these issues, improves the process, and resolves the issue with the customer.

Complete
• All sales orders are input to the sales database and, once accepted by the company, the sales order is released to distribution for fulfillment. Review exception reports and follow up on remediation plans. Select a sample of sales orders and test for complete, accurate, and timely processing.
• Zero-dollar sales orders are reviewed for accuracy of revenue and inventory accounting treatment. Review the zero-dollar sales report and validate the reasons provided for zero-dollar fulfillment. Select a sample and test the accuracy of the reason classification.
• Completed sales orders are reconciled to the original contract, with differences explained, authorized, and documented. The contract and supporting documentation, including approvals, are retained and maintained in the customer file by sales order. Review peer-to-peer or self-assessment checklists. Select a sample and verify reconciliation reports and remediation plans.

Timeliness
• Instructions as to revenue cutoff periods are communicated prior to each month-end closing. Review communications and schedules.

Accurate
• Review and analyze the company's policy and procedure for revenue recognition. Select a sample of revenue recognition checklists to ensure that the revenue recognition criteria have been met.
• For a selected sample of transactions, review and follow the cradle-to-grave supporting documentation, including the customer contract, sales orders, shipping and fulfillment orders, and customer correspondence.
• Review and analyze estimate and reserve accounts for compliance with company policies and procedures, accuracy of calculation, and timeliness of processing. Recalculate estimate and reserve amounts for accuracy and consistency.

Authorize
• Select a sample of sales orders and review for completeness, accuracy, and authorization prior to processing.
• The revenue segmentation reporting by product and geography is reviewed for consistent application of company methodology.
• The finance VP or corporate controller reviews, signs, and dates the detailed schedules and financial disclosures.
Reconciliation
Account analysis and reconciliation is performed between the:
• Sales order database and revenue booked and recognized
• Accounts receivable and recognized revenue
• Sales and use tax and revenue
• Intercompany revenue and intercompany receivables
• Revenue and royalty payable
• Sales orders, revenue, and incentive compensation

Segregation-of-duties tests are performed by observing roles and responsibilities and reviewing documented flowcharts and/or procedures. Segregation of duties exists between employees who:
• Prepare, enter, and fulfill the sales orders and those who record the related accounting transactions
• Invoice the customer and those who collect and process customer payment
• Record the accounting transactions and those who reconcile the accounts

Key Measures
• Period-over-period revenue movement
• Vertical income statement analysis, with each income statement summary line expressed as a percent of revenue and compared with period-over-period percentages
• Volume and amount of sales orders: to be processed (i.e., waiting for company review and acceptance); in backlog (i.e., accepted and not yet filled); processed (i.e., delivered and recorded for accounting purposes)
• Sales, revenue, and adjustments to revenue by product segment and geographic location

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:
Internal Controls Procedure No. C02n, Section: Accounting and Finance, Retail Sales Orders to Business Partners

Reference Policies and Procedures
• Distribution and Fulfillment
• Inventory
• Product Pricing
• Revenue Recognition

Flowchart: Retail Sales Orders to Business Partners (input, process, and output columns). A purchase order from a partner is converted and evaluated as a sales order against the product and price lists and compared to the partner-approved T&C, products, and prices; if it is not okay to proceed, it is rejected and the partner contacted. Otherwise the sales system (sales database) is updated and the order goes to the distribution/fulfillment center; if it is okay to process, goods are shipped and the inventory database updated, the invoice is sent and the sales database updated, and journal entries for revenue and cost of goods sold are prepared; if not, the order is placed on back order and the partner notified (partner database).

Readiness Checklist
• Are there documented policies and procedures?
• Have employees been trained as to the rules, regulations, and information technology (IT) systems regarding this topic?
• Do business partners undergo a qualification and review process before being accepted as a company-approved retail partner?
• Do all business partners have valid and current contracts?
• Are retail sales orders produced from accurate and current product and pricing books?
• Have samples of the input been traced back to the source documents and verified as complete and accurate? Is there a strategy for collecting and reviewing the samples and for documenting remediation plans and actions?
• Are there system-related IT controls embedded into the design of the feeds to/from the sales order system? Are the results of the reviews documented?
• If end-user computing (EUC) spreadsheets are used, are they in compliance with EUC review and approval procedures?
• Are the roles and responsibilities reviewed to ensure appropriate segregation of duties?

Control Objectives and Activities

Compliance with Contract Terms
• The retail partner list is complete and accurate and represents authorized retail partners who have valid master sales agreements with the company.
• All business partners have a valid and approved contract. Business partners requesting nonstandard contract terms and conditions require additional financial and legal approval.

Complete
• Business partner product and pricing lists are complete and accurate and represent the products the company is authorized to sell to retail partners. Review the product and pricing list for authorization and communication, and confirm that the products and prices on business partner orders are the ones on that list.
• The sales order manager reviews and approves sales orders prior to forwarding the sales order to distribution for fulfillment. Review the completed sales order checklists to ensure that the company can fulfill the requested product quantities at the quoted prices, and validate the calculation extensions. Select a sample and test the supporting documentation.

Accurate
• All shipments are recorded accurately, in a timely manner, and in the appropriate period. Review shipping reports and select a sample to review supporting documentation.
• Walk through and observe the process from when the company receives and processes the sales order, through fulfilling and shipping the order, to recording the journal entries. Document control issues and findings.

Authorized
• Business partners are qualified and preapproved and undergo credit authorization.
• In accordance with company policy and procedures, sales order reports are generated to identify sales orders whose volumes or amounts fall below or above the usual range, since these require additional review and approval. Review and analyze these reports for the additional management review, approval, and supporting documentation.

Reconciliation
• Reconciliations are prepared, reviewed, and approved between sales orders received and orders fulfilled; unreconciled items are aged for resolution. Select reconciliations, review the source data, recalculate, and validate approvals.
• Reconcile fulfilled sales orders to the business partner accounts receivable data flow. Select a sample; review calculations, approvals, and supporting documentation.
• Segregation-of-duties tests are performed by observing roles and responsibilities and reviewing documented flowcharts and/or procedures. Segregation of duties exists between employees who evaluate and approve business partners and those who process sales orders, ship product, or process accounts receivable.

Information Technology Controls
• The system automatically monitors customer credit limits and designates a customer as "hold over credit limit" if the customer purchase order exceeds the approved credit limit in the system. When testing this control, confirm what the comparison actually covers: a check of the single order against the limit can be bypassed by splitting one purchase into several smaller orders, so the partner's open receivables and accepted but uninvoiced orders should count toward the exposure being compared.
• Only valid and accurate purchase orders are entered into the systems. Orders are reviewed for accuracy and validity prior to entry into the system, as evidenced by sign-off of the purchase order.

Key Measures
• Sales order volumes: quantity by product and contract value segmented by business partner
• Status of sales orders in sales order administration (e.g., inaccurate or incomplete information, customer on credit hold, approved and forwarded to distribution, no-charge sales)
• Status of sales orders in fulfillment (e.g., back order, partially fulfilled, fulfilled)
• Revenue and profit by business partner

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:

Internal Controls Procedure No. C02o, Section: Accounting and Finance, Income Tax

Reference Policies and Procedures
• Tax Preparation
• Journal Entries
• Account Reconciliation

Flowchart: Income Tax (input, process, and output columns). Inputs are federal tax regulations, other governance-related sources (SEC, PCAOB, FASB), and previous tax returns and tax audit findings. The tax department assesses these and implements them in the company tax instructions, sends the tax instructions to business unit (BU) controllers, and clarifies instructions and addresses concerns; BU controllers submit results, the tax input form, and support. The tax department assesses the data and information and reconciles it with the financial statements, selects the data relevant for the tax calculation, calculates the tax, and compares it with previous returns and results. If the BU does not confirm, or the result is not okay for tax submission, deficiencies are addressed; otherwise the tax return is prepared and submitted for review and approval, the journal entry is prepared, approved, and posted, the financial statement impact is analyzed and disclosures prepared, and the return and disclosures are submitted.

Readiness Checklist
• Are there documented policies and procedures?
• Have employees been trained as to the rules, regulations, and information technology (IT) systems and applications regarding this topic?
• Have instructions been communicated to business unit controllers or designates who provide input to the tax department?
• Are there programs or applications used by the tax department that reconcile business unit input to financial statement input?
• Are the accounting records used in tax preparation reconciled with the accounting records used for financial reporting?
• Do income tax calculations comply with taxing authority rules and regulations?
• Are income tax calculations based on actual company transactions and supported by the appropriate source-level documentation?
• Is an income tax calculation, preparation, and approval checklist deployed within the tax department?
• If end-user computing (EUC) spreadsheets are used, are they in compliance with EUC review and approval procedures?
• If tax preparation is outsourced, is there a valid SAS 70 (now a SOC 1 report) on file with the tax department? Has the company conducted test sampling to ensure that controls, reviews, and audits are performed at the outsourced location where the company's tax obligations are processed? Are the results documented?

Control Objectives and Activities

Compliance with Laws and Regulations
• Tax schedules are prepared that represent the company's jurisdictional obligations for income tax preparation and filing. The tax department can demonstrate adherence to the schedule. Review and analyze the list of jurisdictional filings.
• Tax research is documented, identifying company-specific procedures to implement tax requirements into operational and tax processes.
Review the list of tax items researched and the assessment as to whether each researched item needs to be incorporated into the company's policies and procedures.
• Senior executives are assured that all available and appropriate tax advantages are included within income tax preparation, tax submissions, and disclosures.

Complete
• There are established lines of communication between the tax function and the functional and geographic business units, providing clear instruction as to the input required for income tax preparation. Review policies and procedures for the inclusion of tax considerations where and as appropriate.
• Tax management compares the forecasted pretax income with the tax provision work papers. Review peer-to-peer or self-assessment checklists to determine whether the work papers are complete. Verify the use of the income tax checklist and supporting documentation.

Accurate
• The tax provision calculation is properly documented, accurately determined, supported, and recorded in the general ledger. Review the assumptions and process used to calculate, review, and approve tax provisions. Select sample calculations for recalculation.
• Sales and use tax liabilities are captured and recorded completely and accurately, with payments submitted in a timely manner. Review and analyze the sales and use tax work papers and the presentation of liabilities.
• Business unit and tax management verify the integrity and completeness of the gathered data. The tax function performs timely recalculations to assess the accuracy and reasonableness of computations. Internal controls reviews the data input and tax calculations.
• To serve as a check and balance and for purposes of accuracy, those who prepare income tax computations and work products, those who review and approve tax submissions, and those who approve and/or reconcile the journal entries are separate individuals. Walk through and observe the process from receiving the data input to preparing journal entries, and from tax submissions to disbursement of taxes payable.

Authorize
• The tax VP reviews and approves the income tax rate that must be used for budget and forecasting purposes. This rate is reconciled to the actual calculated year-end rate.
• The tax VP reviews and approves the income tax journal entries and the classification between current and deferred, and short- and long-term, obligations.
• The tax VP reviews and approves the blended statutory state income tax rate.
• The chief financial officer (CFO) quarterly reviews and approves the contingency reserve, noting support in accordance with SFAS 5 (now codified as ASC 450, Contingencies) and the related effects on the tax accounts.
• Company policies and procedures (e.g., intercompany transactions, cross-border and transfer product pricing) are adequately reviewed and approved for income tax implications.
• The income tax provisions, presentations, and disclosure requirements are reviewed for completeness, accuracy, and compliance with laws and regulations. The finance VP or corporate controller reviews, signs, and dates the detailed schedules and financial disclosures. Review the disclosure and supporting documentation.

Reconciliation
• Reconciliations are performed between the financial data submitted by the business units and the information submitted to the tax department. Review and analyze selected reconciliations.
• The tax VP reviews and approves the roll-forward schedule and analysis, which includes current taxes payable, deferred taxes, and the tax provision. Review and analyze selected reconciliations.
• The tax VP reviews the reconciliation of the requested tax entries to the balances reflected on the general ledger to confirm that the information was posted accurately and that the tax accounts are correctly stated. Review and analyze selected reconciliations.
• The accrual for sales and use tax contingencies is reconciled monthly to supporting schedules or the general ledger to ensure the accrual is complete and accurate. Review and analyze selected reconciliations.

Key Measures
• Period-over-period, overall, and individual business unit tax rates for the profit-and-loss and balance sheet tax accounts
• Company income tax rates compared to the industry leaders

This test guide is used as the internal control activity for:
Process owner:
Located at:
Control activities conducted by:
Date:

Appendix: Internal Control Planning, Testing and Remediation Worksheet

This worksheet is an Excel-based program that has been pre-populated with information from the testing guides so as to serve as a planning, testing, documentation, and remediation tool when conducting SOX testing. This section is made up of:
• The Worksheet
• The Result of the Control Activity form
• The Reporting Scorecard

The Worksheet
Following is a description of each of the columns. There is an example at the beginning of the worksheet, so you can see how it is to be completed.

Process/Account
Using a top-down assessment approach, list the significant processes and accounts which require testing.

Control Objective / Risk
Identify the control objective or risk element that must be documented or tested. Designate your own control objectives, or use the ones identified and defined within the Testing Guides presented in the manual.

Control Activity
Identify the planned control activity that must be documented or tested. Design your own control activities, or use the ones identified and defined within the Testing Guides presented in the manual. Remember that the control activity must demonstrate that the internal control representative has defined a substantive activity which will produce sufficient evidence that the control is working. Supporting evidence shall be included or referenced on the Internal Control – Result of Testing form.

Sample Size and Results of Testing
Describe the approach used to determine the sample size, identify the sample size, and describe the findings which result. Reference the Internal Control – Results of Testing checklist and the supporting evidence collected. Remember to note where the control objective is working as designed and when there are no findings. Even if not an immediate control exposure, remember to include areas of concern which may lead to control exposures or where process effectiveness and efficiency opportunities may exist.

Control in Place
Identify Yes or No as to whether the control objective is in place and proved by the control activity. If No, then describe the issue and rate the control. The rating is your evaluation as to whether the control is working as it should be. Rate as 1 to 4, with each rating defined as: 1, a significant deficiency; 2, a material weakness; 3, a reportable condition; or 4, an effective control. Note that this ordering is the worksheet's own: under the current PCAOB and SEC definitions a material weakness is the more severe classification, a significant deficiency is one that is less severe than a material weakness yet merits attention, and "reportable condition" is the older term that significant deficiency replaced; map the worksheet ratings to those definitions before any external reporting.

Process Owner
Those items rated as 1, 2, or 3 require a process owner to oversee the remediation efforts. This column identifies the name of the process owner or person responsible for remediation.

Remediation Actions
If remediation actions are required, identify the immediate next steps and corrective action plans. Remediation actions and next steps should be developed in cooperation with the process manager.

Next Follow-Up Date or Due Date
A follow-up date is required for those issues which cannot be readily corrected. This date should not be more than two weeks from the date of the testing, to ensure a timely response from the process manager. If the corrective action requires significant process re-engineering, plan on periodic meetings to ensure that the re-engineering design corrects the control issues. A due date, the date the issue is corrected and ready for re-testing, is preferable. Allow time for the correction to be implemented and for performance indicators to prove that the correction has been deployed; then follow with a retest of the control objective.

Internal Control – Result of Control Activity Testing
As the internal control representative tests each control objective, they should keep track of the tests and results by completing the Result of Control Activity form. This form serves as the cover sheet for the evidence collected to support the assertion made about the control objective. The results of each test, whether positive or negative, must be recorded to demonstrate that the internal control representative exercised an appropriate level of due diligence when reviewing the process. In addition, those items which indicate a deficiency need to be identified and classified for remedial action.

Internal Control – Reporting Scorecard
The Internal Controls – Reporting Scorecard is presented at the end of this chapter and is one way to easily report and communicate the Company's internal control status.
Appendix: Internal Control Planning, Testing, and Remediation Worksheet

Worksheet columns: Process/Account; Control Objective or Risk; Control Activity or Test; Sample Size and Results of Testing; Control in Place (Y/N) and, if No, Type of Exposure; Process Owner; Remediation Actions; Next Follow-Up / Due Date.

Example rows (completed)

Process/Account: Accounts Payable
Control Objective or Risk: Accurate
Control Activity or Test: There is a chart of accounts and instruction for assigning account distribution for accuracy in recording transactions and classifying expenses. Daily peer-to-peer reviews are established. Test a sample of transactions for account coding accuracy.
Sample Size and Results of Testing: Verified that there are instructions and a valid chart of accounts available for coding transactions; however, there were errors. Sample size of 50 transactions from all levels of transaction dollar thresholds. A checklist was available for peer-to-peer reviews. There were lapses in the peer-to-peer reviews, with the most material transaction not fully reviewed. Errors were minor and did not affect financial reporting data or information.
Control in Place (Y/N); if No, Type of Exposure: Yes, 3. The control is generally in place; however, there is opportunity for improvement.
Process Owner: Jamie Doe
Remediation Actions: 1) Automate expense coding into the A/P system. 2) Prepare thresholds for peer-to-peer reviews, including all transactions over a certain size (e.g., $20,000), a 50% randomly selected sample for transactions between $5,000 and $20,000, and a 20% review sample for those less than $5,000. Rather than daily reviews, consider implementing peer-to-peer reviews once a week covering the weekly activity. Management is to select a sample from each category to review.
Next Follow-Up / Due Date: 1) Investment analysis and change request analysis for the A/P system in 5 days; 2) 5 days to review and update the peer-to-peer checklist and immediately thereafter reinstate the peer-to-peer reviews with management sign-off.

Process/Account: A/R – Collections
Control Objective or Risk: Reconciliation
Control Activity or Test: Review the reconciliation of customer A/R balances between the subledger and the general ledger. Review and reconcile the aging report to the general ledger.
Sample Size and Results of Testing: Reviewed and analyzed the reconciliation prepared each month of the quarter. Further analysis of unrecognized amounts revealed a recurring condition where reductions to price were routinely granted to customers who were not satisfied with the product's performance. These reductions were not reflected as an adjustment to revenue but rather recognized within the allowance for doubtful accounts.
Control in Place (Y/N); if No, Type of Exposure: No, 2. Although the reconciliations were prepared, they were not appropriately analyzed, documented, or approved. Revenue is not appropriately recognized.
Process Owner: Terry Doe
Remediation Actions: Review the Company's policies and procedures to ensure that the following is included: appropriate financial and legal approval is required for any and all post-contract changes. Ensure the allowance is used only for bad debt expenses, where the customer is unable to pay debts owed to the Company.
Next Follow-Up / Due Date: Weekly reviews until this issue is resolved and the policies and procedures are clear. Follow up with training for A/R staff.

Process/Account: Revenue
Control Objective or Risk: Compliance with Contract Terms
Control Activity or Test: All customers have a valid and approved contract. Customers requesting nonstandard contract terms and conditions require additional financial and legal approval. Review the exception report for customers without valid contracts and remediate for resolution.
Sample Size and Results of Testing: Sample size of 100% of all customer contracts over $100,000, a 50% random sample of those contracts between $50,000 and $100,000, and 10% of those contracts less than $50,000. Customers sign standard terms and conditions; however, side agreements are present indicating that if the customer is "not happy," the customer may return the product or accept an adjustment to the amount owed to the company.
Control in Place (Y/N); if No, Type of Exposure: No, 1. This is a significant deficiency. There are unapproved side agreements with acceptance clauses, and revenue is improperly recognized because the price is neither fixed nor determinable.
Process Owner: Mike Doe
Remediation Actions: Review the Revenue Recognition policies and procedures to ensure this topic is adequately addressed. Those not in compliance with company policy may be terminated. Assess current contracts to determine the extent of this issue. Prior period restatement and disclosure to the SEC may be required. Institute a process for monitoring contracts and side agreements, and train the sales force, sales administration, legal, and finance as to revenue recognition issues and consequences.
Next Follow-Up / Due Date: Within 2 days, assess contracts with this clause. Within 5 days, develop a remediation plan and action.

Pre-populated rows from the testing guides (the result, exposure, owner, remediation, and follow-up columns are blank, to be completed during testing)

Process/Account: Accounts Payable
Control Objective or Risk: Complete
Control Activity or Test: Only those invoices and check requests that have been posted are included within the payment run. Transactions are authorized and released for the payment run by the accounts payable (A/P) manager. Review and observe the process.

Process/Account: Accounts Payable
Control Objective or Risk: Accurate
Control Activity or Test: There is a chart of accounts and instruction for assigning account distribution for accuracy in recording transactions and classifying expenses. Daily peer-to-peer reviews are established. Test a sample of transactions for account coding accuracy.

Process/Account: Accounts Payable
Control Objective or Risk: Accurate
Control Activity or Test: Vendors are paid in accordance with agreed terms and conditions. Select payments and confirm against the vendor payment terms. Peer-to-peer tests are performed and documented.

Process/Account: Accounts Payable
Control Objective or Risk: Authorize
Control Activity or Test: Payments may only be made to preapproved vendors established within the Vendor Master database. Review variance and exception reports for remediation plans.
A cc ou nt s Pa ya bl e A ut ho ri ze A ll di sb ur se m en ts a re r ev ie w ed a nd au th or iz ed a s w itn es se d by s ig na tu re an d da te . R ev ie w er s an d au th or iz er s ar e as id en tifi e d w ith in th e D el eg at io n of A ut ho ri ty . R ev ie w s ig na to ry li st to en su re th ey h av e ap pr op ri at e le ve ls o f de le ga tio n. A cc ou nt s Pa ya bl e D is bu rs em en t of F un ds F or m an ua l c he ck s an d w ir e tr an sf er s, on ly a pp ro ve d ve nd or in vo ic es a s id en tifi e d w ith in th e A /P s ys te m c an be p ro ce ss ed a s a m an ua l p ay m en t. A se lf- as se ss m en t c he ck lis t i s co m pl et ed fo r ea ch w ir e tr an sf er . S el ec t a s am pl e an d tr ac e pa ym en t b ac k to s ou rc e do cu m en ta tio n. A cc ou nt s Pa ya bl e R ec on ci lia tio n T he A /P r ep re se nt at iv e pr ep ar es a re co nc ili at io n of th e m on th ly o pe n pa ya bl es r ep or t / su bl ed ge r to th e ge ne ra l l ed ge r A /P a cc ou nt a nd a ny va ri an ce s ar e re so lv ed in a ti m el y m an ne r. T he A /P M an ag er e vi de nc es th e re vi ew a nd a pp ro va l o f t he re co nc ili at io n by d at ed s ig n- of f. Se le ct a sa m pl e an d re vi ew th e su pp or tin g do cu m en ta tio n an d ap pr ov al le ve ls . A cc ou nt s Pa ya bl e R ec on ci lia tio n U nm at ch ed it em s or it em s w hi ch h av e be en fl ag ge d as p ar tia l r ec ei pt / pa ym en t a re id en tifi e d an d in ve st ig at ed . R ev ie w a nd o bs er ve h ow th es e ar e re so lv ed , d oc um en t c on tr ol is su es . 
(C on ti nu ed ) bapp01.indd 221bapp01.indd 221 8/25/08 3:02:53 PM8/25/08 3:02:53 PM 222 P ro ce ss / A cc ou nt C on tr ol O bj ec ti ve o r R is k C on tr ol A ct iv it y or T es t Sa m pl e Si ze a nd R es ul ts of T es ti ng C on tr ol in P la ce ( Y/ N ) if N o Ty pe o f E xp os ur e P ro ce ss O w ne r R em ed ia ti on A ct io ns N ex t F ol lo w up / D ue D at e A cc ou nt s Pa ya bl e Sa fe gu ar di ng A ss et s A ss et s us ed fo r pr oc es si ng p ay m en ts (i. e. , c he ck s to ck , s ig ni ng p la te s, w ir e tr an sf er te rm in al s, c he ck si gn in g m ac hi ne s) a re s to re d in a ph ys ic al ly s ec ur e ar ea w ith r es tr ic te d ac ce ss to a ut ho ri ze d pe rs on ne l o nl y. R ev ie w , o bs er ve a nd d oc um en t t he sa fe gu ar di ng o f a ss et s. A cc ou nt s Pa ya bl e Se gr eg at io n of D ut ie s Se gr eg at io n of D ut ie s te st s ar e pe rf or m ed b y ob se rv in g ro le s an d re sp on si bi lit ie s, r ev ie w in g do cu m en te d fl o w ch ar ts a nd /o r pr oc ed ur es . Se gr eg at io n of D ut ie s ex is ts b et w ee n em pl oy ee s w ho h av e ac ce ss to : A cc ou nt s Pa ya bl e Se gr eg at io n of D ut ie s Ve nd or m as te r da ta a nd m ai nt en an ce (o w ne d by P ro cu re m en t d ep ar tm en t) an d em pl oy ee s w ho h av e ac ce ss to pr oc es s ve nd or in vo ic es (A cc ou nt s Pa ya bl e de pa rt m en t) . A cc ou nt s Pa ya bl e Se gr eg at io n of D ut ie s C re at e an d m ai nt ai n Pu rc ha se O rd er s (P O ) ( ow ne d by P ro cu re m en t D ep ar tm en t) a nd e m pl oy ee s w ho h av e ac ce ss to p ro ce ss v en do r in vo ic es . A cc ou nt s Pa ya bl e Se gr eg at io n of D ut ie s PO a pp ro va l ( pe rf or m ed b y bu si ne ss ar ea r eq ue st in g th e go od s an d/ or se rv ic es ) a nd e m pl oy ee s w ho h av e ac ce ss to p ro ce ss v en do r in vo ic es . 
A cc ou nt s Pa ya bl e Se gr eg at io n of D ut ie s Pr oc es s ve nd or in vo ic es a nd e m pl oy ee s w ho h av e ac ce ss to G oo ds R ec ei pt on a P O (p er fo rm ed b y th e re ce iv in g de pa rt m en t o r bu si ne ss a re a re qu es tin g th e go od s an d/ or s er vi ce s) . A cc ou nt s Pa ya bl e Se gr eg at io n of D ut ie s Pr oc es s ve nd or in vo ic es a nd e m pl oy ee s w ho h av e ac ce ss to A /P P ay m en ts . bapp01.indd 222bapp01.indd 222 8/25/08 3:02:54 PM8/25/08 3:02:54 PM 223 A cc ou nt s Pa ya bl e Se gr eg at io n of D ut ie s B an k R ec on ci lia tio n (p er fo rm ed b y Tr ea su ry ) a nd e m pl oy ee s w ho h av e ac ce ss to p ro ce ss v en do r in vo ic es A cc ou nt s Pa ya bl e Se gr eg at io n of D ut ie s E nt er in vo ic es in to th e A /P I T s ys te m an d pe rs on ne l a ut ho ri ze d to s ig n ch ec ks a nd e le ct ro ni c fu nd s tr an sf er s A cc ou nt s Pa ya bl e In fo rm at io n Te ch no lo gy C on tr ol s T he A /P s ys te m is c on fi g ur ed to au to m at ic al ly p ro ce ss fo r in vo ic e pa ym en t w ith a p ri ce to le ra nc e lim it of p lu s or m in us 1 0% o r $1 00 o ve r th e Pu rc ha se O rd er (P O ) a m ou nt , w hi ch ev er is le ss . Q ua nt ity m us t no t e xc ee d th e to ta l q ua nt ity o f t he PO . V ar ia nc es in q ua nt ity o r in p ri ce to le ra nc e ar e bl oc ke d fo r pa ym en t i n th e sy st em . A cc ou nt s Pa ya bl e In fo rm at io n Te ch no lo gy C on tr ol s In a cc or da nc e w ith C om pa ny p ol ic y an d pr oc ed ur e, th e IT s ys te m is co nfi g ur ed to p er fo rm 3 -w ay m at ch es . A cc ou nt s Pa ya bl e In fo rm at io n Te ch no lo gy C on tr ol s O n a qu ar te rl y ba si s, th e fi l e sh ar e ow ne rs p er fo rm a d oc um en te d re vi ew of th e A /P I T s ys te m a nd fi le s ha re ac ce ss to e ns ur e ac ce ss is r es tr ic te d to au th or iz ed p er so nn el . 
A cc ou nt s Pa ya bl e In fo rm at io n Te ch no lo gy C on tr ol s Pr oc es s in vo ic es a ga in st P O s in cl ud in g ab ili ty to in pu t, ed it or c an ce l i nv oi ce s. A cc ou nt s Pa ya bl e In fo rm at io n Te ch no lo gy C on tr ol s Pr oc es s in vo ic es a nd p ay m en t r eq ue st s th at d o no t h av e a PO a nd /o r go od s re ce ip t i nc lu di ng th e ab ili ty to in pu t, ed it or c an ce l i nv oi ce s. A cc ou nt s Pa ya bl e In fo rm at io n Te ch no lo gy C on tr ol s R el ea se in vo ic es fo r pa ym en t. A cc ou nt s Pa ya bl e In fo rm at io n Te ch no lo gy C on tr ol s H av e ac ce ss to e nt er m an ua l p ay m en ts . (C on ti nu ed ) bapp01.indd 223bapp01.indd 223 8/25/08 3:02:54 PM8/25/08 3:02:54 PM 224 P ro ce ss / A cc ou nt C on tr ol O bj ec ti ve o r R is k C on tr ol A ct iv it y or T es t Sa m pl e Si ze a nd R es ul ts of T es ti ng C on tr ol in P la ce ( Y/ N ) if N o Ty pe o f E xp os ur e P ro ce ss O w ne r R em ed ia ti on A ct io ns N ex t F ol lo w up / D ue D at e A cc ou nt s Pa ya bl e In fo rm at io n Te ch no lo gy C on tr ol s U nb lo ck in vo ic es th at h av e be en au to m at ic al ly b lo ck ed fo r pa ym en t. A cc ou nt s Pa ya bl e In fo rm at io n Te ch no lo gy C on tr ol s A dd iti on al A /P I T s ys te m a re d es ig ne d w ith c on tr ol s th at : A cc ou nt s Pa ya bl e In fo rm at io n Te ch no lo gy C on tr ol s D o no t a llo w p ro ce ss in g of d up lic at e in vo ic e nu m be rs fo r th e sa m e ve nd or . A cc ou nt s Pa ya bl e In fo rm at io n Te ch no lo gy C on tr ol s W ill n ot p ro ce ss p ay ab le tr an sa ct io ns fo r in ac tiv e ve nd or s. A cc ou nt s Pa ya bl e In fo rm at io n Te ch no lo gy C on tr ol s Tr ac ks th e re m ai ni ng b al an ce o f bl an ke t p ur ch as e or de rs w ith r ec ur ri ng pa ym en ts a nd c lo se s th e PO w he n th e ba la nc e be co m es z er o. 
A cc ou nt s Pa ya bl e In fo rm at io n Te ch no lo gy C on tr ol s C on tr ol s ar e in p la ce to e ns ur e th at re cu rr in g ve nd or p ay m en ts a re pr oc es se d in a cc or di ng w ith c on tr ac t te rm s. A /R – C re di t A dm in is tr at io n C om pl et e F in an ci al a na ly si s pe rf or m ed to m at ch cu st om er A /R c re di t l im its , t er m s an d co nd iti on s w ith c us to m er fi na nc ia l pr ofi le . I f n ot , p ro vi de a lte rn at iv es to th e cu st om er in th e fo rm o f a le tt er o f cr ed it, a nd /o r fi n an ci ng a rr an ge m en ts . U pd at e th e A /R c us to m er c re di t t er m s an d co nd iti on s in th e A /R d at ab as e. A /R – C re di t A dm in is tr at io n C om pl et e W he n co nt ac te d by C ol le ct io ns , fi n an ci al a na ly si s pe rf or m ed o n sl ow pa yi ng c us to m er s to p la ce o n cr ed it w at ch , p ro vi de fo r th em a s pa rt o f t he al lo w an ce fo r do ub tf ul a cc ou nt s an d/ or w ri te of f. U pd at e th e A /R c us to m er cr ed it te rm s an d co nd iti on s in th e A /R da ta ba se . bapp01.indd 224bapp01.indd 224 8/25/08 3:02:56 PM8/25/08 3:02:56 PM 225 A /R – C re di t A dm in is tr at io n C om pl et e A na ly ze th e cu st om er d at ab as e to in ac tiv at e th os e cu st om er ’s cr ed it lim its w he re th ey h av e no t h ad s al es a ct iv ity fo r on e ye ar o r m or e. A /R – C re di t A dm in is tr at io n A ut ho ri ze O nl y au th or iz ed p er so nn el m ay r ev ie w an d ap pr ov e a C us to m er ’s fi n an ci al pr ofi le fo r A /R c re di t l im its , t er m s an d co nd iti on s. A t l ea st o n a qu ar te rl y ba si s th e ro le o w ne r re vi ew s th e lis t of e m pl oy ee s w ho h av e ac ce ss to A cc ou nt s R ec ei va bl e da ta ba se s ys te m to e ns ur e on ly a ut ho ri ze d in di vi du al s ha ve a cc es s an d th at a pp ro pr ia te se gr eg at io n of d ut ie s ex is t w ith in A /R fu nc tio na l a re as . 
A /R – C re di t A dm in is tr at io n Se gr eg at io n of D ut ie s Se gr eg at io n of d ut ie s ex is ts b et w ee n em pl oy ee s w ho r ev ie w a C us to m er ’s A /R p ro fi l e, e st ab lis h A /R c re di t l im its an d gr an t A /R te rm s an d th os e A /R em pl oy ee s w ho p er fo rm c ol le ct io n an d/ or c as h ap pl ic at io ns . A /R – C ol le ct io ns C om pl et e T he A /R d at ab as e is th e si ng le s ou rc e of c us to m er a cc ou nt r ec ei va bl e in fo rm at io n co nt ai ni ng : c us to m er co nt ac t i nf or m at io n, c us to m er A /R cr ed it lim its , t er m s an d co nd iti on s, bu yi ng h is to ry , c ol le ct io n hi st or y, pa ym en t h is to ry , a nd a llo w in g fo r co m m en ts to b e ad de d ea ch ti m e th e co m pa ny ’s A /R r ep re se nt at iv e re ac he s ou t t o th e cu st om er ’s A /P re pr es en ta tiv e. O bs er ve to e ns ur e no o th er d at ab as e or in te ri m re co rd in g fi l es a re u se d to r ec or d A /R tr an sa ct io ns . A /R – C ol le ct io ns A cc ur at e A cc ou nt s re ce iv ab le c ol le ct io n pr ob le m s ar e do cu m en te d w ith in th e co lle ct io ns d at ab as e, i. e. , o ne c en tr al da ta ba se . S el ec t s am pl es to v al id at e th at c us to m er A /R b al an ce s ar e co rr ec t as r ep or te d in th e A /R d at ab as e an d ag in g re po rt . 
(C on ti nu ed ) bapp01.indd 225bapp01.indd 225 8/25/08 3:02:56 PM8/25/08 3:02:56 PM 226 P ro ce ss / A cc ou nt C on tr ol O bj ec ti ve o r R is k C on tr ol A ct iv it y or T es t Sa m pl e Si ze a nd R es ul ts of T es ti ng C on tr ol in P la ce ( Y/ N ) if N o Ty pe o f E xp os ur e P ro ce ss O w ne r R em ed ia ti on A ct io ns N ex t F ol lo w up / D ue D at e A /R – C ol le ct io ns A ut ho ri ze Se le ct s am pl es to v er ify th at A /R m an ag em en t r ev ie w ed , a ut ho ri ze d an d co m m un ic at ed a dj us tm en t t o cu st om er A /R b al an ce s in a cc or da nc e w ith th e C om pa ny ’s po lic ie s an d pr oc ed ur es . A /R – C ol le ct io ns R ec on ci lia tio n R ev ie w r ec on ci lia tio n of c us to m er A /R ba la nc es b et w ee n th e su bl ed ge r an d ge ne ra l l ed ge r. R ev ie w a nd r ec on ci le th e ag in g re po rt to th e ge ne ra l l ed ge r. A /R – C ol le ct io ns Se gr eg at io n of D ut ie s Se gr eg at io n of D ut ie s te st s ar e pe rf or m ed b y ob se rv in g ro le s an d re sp on si bi lit ie s, r ev ie w in g do cu m en te d fl o w ch ar ts a nd /o r pr oc ed ur es . Se gr eg at io n of D ut ie s ex is ts b et w ee n em pl oy ee s w ho h av e ac ce ss to : A /R – C ol le ct io ns Se gr eg at io n of D ut ie s T he s ub si di ar y re co rd s an d th os e w ho ha ve c as h re ce ip ts a nd g en er al le dg er co nt ro l a cc ou nt r es po ns ib ili tie s. A /R – C ol le ct io ns Se gr eg at io n of D ut ie s A ut ho ri ze c re di t l im its a nd A /R te rm s, w ith th os e w ho a ut ho ri ze a dj us tm en ts to A /R a cc ou nt b al an ce s. A /R – C ol le ct io ns Se gr eg at io n of D ut ie s Se ek c ol le ct io n of p ay m en ts a nd th os e w ho r ec ei ve a nd /o r po st th e ca sh ap pl ic at io n of p ay m en ts a nd th os e w ho re co nc ile A /R b al an ce s. 
A /R – C ol le ct io ns In fo rm at io n Te ch no lo gy C on tr ol s T he A /R d at ab as e ha s ac ce ss re st ri ct io ns , w hi ch s up po rt th e co m pa ny ’s se gr eg at io n of d ut y ro le s an d re sp on si bi lit ie s. A /R – C ol le ct io ns In fo rm at io n Te ch no lo gy C on tr ol s T he A /R d at ab as e is u pd at ed fr eq ue nt ly to a llo w fo r co lle ct or s to ha ve ti m el y st at us r ep or ts . A /R – C ol le ct io ns In fo rm at io n Te ch no lo gy C on tr ol s T he A /R d at ab as e co nt ai ns s ys te m co nt ro ls to id en tif y a ch an ge in cu st om er s ta tu s an d co nt ro l t ot al s to en su re a cc ur ac y of r ec or di ng . bapp01.indd 226bapp01.indd 226 8/25/08 3:02:57 PM8/25/08 3:02:57 PM 227 A /R – C as h A pp lic at io ns C om pl ia nc e w ith la w s an d re gu la tio ns T he u nm at ch ed li st is a ge d w ith a li st of o ut st an di ng it em s m or e th an 9 0 da ys ol d an d th e su pp or tin g do cu m en ta tio n fo rw ar de d to th e es ch ea t m an ag er to b e in cl ud ed in e sc he at a na ly si s. R ev ie w s el ec te d tr an sa ct io ns w ith in th e es ch ea t l is t. A /R – C as h A pp lic at io ns C om pl et e F or lo ck bo x tr an sa ct io ns , d ai ly c as h re ce ip ts a re c om pl et el y an d ac cu ra te ly re co rd ed in th e ap pr op ri at e pe ri od . T he b an k pr ov id es a s er vi ce w he re th ey h av e ac ce ss to th e co m pa ny ’s A /R ac co un ts a nd c le ar s ch ec ks r ec ei ve d w ith o ut st an di ng c us to m er in vo ic es . T he y ar e in st ru ct ed to c le ar o nl y th os e ite m s w hi ch a re m at ch ed e xa ct ly . It em s w hi ch d o no t m at ch e xa ct ly ar e di re ct ed to a c le ar in g ac co un t; w ith r es ol ut io n to b e pr ov id ed b y th e co m pa ny ’s C as h A pp lic at io ns te am . Se le ct s am pl es a nd te st b y fo llo w in g ca sh a pp lie d ba ck to th e so ur ce do cu m en ts (i .e ., in vo ic es a nd c us to m er pa ym en t) . 
A /R – C as h A pp lic at io ns C om pl et e F or c us to m er m ai l-i n pa ym en ts , d ai ly ch ec ks a re p ro m pt ly d ep os ite d an d ca sh is a pp lie d to th e cu st om er ’s A /R ou ts ta nd in g in vo ic es c om pl et el y an d ac cu ra te ly r ec or de d in th e ap pr op ri at e pe ri od . S el ec t s am pl es a nd te st b y fo llo w in g ca sh a pp lie d ba ck to th e so ur ce d oc um en ts (i .e ., in vo ic es a nd cu st om er p ay m en t) . A /R – C as h A pp lic at io ns C om pl et e T he T re as ur y an al ys t p re pa re s an d ga in s ap pr ov al fo r th e jo ur na l e nt ry to r ec or d th e ca sh d ep os ite d in to th e ca sh le dg er . R ev ie w jo ur na l e nt ri es fo r ap pr op ri at e su pp or tin g do cu m en ta tio n, ac co un t c od in g an d ap pr ov al s. (C on ti nu ed ) bapp01.indd 227bapp01.indd 227 8/25/08 3:02:57 PM8/25/08 3:02:57 PM 228 P ro ce ss / A cc ou nt C on tr ol O bj ec ti ve o r R is k C on tr ol A ct iv it y or T es t Sa m pl e Si ze a nd R es ul ts of T es ti ng C on tr ol in P la ce ( Y/ N ) if N o Ty pe o f E xp os ur e P ro ce ss O w ne r R em ed ia ti on A ct io ns N ex t F ol lo w up / D ue D at e A /R – C as h A pp lic at io ns C om pl et e T he re a re d oc um en te d ru le s (i. e. , m et ho do lo gy ) f or a pp ly in g ca sh b y in vo ic e nu m be r an d do lla r am ou nt a nd th es e ru le s ar e co m m un ic at ed to c as h ap pl ic at io n em pl oy ee s. S am pl e te st in g oc cu rs to e ns ur e th e ac cu ra cy o f t he ru le d ep lo ym en t. A /R – C as h A pp lic at io ns C om pl et e F or C as h re gi st er r ec ei pt s, c as h is re co rd ed a nd d ep os ite d da ily . C as h re gi st er p ro gr am m in g is v al id at ed fo r ac cu ra te c ha rg in g of d is co un ts , s al es an d us ag e ta xe s an d ot he r ca sh r eg is te r ca lc ul at io n fu nc tio ns . C as h re gi st er re ad in gs a re r ev ie w ed a nd te st ed to en su re a cc ur ac y. 
A /R – C as h A pp lic at io ns A cc ur at e F or r et ur n m er ch an di se a dj us tm en ts , w al k th ro ug h an d ob se rv e th e re qu es t to r et ur n m er ch an di se p ro ce ss a nd do cu m en t c on tr ol is su es . S el ec t a sa m pl e of r et ur n ad ju st m en ts a nd tr ac e th em b ac k to th e re qu es t a nd p hy si ca l re tu rn o f m er ch an di se . A /R – C as h A pp lic at io ns A cc ur at e F or a ll ot he r ad ju st m en ts to A /R ba la nc es , w al k th ro ug h an d ob se rv e th e pr oc es s. S el ec t a s am pl e of ad ju st m en ts a nd v al id at e th at th ey a re in c om pl ia nc e w ith c om pa ny p ol ic y, ap pr op ri at el y ap pr ov ed a nd p ro ce ss ed . A /R – C as h A pp lic at io ns A cc ur at e R ev ie w p ee r re vi ew c he ck lis ts . R ev ie w , ob se rv e an d do cu m en t fi n di ng s fo r ap pl yi ng c as h co m pl et el y an d ac cu ra te ly a nd d oc um en t fi n di ng s. A /R – C as h A pp lic at io ns A ut ho ri ze O nl y au th or iz ed p er so nn el m ay e nt er ca sh r ec ei pt s. bapp01.indd 228bapp01.indd 228 8/25/08 3:02:57 PM8/25/08 3:02:57 PM 229 A /R – C as h A pp lic at io ns R ec on ci lia tio n O n a da ily b as is , t he T re as ur y an al ys t va lid at es a nd r ec on ci le s th e im po rt o f th e el ec tr on ic b an k st at em en ts (E B S) as c om pl et e an d ac cu ra te b y co m pa ri ng th e be fo re a nd a ft er b an k ac co un t ba la nc es . R ev ie w s am pl e re co nc ili at io n by th e tr ea su ry a na ly st . A /R – C as h A pp lic at io ns R ec on ci lia tio n D ai ly , t he c as h ap pl ic at io ns m an ag er pr ep ar es a r ec on ci lia tio n of th e so ur ce d oc um en ts r ec ei ve d an d th e ca sh a pp lie d vi a th e lo ck bo x tr an sa ct io ns , m ai l-i n tr an sa ct io ns , an d th e ad ju st m en ts . R ev ie w s am pl e re co nc ili at io n. 
A /R – C as h A pp lic at io ns Se gr eg at io n of D ut ie s Se gr eg at io n of d ut ie s te st s ar e pe rf or m ed b y ob se rv in g ro le s an d re sp on si bi lit ie s, r ev ie w in g do cu m en te d fl o w ch ar ts a nd /o r pr oc ed ur es . Se gr eg at io n of d ut ie s ex is ts b et w ee n em pl oy ee s w ho : A /R – C as h A pp lic at io ns Se gr eg at io n of D ut ie s Pr ep ar e th e ba nk r ec on ci lia tio n an d pe rs on ne l w ho c an p os t c as h to th e ge ne ra l l ed ge r or s ub le dg er s. A /R – C as h A pp lic at io ns Se gr eg at io n of D ut ie s A ut ho ri ze d cu st om er s to r et ur ne d pr od uc ts a nd /o r m at er ia ls , v al id at e th e pr od uc ts a nd /o r m at er ia ls h av e be en r ec ei ve d an d th os e w ho a pp ly ca sh o r ad ju st m en t t o th e cu st om er ’s ou ts ta nd in g A /R b al an ce . A /R – C as h A pp lic at io ns Se gr eg at io n of D ut ie s Pr ov id e au th or iz at io n to a dj us t cu st om er A /R b al an ce s an d th os e w ho a pp ly th os e ad ju st m en ts to th e cu st om er ’s ou ts ta nd in g A /R b al an ce . A /R – C as h A pp lic at io ns Se gr eg at io n of D ut ie s D ep os it ca sh r ec ei pt s m us t n ot h av e w ith dr aw al p ri vi le ge s. A /R – C as h A pp lic at io ns In fo rm at io n Te ch no lo gy C on tr ol s IT a nd s ys te m c on tr ol s ar e ve ri fi e d to e ns ur e co m pl et e an d ac cu ra te pr oc es si ng o f d at a an d in fo rm at io n. R ev ie w e xc ep tio n re po rt s fo r th e ty pe s of is su es a nd r es ol ut io n. 
(C on ti nu ed ) bapp01.indd 229bapp01.indd 229 8/25/08 3:02:58 PM8/25/08 3:02:58 PM 230 P ro ce ss / A cc ou nt C on tr ol O bj ec ti ve o r R is k C on tr ol A ct iv it y or T es t Sa m pl e Si ze a nd R es ul ts of T es ti ng C on tr ol in P la ce ( Y/ N ) if N o Ty pe o f E xp os ur e P ro ce ss O w ne r R em ed ia ti on A ct io ns N ex t F ol lo w up / D ue D at e A /R – C as h A pp lic at io ns In fo rm at io n Te ch no lo gy C on tr ol s IT h as im pl em en te d ac ce ss c on tr ol s to en su re th at o nl y au th or iz ed in di vi du al s m ay u pd at e a cu st om er ’s A /R b al an ce s. A /R – A llo w an ce fo r D ou bt fu l A cc ou nt s C om pl et e A m on th e nd A /R a gi ng r ep or t i s us ed to d et er m in e th e m on th -e nd a llo w an ce fo r do ub tf ul a cc ou nt b al an ce a nd th at cu st om er A /R a ct iv ity is c ur re nt a nd co m pl et e. A /R – A llo w an ce fo r D ou bt fu l A cc ou nt s C om pl et e R ev ie w th e ef fi c ie nc y, th at is , tim el in es s fo r up da tin g cu st om er A /R ba la nc es a nd in pu t t o th e A /R a gi ng re po rt ; m ea su re th e tim e fr om w he n sa le s or de rs h av e be en s hi pp ed to up da tin g th e A /R b al an ce a nd fr om w he n co nfi r m at io n th at c as h ha s be en re ce iv ed to u pd at in g th e A /R b al an ce . A /R – A llo w an ce fo r D ou bt fu l A cc ou nt s C om pl et e R ev ie w th e ef fe ct iv en es s, i. e. , d ef ec ts of th e in fo rm at io n pr ov id ed w ith in th e A /R a gi ng r ep or t. C on fi r m a nd re co nc ile c om pa ny A /R b al an ce s w ith th e cu st om er ’s A /P r ec or ds . A /R – A llo w an ce fo r D ou bt fu l A cc ou nt s A cc ur at e T he a llo w an ce fo r do ub tf ul a cc ou nt s is ap pr op ri at el y ca lc ul at ed a nd p re se nt ed in c om pl ia nc e w ith C om pa ny p ol ic y, pr oc ed ur es a nd a cc ou nt in g gu id an ce . 
E st ab lis h m an ag em en t o ve rs ig ht , re vi ew a nd a pp ro va l f or d at a us ed , ca lc ul at io n an d re po rt in g. A /R – A llo w an ce fo r D ou bt fu l A cc ou nt s A cc ur at e Va lid at e th at th e m os t c ur re nt A /R ag in g re po rt is u se d to c al cu la te th e al lo w an ce . A /R – A llo w an ce fo r D ou bt fu l A cc ou nt s A cc ur at e Va lid at e th e us e of a n ap pr ov ed te m pl at e/ sp re ad sh ee t t o ga th er th e in pu t a nd te st c al cu la tio ns . bapp01.indd 230bapp01.indd 230 8/25/08 3:02:58 PM8/25/08 3:02:58 PM 231 A /R – A llo w an ce fo r D ou bt fu l A cc ou nt s A cc ur at e Va lid at e th at a ll re le va nt a cc ou nt ba la nc es in cl ud in g th os e id en tifi e d by m an ag em en t d is cr et io n ha ve b ee n in cl ud ed w ith in th e al lo w an ce c al cu la tio n. A /R – A llo w an ce fo r D ou bt fu l A cc ou nt s R ec on ci lia tio n R ev ie w th e m on th ly a cc ou nt s r ec ei va bl e re co nc ili at io n fo r c om pl et en es s an d ac cu ra cy a nd to e ns ur e th at un re co nc ile d ite m s a re p ro m pt ly in ve st ig at ed a nd re so lv ed . E ns ur e th at re co nc ili at io ns h av e be en re vi ew ed a nd ap pr ov ed b y m an ag em en t. A /R – A llo w an ce fo r D ou bt fu l A cc ou nt s A ut ho ri ze T he a llo w an ce is c or re ct ly a nd ac cu ra te ly a ut ho ri ze d an d re co rd ed in th e ge ne ra l l ed ge r. A /R – A llo w an ce fo r D ou bt fu l A cc ou nt s A ut ho ri ze R ev ie w th at th e an al ys is a nd a pp ro va l fo r th e ac co un t r ec on ci lia tio n, jo ur na l en tr ie s, a nd s up po rt in g do cu m en ta tio n ha s be en p ro pe rl y au th or iz ed . A /R – A llo w an ce fo r D ou bt fu l A cc ou nt s A ut ho ri ze T he fi na nc e m an ag er v er ifi es th at th e al lo w an ce fo r do ub tf ul a cc ou nt s is co rr ec tly r ec or de d by c om pa ri ng th e ba la nc e in th e ge ne ra l l ed ge r to th e ap pr ov ed c al cu la tio n. 
A /R – A llo w an ce fo r D ou bt fu l A cc ou nt s A ut ho ri ze T he a llo w an ce is re vi ew ed fo r co m pl ia nc e w ith a nd c on si st en t ap pl ic at io n of c om pa ny m et ho do lo gy . T he V P of F in an ce o r c or po ra te co nt ro lle r r ev ie w s, si gn s, an d da te s th e de ta ile d sc he du le s a nd fi na nc ia l di sc lo su re s. R ev ie w th e in pu t f or fi n an ci al d is cl os ur e an d su pp or tin g do cu m en ta tio n. A /R – A llo w an ce fo r D ou bt fu l A cc ou nt s In fo rm at io n Te ch no lo gy C on tr ol s Ve rif y th at sy st em c on tr ol s a re d es ig ne d in to th e pr og ra m s a nd th at th ey a re ex ec ut in g as d es ig ne d. S ys te m c on tr ol s m ay in cl ud e: m at ch in g th e cu st om er ’s A /R in pu t t o ot he r c om pa ny in fo rm at io n su ch a s i nv oi ce s; re tu rn s a cc ep te d by th e co m pa ny m us t e qu al th e am ou nt of re tu rn s p os te d to c us to m er A /R ac co un ts ; c as h ap pl ic at io n to ta ls m us t eq ua l c as h ap pl ie d to o ut st an di ng cu st om er A /R b al an ce s. (C on ti nu ed ) bapp01.indd 231bapp01.indd 231 8/25/08 3:02:59 PM8/25/08 3:02:59 PM 232 P ro ce ss / A cc ou nt C on tr ol O bj ec ti ve o r R is k C on tr ol A ct iv it y or T es t Sa m pl e Si ze a nd R es ul ts of T es ti ng C on tr ol in P la ce ( Y/ N ) if N o Ty pe o f E xp os ur e P ro ce ss O w ne r R em ed ia ti on A ct io ns N ex t F ol lo w up / D ue D at e C as h an d Se cu ri tie s C om pl et e T he in ve st m en t p or tf ol io s pr ea ds he et m on ito rs in ve st m en t, ch an ge s in fa ir m ar ke t v al ue , m ov em en t o f c ur re nc y fr om o ne ty pe o f s ec ur ity to a no th er , an d di sp os al o f i nv es tm en t. O bs er ve th e m ai nt en an ce a nd u se o f t he in ve st m en t p or tf ol io . C as h an d Se cu ri tie s C om pl et e A ll in ve st m en ts a re r ec or de d, m on ito re d, a nd tr ac ke d in th e in ve st m en t p or tf ol io s pr ea ds he et . 
O bs er ve to e ns ur e th at th er e ar e no si de d at ab as es o r re po si to ri es . S el ec t a sa m pl e se t o f t ra ns ac tio ns to tr ac e ba ck to s ou rc e do cu m en ta tio n. C as h an d Se cu ri tie s A cc ur at e A t l ea st m on th ly , t he c ur re nt fa ir m ar ke t v al ue o f t he in ve st m en t p or tf ol io is m on ito re d an d re vi ew ed to e ns ur e th at d ec is io ns r eg ar di ng c ha ng es in fa ir m ar ke t v al ue a re m ad e on a ti m el y ba si s. R ev ie w fi nd in gs o f p ee r re vi ew s of th e se lf- as se ss m en t c he ck lis ts . C as h an d Se cu ri tie s A cc ur at e F or m ul a ac cu ra cy w ith in th e in ve st m en t po rt fo lio sp re ad sh ee t i s v al id at ed e ac h m on th a s c on fi r m ed w ith p ee r- to -p ee r re vi ew s. Se le ct th e qu ar te r e nd sp re ad sh ee ts fo r r ev ie w a nd c om pl ia nc e w ith th e E nd U se r C om pu tin g re vi ew an d ap pr ov al p ro ce ss . C as h an d Se cu ri tie s A cc ur at e F in an ci al in fo rm at io n is a pp ro pr ia te ly pr es en te d an d al l i nf or m at io n th at is ne ce ss ar y fo r fa ir p re se nt at io n an d co m pl ia nc e w ith G A A P in cl ud in g di sc lo su re fo r re al iz ed a nd u nr ea liz ed ga in s/ lo ss es , l iq ui da tio n, a nd im pa ir ed m ar ke ta bl e se cu ri tie s. R ev ie w th e tr ea su ry p ol ic ie s an d pr oc ed ur es to en su re th ey a re c om pl et e, a cc ur at e, ap pr ov ed , a nd c om m un ic at ed . bapp01.indd 232bapp01.indd 232 8/25/08 3:02:59 PM8/25/08 3:02:59 PM 233 C as h an d Se cu ri tie s A ut ho ri ze In ve st m en ts a re a ut ho ri ze d an d ar e w ith in e st ab lis he d lim its a s de fi n ed by th e de le ga tio n of a ut ho ri ty . E xc es s ca sh is in ve st ed b as ed o n th e lim its as d efi n ed b y ca sh a nd m ar ke ta bl e se cu ri tie s po lic y an d pr oc ed ur es . 
R ev ie w m on th ly fi na nc ia l r ep or ts a nd se le ct a g ra ve -t o- cr ad le s am pl e fo r re vi ew a nd a ud it. C as h an d Se cu ri tie s A ut ho ri ze O nc e ap pr ov ed , d el eg at ed in di vi du al s m ay tr an sf er e xc es s ca sh to a ut ho ri ze d m ar ke ta bl e se cu ri ty a cc ou nt s. A ll tr an sa ct io ns m us t b e au th or iz ed a nd do cu m en te d. R ev ie w c he ck lis ts fo r co m pl et e, a cc ur at e an d au th or iz ed tr an sa ct io ns . C as h an d Se cu ri tie s A ut ho ri ze T he T re as ur er r ev ie w s an d ap pr ov es a ll in ve st m en t r el at ed jo ur na l e nt ri es a nd su pp or tin g do cu m en ta tio n in cl ud in g tr an sf er s, p ur ch as es , s al es , i nt er es t in co m e, r ea liz ed g ai ns a nd lo ss es , a nd un re al iz ed g ai ns a nd lo ss es a nd th e as so ci at ed ta x ef fe ct , e vi de nc ed b y a si gn at ur e an d da te . R ev ie w jo ur na l en tr ie s fo r ac cu ra te a cc ou nt c od in g, su pp or tin g do cu m en ta tio n an d tim el y pr oc es si ng . C as h an d Se cu ri tie s A ut ho ri ze T he T re as ur er r ev ie w s an d ap pr ov es th e qu ar te rl y di sc lo su re s pr ov id ed to ex te rn al r ep or tin g fo r su bm is si on to th e C om pa ny ’s 10 Q a nd 1 0K . R ev ie w th e qu ar te r en d su bm is si on , s up po rt in g do cu m en ta tio n an d au di t t ra il. C as h an d Se cu ri tie s R ec on ci lia tio n M on th ly , t he m ov em en t o f c as h be tw ee n ba nk a cc ou nt s an d m ar ke ta bl e se cu ri ty a cc ou nt s is r ec on ci le d. M on th ly , t he in ve st m en t p or tf ol io ac co un t b al an ce is r ec on ci le d to th e tr an sa ct io na l a ct iv ity w hi ch o cc ur re d du ri ng th e m on th . S el ec t r ec on ci lia tio n to e ns ur e ap pr op ri at e an al ys is , su pp or tin g do cu m en ta tio n, r ev ie w a nd ap pr ov al s ig na tu re s. 
(C on ti nu ed ) bapp01.indd 233bapp01.indd 233 8/25/08 3:03:00 PM8/25/08 3:03:00 PM 234 P ro ce ss / A cc ou nt C on tr ol O bj ec ti ve o r R is k C on tr ol A ct iv it y or T es t Sa m pl e Si ze a nd R es ul ts of T es ti ng C on tr ol in P la ce ( Y/ N ) if N o Ty pe o f E xp os ur e P ro ce ss O w ne r R em ed ia ti on A ct io ns N ex t F ol lo w up / D ue D at e C as h an d Se cu ri tie s R ec on ci lia tio n A t l ea st o n a qu ar te rl y ba si s, th e Tr ea su re r re vi ew s th e in ve st m en t po rt fo lio , i nc lu di ng m on ey m ar ke t fu nd s, to e ns ur e th at it c on tin ue s to co m pl y w ith th e in ve st m en t l im its as d efi n ed w ith in th e C as h an d M ar ke ta bl e Se cu ri tie s po lic y an d pr oc ed ur e. F in an ci al P la nn in g an d A na ly si s C om pl et e R ev ie w p ro ce ss c he ck lis ts to e ns ur e th at a ll bu si ne ss u ni ts , f un ct io na l de pa rt m en ts a nd o pe ra tio na l b us in es s ac tiv iti es h av e su bm itt ed b ud ge t i np ut . F in an ci al P la nn in g an d A na ly si s C om pl et e A cc ou nt c la ss ifi ca tio n an d bu dg et re po rt s ar e co ns is te nt w ith o th er fi n an ci al s ta te m en ts a nd r ep or ts . R ev ie w v ar ia nc e an al ys is a nd s am pl e se le ct ed a cc ou nt s. F in an ci al P la nn in g an d A na ly si s C om pl et e C om pa re a li st o f a pp ro ve d ca pi ta l pr oj ec t r eq ue st s w he th er in p ro gr es s or n ot y et s ta rt ed , t o en su re th ey a re in cl ud ed a nd p ro pe rl y cl as si fi e d w ith in th e bu dg et p ro ce ss . F in an ci al P la nn in g an d A na ly si s A cc ur at e R ev ie w th e bu dg et in st ru ct io n an d gu id an ce to e ns ur e th at it a dv is es co m pl ia nc e w ith G A A P, p er io d ov er pe ri od c on si st en cy , u se o f c ur re nt a nd hi st or ic p er fo rm an ce a nd is n or m al iz ed fo r on e tim e ev en ts . 
M on ito r th e ef fe ct iv en es s of b ud ge t a nd fo re ca st ac cu ra cy , n ot in g ho w fe ed ba ck is u se d to im pr ov e th e bu dg et p ro ce ss . F in an ci al P la nn in g an d A na ly si s A cc ur at e R ev ie w a ct ua l t o pl an v ar ia nc e an al ys is fo r re as on ab le e xp la na tio ns . S el ec t sa m pl e va ri an ce s to d et er m in e th e ac cu ra cy o f t he e xp la na tio ns . bapp01.indd 234bapp01.indd 234 8/25/08 3:03:00 PM8/25/08 3:03:00 PM 235 F in an ci al P la nn in g an d A na ly si s A ut ho ri ze R ev ie w b us in es s un it in pu t t o F P& A to en su re th at th e bu si ne ss u ni t m an ag er an d hi s/ he r fi n an ci al c on tr ol le r ha ve re vi ew ed a nd a pp ro ve d th e in pu t p ri or to s ub m is si on . R ev ie w th e ag en da s, m in ut es , a nd m em os o f b ud ge t- re la te d m ee tin gs to e ns ur e th at a n ap pr op ri at e le ve l o f d ue d ili ge nc e ha s be en a pp lie d. F in an ci al P la nn in g an d A na ly si s A ut ho ri ze To e ns ur e th at a n ap pr op ri at e le ve l o f du e di lig en ce h as b ee n ap pl ie d be fo re th e bu dg et is s ub m itt ed to th e bo ar d of d ir ec to rs fo r fi n al a pp ro va l, re vi ew se ni or m an ag em en t a ge nd as , m in ut es , an d m em os r el at ed to in te rn al r ev ie w an d ap pr ov al o f t he a nn ua l b ud ge t a nd qu ar te rl y fo re ca st s. F in an ci al P la nn in g an d A na ly si s In fo rm at io n Te ch no lo gy co nt ro ls W ith in th e bu dg et in g ap pl ic at io n, sy st em c on tr ol to ta ls a re u se d to e ns ur e co m pl et e an d ac cu ra te p ro ce ss in g of bu dg et in g in pu t. R ev ie w th e de si gn of th e ap pl ic at io n an d m at ch to th e co nt ro l t ot al s. 
F ix ed A ss et s, L on g- L iv ed A ss et s C om pl et e To c ap tu re u nr ec or de d fi x ed a ss et s, th e fi x ed -a ss et m an ag er o r de si gn ee re vi ew s ac tiv ity p os te d to s pe ci fi c ge ne ra l l ed ge r ex pe ns e ac co un ts (e .g ., of fi c e, I T, a nd r ep ai r an d m ai nt en an ce ) to id en tif y ac tiv ity th at m ee ts o r ex ce ed s lo ca l c ap ita liz at io n th re sh ol ds . T he r ev ie w is d oc um en te d th ro ug h a m on th ly s ig ne d jo ur na l e nt ry w ith su pp or t o f i te m s th at n ee d to b e ca pi ta liz ed . F ix ed A ss et s, L on g- L iv ed A ss et s C om pl et e T he fi xe d- as se t m an ag er o r de si gn ee re vi ew s th e co ns tr uc tio n in p ro gr es s (C IP ) a nd /o r cl ea ri ng a cc ou nt to de te rm in e w he th er p ur ch as e sh ou ld be c ap ita liz ed o r ex pe ns ed . R ev ie w th e ba la nc e in th e C IP a cc ou nt a nd th e po lic y an d pr oc ed ur e fo r ca pi ta liz at io n ve rs us e xp en se . (C on ti nu ed ) bapp01.indd 235bapp01.indd 235 8/25/08 3:03:00 PM8/25/08 3:03:00 PM 236 P ro ce ss / A cc ou nt C on tr ol O bj ec ti ve o r R is k C on tr ol A ct iv it y or T es t Sa m pl e Si ze a nd R es ul ts of T es ti ng C on tr ol in P la ce ( Y/ N ) if N o Ty pe o f E xp os ur e P ro ce ss O w ne r R em ed ia ti on A ct io ns N ex t F ol lo w up / D ue D at e F ix ed A ss et s, L on g- L iv ed A ss et s A cc ur at e A ll tr an sa ct io ns p os te d to th e fi x ed as se ts s ub le dg er a re v al id , a cc ur at e, an d ar e re co nc ile d to th e ge ne ra l le dg er . P ee r- to -p ee r re vi ew o f s el f- as se ss m en t c he ck lis ts . F ix ed A ss et s, L on g- L iv ed A ss et s A cc ur at e C ap ita liz ed a m ou nt s fo r fi x ed as se ts a re c on si st en t w ith c om pa ny ap pr ov ed c ap ita liz at io n lim its a nd po lic ie s. 
R ev ie w th e co m pa ny p ol ic y an d pr oc ed ur e fo r fi x ed a ss et fo r pe ri od -o ve r- pe ri od c om pa ri so n an d co m pl ia nc e w ith G A A P. R ev ie w fo r co ns is te nc y of a pp lic at io n be tw ee n ge og ra ph ic a re as . F ix ed A ss et s, L on g- L iv ed A ss et s A cc ur at e F ix ed a ss et s ar e co de d to th e ap pr op ri at e as se t c la ss ifi ca tio n ac co un t an d de pr ec ia tio n be gi ns w he n th e as se t is in s er vi ce . R ev ie w a ss et c at eg or ie s an d th e ty pe s of a ss et s co de d to th e ac co un t. R ev ie w d ep re ci at io n sc he du le an d co m pa re it to c om pa ny p ol ic y. F ix ed A ss et s, L on g- L iv ed A ss et s A ut ho ri ze T he F ix ed A ss et d ep ar tm en t f or w ar ds a lis t o f a ll C on st ru ct io n in P ro ce ss to th e re sp ec tiv e bu si ne ss u ni t a re as (e .g ., re al e st at e, fa ci lit ie s, I nf or m at io n Te ch no lo gy ) w hi ch r es po ns es w ith a co nfi r m at io n of c om pl et ed a nd p la ce d in s er vi ce . T he r ev ie w is e vi de nc ed th ro ug h by th e F ix ed A ss et M an ag er ap pr ov al s ig na tu re . T ra ce th e re sp on se s re ce iv ed to th e pr ep ar at io n an d po st in g of jo ur na l e nt ry r ec la ss ifi ca tio n of as se ts . S el ec t a g ra ve to c ra dl e sa m pl e se t o f t ra ns ac tio ns to tr ac e ba ck to so ur ce d oc um en ta tio n. F ix ed A ss et s, L on g- L iv ed A ss et s A ut ho ri ze T he F ix ed A ss et M an ag er r ev ie w s an d ap pr ov es a s ev id en ce d by s ig ni ng a nd da tin g th e Jo ur na l e nt ri es w hi ch is u se d fo r po st in g de pr ec ia tio n en tr ie s to th e G en er al L ed ge r. 
bapp01.indd 236bapp01.indd 236 8/25/08 3:03:01 PM8/25/08 3:03:01 PM 237 F ix ed A ss et s, L on g- L iv ed A ss et s A ut ho ri ze T he F ix ed A ss et M an ag er r ev ie w s an d ap pr ov es th e qu ar te rl y di sc lo su re s pr ov id ed to e xt er na l r ep or tin g fo r su bm is si on to th e C om pa ny ’s 10 Q an d 10 K . R ev ie w th e qu ar te r en d su bm is si on , s up po rt in g do cu m en ta tio n an d au di t t ra il. F ix ed A ss et s, L on g- L iv ed A ss et s R ec on ci lia tio n F ix ed a ss et r ec or ds in cl ud e de ta ils a s to : d es cr ip tio n an d id en tifi c at io n of th e as se t, lo ca tio n, a cq ui si tio n da te , ve nd or , d at e pl ac ed in to s er vi ce , c os t o f as se t, de pr ec ia bl e lif e, ta x de pr ec ia bl e lif e (if d iff er en t) , s al va ge o r en d of lif e va lu e an d ap pr op ri at e ge ne ra l le dg er a cc ou nt s. I te m s w hi ch a re in co m pl et e ar e fl a gg ed a s re co nc ili ng ite m s. R ev ie w th e fi x ed a ss et d at ab as e to e ns ur e th e co m pl et e an d ac cu ra te re co rd in g of d at a. F ix ed A ss et s, L on g- L iv ed A ss et s R ec on ci lia tio n T he F ix ed A ss et M an ag er r ev ie w s, ap pr ov es , s ig ns a nd d at es th e re co nc ili at io n of G en er al L ed ge r ba la nc es to th e ac cu m ul at ed de pr ec ia tio n su b- le dg er o n a m on th ly ba si s. R ev ie w r ec on ci lia tio n fo r ac cu ra cy , t im el in es s an d re so lu tio n of un re co nc ile d ite m s. F ix ed A ss et s, L on g- L iv ed A ss et s R ec on ci lia tio n R ev ie w th e re co nc ili at io n of th e C on st ru ct io n in P ro gr es s (C IP ) a nd / or c le ar in g ac co un t. Se le ct r ec en tly co m pl et ed p ro je ct s an d tr ac e th e tr an sa ct io na l a ct iv ity in to C IP a nd fr om C IP to it s fi n al a cc ou nt c la ss ifi ca tio n. 
F ix ed A ss et s, L on g- L iv ed A ss et s Sa fe gu ar d A ss et s A p hy si ca l i nv en to ry c ou nt p ro ce ss is do cu m en te d, p la nn ed , c om m un ic at ed an d ex ec ut ed . R ev ie w th e pl an a nd re su lts o f t he p hy si ca l i nv en to ry . Sa m pl e te st th e ph ys ic al in ve nt or y co un t. F ix ed A ss et s, L on g- L iv ed A ss et s Sa fe gu ar d A ss et s F ix ed A ss et s ar e re vi ew ed fo r ex is te nc e an d va lu at io n to r ec on ci le b oo k ba la nc es to th e ph ys ic al a ss et b al an ce s. (C on ti nu ed ) bapp01.indd 237bapp01.indd 237 8/25/08 3:03:02 PM8/25/08 3:03:02 PM 238 P ro ce ss / A cc ou nt C on tr ol O bj ec ti ve o r R is k C on tr ol A ct iv it y or T es t Sa m pl e Si ze a nd R es ul ts of T es ti ng C on tr ol in P la ce ( Y/ N ) if N o Ty pe o f E xp os ur e P ro ce ss O w ne r R em ed ia ti on A ct io ns N ex t F ol lo w up / D ue D at e F ix ed A ss et s, L on g- L iv ed A ss et s Sa fe gu ar d A ss et s T he F ix ed A ss et M an ag er o r de si gn ee co nd uc ts a p er io di c ph ys ic al in ve nt or y co un t o f F ix ed A ss et s an d re co nc ile s th ei r fi n di ng s to th e F ix ed A ss et s su b le dg er . V ar ia nc e if an y ar e re se ar ch ed , re vi ew ed , a pp ro ve d, s ig ne d an d da te d ap pr op ri at el y. F ix ed A ss et s, L on g- L iv ed A ss et s Sa fe gu ar d A ss et s T he F ix ed A ss et M an ag er o r de si gn ee re vi ew s an d ap pr ov es a s ev id en ce d by si gn in g an d da tin g th e Jo ur na l e nt ri es w hi ch a re u se d to r ec or d ad ju st m en ts to th e G en er al L ed ge r du e to v ar ia nc es id en tifi e d du ri ng th e ph ys ic al in ve nt or y. 
F ix ed A ss et s, L on g- L iv ed A ss et s Se gr eg at io n of D ut ie s Se gr eg at io n of d ut ie s ex is ts a nd is m ai nt ai ne d be tw ee n em pl oy ee s w ho ha ve u pd at e or m ai nt en an ce a cc es s to th e fi x ed -a ss et d at ab as e an d th os e em pl oy ee s w ho h av e ac ce ss to p ro ce ss ve nd or in vo ic es (i .e ., A /P ) p os t g oo ds re ce ip ts a ga in st th e pu rc ha se o rd er (i .e ., re ce iv in g de pa rt m en t, pr oc ur em en t o r th e bu si ne ss a re a) . F ix ed A ss et s, L on g- L iv ed A ss et s In fo rm at io n Te ch no lo gy C on tr ol s A cc es s is r es tr ic te d to a ut ho ri ze d pe rs on ne l v ia a s ys te m fe ed fr om th e hu m an r es ou rc e da ta ba se id en tif yi ng th os e ac tiv e em pl oy ee s w ho r eq ui re ac ce ss b as ed o n th ei r j ob re sp on si bi lit ie s an d ot he rs a s pe r m an ag em en t ap pr ov al . R ev ie w th e pr oc es s to e ns ur e th at c ur re nt H R d at ab as e fi l es a re u se d. Va lid at e an d te st th e cr ite ri a us ed to as si gn r es po ns ib ili ty a nd g ra nt fi xe d- as se t d at ab as e ac ce ss . In te rc om pa ny Tr an sa ct io ns C om pl ia nc e w ith la w s an d re gu la tio ns R ev ie w a nd v al id at e th at I nt er co m pa ny ag re em en ts a re e st ab lis he d, r ev ie w ed an d ap pr ov ed w he re a nd a s ne ce ss ar y w ith lo ca l l aw s an d re gu la tio ns . bapp01.indd 238bapp01.indd 238 8/25/08 3:03:02 PM8/25/08 3:03:02 PM 239 In te rc om pa ny Tr an sa ct io ns C om pl ia nc e w ith la w s an d re gu la tio ns R ev ie w a nd a na ly ze th e In te rc om pa ny po lic y, p ro ce du re a nd in st ru ct io n to en su re c om pl ia nc e w ith lo ca l l aw s, re gu la tio ns a nd G A A P. V al id at e cr os s bo rd er tr ea tm en t w ith C or po ra te T ax an d Im po rt / E xp or t d ep ar tm en ts . Va lid at e in st ru ct io n w ith C or po ra te Tr ea su ry . 
In te rc om pa ny Tr an sa ct io ns C om pl et e R ev ie w a nd a na ly ze th e In te rc om pa ny ac co un t g en er al le dg er a ct iv ity fo r th e ty pe s an d tr ea tm en t o f c ha rg es . R ev ie w co rr es po nd in g bu si ne ss a re a ac tiv ity to e ns ur e th e co m pl et e, a cc ur at e an d tim el y re co gn iti on o f t he I nt er co m pa ny ac co un t r ec ei va bl e an d pa ya bl e w ith in bo th b us in es s en tit ie s. In te rc om pa ny Tr an sa ct io ns C om pl et e L oc al c ou nt ry c on tr ol le rs r ev ie w ac co un t a ct iv ity to e ns ur e th at it em s el ig ib le fo r in te rc om pa ny c ro ss -c ha rg es ar e pr op er ly d oc um en te d, r ev ie w ed , an d ap pr ov ed p ri or to p ro ce ss in g as an in te rc om pa ny tr an sa ct io n. O bs er ve lo ca l c ou nt ry c on tr ol le r pr oc ed ur e an d re vi ew a pp ro va l p ro ce ss . In te rc om pa ny Tr an sa ct io ns C om pl et e R ev ie w th e in st ru ct io n an d ch ec kl is t fo r tr an sa ct io n pr oc es si ng c ut of fs , co ns ol id at io n, a nd in te rc om pa ny el im in at io n en tr y pr oc es si ng . O bs er ve an d co m m en t o n th e pr oc es s. In te rc om pa ny Tr an sa ct io ns A cc ur at e R ev ie w th e pr oc es s fo r an d a se le ct a sa m pl e of tr an sa ct io ns to e ns ur e th at th er e ar e ap pr ov al s an d ac ce pt an ce fr om th e re ce iv in g en tit y pr io r to th e ch ar ge b ei ng s en t. In te rc om pa ny in vo ic es a re p re pa re d by th e en tit y se nd in g th e ch ar ge (i .e ., th e en tit y ho ld in g th e in te rc om pa ny a cc ou nt s re ce iv ab le ) a nd s ub m itt ed to th e en tit y re ce iv in g th e ch ar ge (i .e ., th e en tit y ob lig at ed fo r se tt lin g th e in te rc om pa ny a cc ou nt s pa ya bl e) . V er ify th at in fo rm at io n co nt ai ne d on in vo ic es w ou ld s at is fy c us to m a nd ta x au di t re qu ir em en ts . 
(C on ti nu ed ) bapp01.indd 239bapp01.indd 239 8/25/08 3:03:02 PM8/25/08 3:03:02 PM 240 P ro ce ss / A cc ou nt C on tr ol O bj ec ti ve o r R is k C on tr ol A ct iv it y or T es t Sa m pl e Si ze a nd R es ul ts of T es ti ng C on tr ol in P la ce ( Y/ N ) if N o Ty pe o f E xp os ur e P ro ce ss O w ne r R em ed ia ti on A ct io ns N ex t F ol lo w up / D ue D at e In te rc om pa ny Tr an sa ct io ns A cc ur at e R ev ie w th e in st ru ct io n an d ob se rv e th e pr ac tic e of c le ar in g In te rc om pa ny ba la nc es . In te rc om pa ny Tr an sa ct io ns A cc ur at e R ev ie w th e ca lc ul at io n an d ac co un tin g tr ea tm en t f or w ith ho ld in g ta xe s an d / or fo re ig n ex ch an ge d iff er en ce s. In te rc om pa ny Tr an sa ct io ns A ut ho ri ze d Pr io r to p os tin g In te rc om pa ny jo ur na l en tr ie s or s en di ng th e In te rc om pa ny in vo ic e, th e en tit y se nd in g th e ch ar ge m us t g ai n ap pr ov al fr om th e en tit y re ce iv in g th e ch ar ge . A ut ho ri za tio n is w itn es se d by s ig na tu re s an d da te s. In te rc om pa ny Tr an sa ct io ns A ut ho ri ze d T he v ar io us ty pe s of in te rc om pa ny cr os s- ch ar ge s an d th ei r re la te d ac co un tin g an d ta x tr ea tm en t a re re vi ew ed in cl ud in g a so ur ce d at a ch ec k, in te gr ity te st in g, a nd a n ou tp ut d at a ch ec k by th e co rp or at e ta x, c or po ra te tr ea su ry , c or po ra te ac co un tin g, a nd fi na nc ia l r ep or tin g. R ev ie w th e ag en da s, m in ut es fr om m ee tin gs , a nd r em ed ia l a ct io n ite m s fo r po lic y an d pr oc ed ur es . In te rc om pa ny Tr an sa ct io ns A ut ho ri ze d T he I nt er co m pa ny a ct iv ity is r ev ie w ed fo r co m pl ia nc e w ith a nd c on si st en t ap pl ic at io n of c om pa ny m et ho do lo gy . T he C or po ra te C on tr ol le r, re vi ew s, si gn s an d da te s th e de ta ile d sc he du le s an d fi n an ci al d is cl os ur es . 
R ev ie w th e in pu t f or fi na nc ia l d is cl os ur e an d su pp or tin g do cu m en ta tio n. In te rc om pa ny Tr an sa ct io ns R ec on ci lia tio n R ev ie w in te rc om pa ny a cc ou nt re co nc ili at io n to e ns ur e ac co un t ba la nc es a re c or re ct w ith n o re si du al ef fe ct s du e to u pl ift c ha rg es , f or ei gn ex ch an ge , o r ot he r ch ar ge s. F ol lo w to en su re th at d is pu te s ar e re so lv ed in a tim el y m an ne r an d ad ju st m en ts a re do cu m en te d, a pp ro ve d, a nd s ig ne d. bapp01.indd 240bapp01.indd 240 8/25/08 3:03:03 PM8/25/08 3:03:03 PM 241 In te rc om pa ny Tr an sa ct io ns In fo rm at io n Te ch no lo gy C on tr ol A s a sy st em c he ck , t he I nt er co m pa ny da ta ba se m at ch es th e de ta ils o f t he jo ur na l e nt ri es to e ns ur e th at b ot h th e se nd in g an d re ce iv in g en tit ie s us e th e sa m e ac co un t c la ss ifi ca tio n. In te rc om pa ny Tr an sa ct io ns In fo rm at io n Te ch no lo gy C on tr ol In te rc om pa ny d at ab as e ac ce ss is re st ri ct ed to a ut ho ri ze d pe rs on ne l. O n a qu ar te rl y ba si s, th e ro le o w ne r re vi ew s ac ce ss to e ns ur e th at o nl y au th or iz ed in di vi du al s ha ve a cc es s to th e In te rc om pa ny d at ab as e. R aw M at er ia ls a nd In ve nt or y C om pl et e R ev ie w in sp ec tio n re po rt s fo r co m pl et en es s, a cc ur ac y an d tim el y pr oc es si ng o f g oo ds r ec ei ve d. R ev ie w pe er -t o- pe er c he ck lis ts fo r th e re vi ew an d ac ce pt an ce o f i nc om in g pr od uc ts . R aw M at er ia ls a nd In ve nt or y C om pl et e R ev ie w a nd o bs er ve th e tr ea tm en t of n on -c om pa ny -o w ne d in ve nt or y (e .g ., m at er ia ls a nd in ve nt or y he ld on c on si gn m en t o r on b eh al f o f a cu st om er ) i s re co rd ed . 
R aw M at er ia ls a nd In ve nt or y C om pl et e R ev ie w a nd o bs er ve th at m at er ia ls a nd in ve nt or y id en tifi e d fo r w as te o r sc ra p is s eg re ga te d an d re co rd ed . R aw M at er ia ls a nd In ve nt or y C om pl et e O ut go in g in ve nt or y m us t b e in sp ec te d fo r qu al ity a nd c on si st en cy w ith th e sa le s or de r/ sh ip pi ng r eq ue st p ri or to s hi pm en t. R ev ie w p ee r- to -p ee r ch ec kl is ts fo r th e re vi ew o f o ut go in g pr od uc ts . R aw M at er ia ls a nd In ve nt or y C om pl et e R ev ie w c er tifi c at es o f d es tr uc tio n or di sp os al a nd c on fi r m th at th e in ve nt or y ha s be en r el ie ve d fr om th e in ve nt or y re co rd s in a cc or da nc e w ith a pp ro ve d pr oc ed ur es . (C on ti nu ed ) bapp01.indd 241bapp01.indd 241 8/25/08 3:03:03 PM8/25/08 3:03:03 PM 242 P ro ce ss / A cc ou nt C on tr ol O bj ec ti ve o r R is k C on tr ol A ct iv it y or T es t Sa m pl e Si ze a nd R es ul ts of T es ti ng C on tr ol in P la ce ( Y/ N ) if N o Ty pe o f E xp os ur e P ro ce ss O w ne r R em ed ia ti on A ct io ns N ex t F ol lo w up / D ue D at e R aw M at er ia ls a nd In ve nt or y A cc ur ac y R ev ie w th e ac cu ra cy a nd c om pl et en es s of in ve nt or y re co rd s to tr ac e in ve nt or y m ov em en t f ro m c ra dl e to g ra ve . In ve nt or y re co rd s sh al l i nc lu de th e pr od uc t o r id en tif yi ng n um be r, pr od uc t na m e or d es cr ip tio n, v en do r, da te re ce iv ed , p ur ch as e or de r re fe re nc e, qu an tit y, p ri ce p er u ni t, id en tifi e r of th e pe rs on r ec ei vi ng th e in ve nt or y an d w ar eh ou se lo ca tio n w he re th e in ve nt or y is s to re d. W ith in th e m at er ia ls m ov em en t m od ul e of th e in ve nt or y da ta ba se in fo rm at io n is co lle ct ed a bo ut w ho r eq ue st s th e m ov e, th e da te a nd th e ne w lo ca tio n of th e pr od uc t. 
W ith in th e ou tg oi ng m od ul e of th e in ve nt or y da ta ba se , e ac h in ve nt or y re co rd is u pd at ed to r efl e ct th e cu st om er n am e an d/ or c us to m er nu m be r, da te q ua nt ity s hi pp ed , sh ip pi ng c ar ri er o r re fe re nc e nu m be r an d sa le s or de r re fe re nc e. R aw M at er ia ls a nd In ve nt or y Ti m el in es s O bs er ve th e us e of b ar c od e sc an ni ng eq ui pm en t, to c ol le ct a nd r ec or d in fo rm at io n w ith in th e in ve nt or y da ta ba se . R aw M at er ia ls a nd In ve nt or y Ti m el in es s R ev ie w a nd o bs er ve th at in ve nt or y re ce iv ed b y th e co m pa ny a t t he e nd o f th e ac co un tin g cy cl e an d no t r ec or de d in th e in ve nt or y da ta ba se is a cc ru ed ac co rd in g to th e co m pa ny ’s ac cr ua l po lic y an d pr oc ed ur e. S am pl e te st -e nd an d be gi nn in g- of -t he -m on th m at er ia ls an d in ve nt or y re ce ip ts to e ns ur e ap pr op ri at e pe ri od r ec og ni tio n an d tim in g. R aw M at er ia ls a nd In ve nt or y In fo rm at io n Te ch no lo gy C on tr ol s A cc es s to th e in ve nt or y da ta ba se is co nt ro lle d. bapp01.indd 242bapp01.indd 242 8/25/08 3:03:04 PM8/25/08 3:03:04 PM 243 R aw M at er ia ls a nd In ve nt or y In fo rm at io n Te ch no lo gy C on tr ol s C on tr ol to ta ls a re u se d to e ns ur e co m pl et e re co rd in g of tr an sa ct io ns . R ev ie w th e in st ru ct io n fo r an d th e ac tu al u se o f c on tr ol to ta ls a re in co rp or at ed a t a pp ro pr ia te c on tr ol po in ts a nd s er ve a s ap pr op ri at e co nt ro l in di ca to rs . R aw M at er ia ls a nd In ve nt or y In fo rm at io n Te ch no lo gy C on tr ol s In cr ea se s an d de cr ea se s to in ve nt or y vo lu m es a nd v al ue s tr ig ge r re po rt s us ed in jo ur na l e nt ry p re pa ra tio n. W he re a nd a s po ss ib le th er e is a n au to m at ed p ro ce ss to r ec or d in co m in g an d ou tg oi ng in ve nt or y tr ac ki ng . 
W he re a nd a s po ss ib le , t he re is a n au to m at ed p ro ce ss to r ec or d m at er ia ls an d in ve nt or y m ov em en t t hr ou gh th e pr od uc tio n cy cl e. S el ec t a s am pl e to re vi ew , t ra ce a nd m at ch m at er ia ls a nd in ve nt or y m ov em en t t hr ou gh d at a pr oc es si ng a nd jo ur na l e nt ry r ep or ts . R aw M at er ia ls a nd In ve nt or y R ec on ci lia tio n R ev ie w a nd a na ly ze r ec on ci lia tio n of in ve nt or y id en tif yi ng in co m in g, m ov em en t, di sp os iti on a nd s hi pm en t by p ro du ct c la ss a nd a m ou nt . R aw M at er ia ls a nd In ve nt or y R ec on ci lia tio n R ev ie w a nd a na ly ze r ec on ci lia tio n be tw ee n co st o f g oo ds s ol d, i. e. , in ve nt or y da ta ba se a nd th e sh ip m en t o f in ve nt or y i.e ., sa le s or de r da ta ba se . R aw M at er ia ls a nd In ve nt or y R ec on ci lia tio n R ev ie w a nd a na ly ze r ec on ci lia tio n be tw ee n in co m in g pa ck in g sl ip s, i. e. , go od s re ce ip t i n th e pr oc ur em en t da ta ba se a nd in ve nt or y re ce iv ed a nd re co rd ed in th e in ve nt or y da ta ba se a nd w ith a pp ro ve d an d co m pl et ed p ur ch as e or de rs . R aw M at er ia ls a nd In ve nt or y R ec on ci lia tio n R ev ie w a nd a na ly ze r ec on ci lia tio n be tw ee n (a ) o ut go in g sh ip pi ng re po rt s an d in ve nt or y sh ip pe d an d (b ) i nv en to ry r ec or de d in th e in ve nt or y da ta ba se a nd a pp ro ve d sa le s or de rs . 
(C on ti nu ed ) bapp01.indd 243bapp01.indd 243 8/25/08 3:03:04 PM8/25/08 3:03:04 PM 244 P ro ce ss / A cc ou nt C on tr ol O bj ec ti ve o r R is k C on tr ol A ct iv it y or T es t Sa m pl e Si ze a nd R es ul ts of T es ti ng C on tr ol in P la ce ( Y/ N ) if N o Ty pe o f E xp os ur e P ro ce ss O w ne r R em ed ia ti on A ct io ns N ex t F ol lo w up / D ue D at e R aw M at er ia ls a nd In ve nt or y Se gr eg at io n of D ut ie s Se gr eg at io n- of -d ut ie s te st s ar e pe rf or m ed b y ob se rv in g ro le s an d re sp on si bi lit ie s, r ev ie w in g do cu m en te d fl o w ch ar ts a nd /o r pr oc ed ur es . Se gr eg at io n of d ut ie s ex is ts b et w ee n em pl oy ee s w ho h av e ac ce ss to : R aw M at er ia ls a nd In ve nt or y Se gr eg at io n of D ut ie s A ut ho ri zi ng th e ac qu is iti on o f m at er ia ls an d in ve nt or y an d th os e w ho r ec ei ve it , ha ve c us to dy o ve r it R aw M at er ia ls a nd In ve nt or y Se gr eg at io n of D ut ie s R ec ei ve a nd h av e cu st od y ov er m at er ia ls a nd in ve nt or y an d th os e w ho au th or iz e th e ac qu is iti on , m ov em en t o r di sp os al o f i t R aw M at er ia ls a nd In ve nt or y Se gr eg at io n of D ut ie s Ph ys ic al c us to dy o f m at er ia ls an d in ve nt or y an d th os e w ho a re re sp on si bl e fo r th e ac co un tin g, re co rd ke ep in g an d re co nc ili ng o f i t R aw M at er ia ls a nd In ve nt or y Sa fe gu ar di ng A ss et s O bs er ve th e de si gn at ed r ec ei vi ng ar ea a nd p ro ce ss to e ns ur e th e co m pl et e an d ac cu ra te r ec or di ng o f th e tr an sa ct io n in to th e ap pr op ri at e da ta ba se s. R aw M at er ia ls a nd In ve nt or y Sa fe gu ar di ng A ss et s O bs er ve th e de si gn at ed s hi pp in g ar ea a nd p ro ce ss to e ns ur e th e co m pl et e an d ac cu ra te r ec or di ng o f th e tr an sa ct io n in to th e ap pr op ri at e da ta ba se s. 
R aw M at er ia ls a nd In ve nt or y Sa fe gu ar di ng A ss et s R ev ie w a nd o bs er ve th e ph ys ic al a nd ac co un tin g tr ea tm en t f or m at er ia ls an d in ve nt or y as th ey a re : r ec ei ve d as in co m in g, m ov ed b et w ee n de pa rt m en ts o r w ar eh ou se s, r el ea se d fo r sh ip m en t o r ou tg oi ng . R aw M at er ia ls a nd In ve nt or y Sa fe gu ar di ng A ss et s O bs er ve th e ph ys ic al c ou nt in g of in ve nt or y an d sa m pl e ch ec k th e co un ts . bapp01.indd 244bapp01.indd 244 8/25/08 3:03:05 PM8/25/08 3:03:05 PM 245 R aw M at er ia ls a nd In ve nt or y Sa fe gu ar di ng A ss et s C on fi r m th at m at er ia ls a nd in ve nt or y is p ro pe rl y in su re d by th e co m pa ny an d th at m at er ia ls a nd in ve nt or y he ld on b eh al f o f v en do rs a nd /o r cu st om er s is in cl ud ed w ith in th e C om pa ny ’s in su ra nc e. R aw M at er ia ls a nd In ve nt or y Sa fe gu ar di ng A ss et s O bs er ve a nd c on fi r m th at a cc es s to th e w ar eh ou se is s ec ur e. C on fi r m th at th e in ve nt or y is p ro pe rl y pr ot ec te d ag ai ns t da m ag e, th ef t, an d m is ap pr op ri at io n. Jo ur na l E nt ri es C om pl et e T he c om pl et io n, e xi st en ce , a nd ac cu ra cy o f j ou rn al e nt ri es , i nc lu di ng st an da rd a nd n on st an da rd jo ur na l en tr ie s an d ot he r ad ju st m en ts , ar e ac cu ra te . S el ec t a s am pl e of jo ur na l e nt ri es a nd r ev ie w th em fo r co m pl et en es s an d ac cu ra cy in cl ud in g th e at ta ch m en t o r re fe re nc e to su pp or tin g do cu m en ta tio n. R ev ie w pe er -t o- pe er d oc um en te d re vi ew s of se le ct ed jo ur na l e nt ri es . Jo ur na l E nt ri es C om pl et e M an ag em en t s ha ll en su re th at th es e jo ur na l e nt ri es a re in iti at ed , au th or iz ed , r ec or de d an d pr oc es se d ap pr op ri at el y in th e ge ne ra l l ed ge r. 
Se le ct a s am pl e of jo ur na l e nt ri es a nd re vi ew th em fo r m an ag em en t r ev ie w an d au th or iz at io n. Jo ur na l E nt ri es C om pl et e Se le ct ed s am pl e of a cc ou nt b al an ce s ar e tr ac ed b ac k (i. e. , g ra ve -t o- cr ad le sa m pl in g) to th e so ur ce d oc um en ta tio n to e ns ur e ac cu ra te , c om pl et e, a nd tim el y re po rt in g. Jo ur na l E nt ri es C om pl et e A n ac co un tin g sc he du le is co m m un ic at ed to th os e w ho h av e to pr ep ar e, r ev ie w a nd a pp ro ve jo ur na l en tr ie s. R ev ie w a cc ou nt in g in st ru ct io ns an d gu id an ce fo r co m pl et en es s, ac cu ra cy a nd c om pl ia nc e w ith G A A P. (C on ti nu ed ) bapp01.indd 245bapp01.indd 245 8/25/08 3:03:05 PM8/25/08 3:03:05 PM 246 P ro ce ss / A cc ou nt C on tr ol O bj ec ti ve o r R is k C on tr ol A ct iv it y or T es t Sa m pl e Si ze a nd R es ul ts of T es ti ng C on tr ol in P la ce ( Y/ N ) if N o Ty pe o f E xp os ur e P ro ce ss O w ne r R em ed ia ti on A ct io ns N ex t F ol lo w up / D ue D at e Jo ur na l E nt ri es A cc ur at e A ll jo ur na l e nt ri es a re b al an ce d w ith de bi ts e qu al in g cr ed its . O nl y va lid a nd au th or iz ed a cc ou nt c od es a re e lig ib le an d ac ce ss ib le fo r us e. S el ec t a te st sa m pl e of jo ur na l e nt ri es a nd r ev ie w to en su re a pp ro pr ia te le ve l o f s up po rt in g do cu m en ta tio n, r ev ie w a nd a pp ro va l w as p er fo rm ed . Jo ur na l E nt ri es A cc ur at e Jo ur na l e nt ri es a re a cc ur at e, in iti at ed , au th or iz ed , r ec or de d an d pr oc es se d ap pr op ri at el y in th e ge ne ra l l ed ge r. Jo ur na l E nt ri es A cc ur at e A cc ru al s a re a de qu at e, a cc ur at e, h av e ad eq ua te su pp or t a nd a pp ro va ls , a nd a re re co rd ed in th e ap pr op ri at e ac co un tin g pe ri od . S el ec t a sa m pl e an d re vi ew ca lc ul at io ns a nd a cc ou nt in g tr ea tm en t. 
Jo ur na l E nt ri es A ut ho ri ze O nl y au th or iz ed e m pl oy ee s ha ve a cc es s to p re pa re , r ev ie w , a pp ro ve a nd /o r po st jo ur na l e nt ri es . A li st o f a pp ro ve d em pl oy ee s is m ai nt ai ne d by fi na nc ia l re po rt in g. Jo ur na l E nt ri es R ec on ci lia tio n A cc ou nt s ar e re co nc ile d or a na ly ze d in d et ai l t o en su re a cc ou nt b al an ce s ar e co rr ec t a nd r ec or de d in th e pr op er pe ri od . Jo ur na l E nt ri es In fo rm at io n Te ch no lo gy If jo ur na l e nt ri es a re p re pa re d us in g In fo rm at io n Te ch no lo gy a pp lic at io ns , th er e ar e co nt ro ls to e ns ur e th at o nl y co m pl et e, a cc ur at e an d tim el y jo ur na l en tr ie s ar e pr oc es se d fo r a gi ve n pe ri od . S el ec t a s am pl e an d co nd uc t a w al kt hr ou gh o f t ra ns ac tio n th ro ug h th e te ch no lo gy p ro ce ss . Jo ur na l E nt ri es In fo rm at io n Te ch no lo gy E ns ur e th at o nl y ac cu ra te a cc ou nt co de s ar e us ed fo r jo ur na l e nt ri es . R ev ie w a nd a na ly ze th e co m pa ny ’s ch ar t o f a cc ou nt s an d ge ne ra l l ed ge r. bapp01.indd 246bapp01.indd 246 8/25/08 3:03:06 PM8/25/08 3:03:06 PM 247 Jo ur na l E nt ri es In fo rm at io n Te ch no lo gy D at a en tr y lo ad s or jo ur na l e nt ri es ar e ac cu ra te , i ni tia te d, a ut ho ri ze d, re co rd ed a nd p ro ce ss ed a pp ro pr ia te ly in th e ge ne ra l l ed ge r. Pa yr ol l C om pl ia nc e w ith la w s an d re gu la tio ns R ev ie w p ro ce ss to e ns ur e ap pr op ri at e ac co un tin g tr ea tm en t a nd r ep or tin g of th os e pa yr ol l c he ck s re qu ir ed to b e se gr eg at ed fo r es ch ea t t re at m en t. Pa yr ol l C om pl ia nc e w ith la w s an d re gu la tio ns R ev ie w a cc ou nt in g tr ea tm en t a nd es ch ea t r ep or tin g. 
Pa yr ol l C om pl ia nc e w ith la w s an d re gu la tio ns R ev ie w p ro ce ss in g pr oc ed ur es w he re lo ca l j ur is di ct io na l l aw s an d re gu la tio ns ar e di ff er en t t ha n co m pa ny s ta nd ar d pr ac tic e. Pa yr ol l C om pl ia nc e w ith la w s an d re gu la tio ns R ev ie w a nd r ec on ci le ta x an d ju ri sd ic tio na l r ep or tin g w ith a ct ua l pa yr ol l a m ou nt s. E ns ur e th e ap pr op ri at e re co rd in g an d pa ym en t o f no n- st an da rd r eq ui re m en ts . Pa yr ol l C om pl et e, A cc ur at e an d Ti m el y Pa yr ol l p ro ce ss ed o r pa id is a cc ur at e an d co m pl et e. P ay ro ll ca lc ul at ed ba se d on a pp ro ve d ra te s an d fo rm ul as in pu t t o th e pa yr ol l s ys te m , i nc lu di ng ad di tio na l p ay a nd d ed uc tio ns . R ev ie w an d an al yz e pe ri od o ve r pe ri od c on tr ol to ta ls , v ar ia nc es to p la nn ed s pe nd in g. Se le ct s am pl es a nd fo llo w th e pr oc es s fr om ti m e re co rd in g, to c al cu la tio n to pa yr ol l d is bu rs em en t. Pa yr ol l C om pl et e, A cc ur at e an d Ti m el y R ev ie w a nd a na ly ze th e tim in g of fu nd s tr an sf er b et w ee n C om pa ny b an k ac co un ts to c ov er p ay ro ll. Pa yr ol l C om pl et e, A cc ur at e an d Ti m el y R ev ie w e m pl oy ee d is pu te lo gs to en su re ti m el y, a cc ur at e re so lu tio n an d ro ot c au se a na ly si s an d co nt in uo us im pr ov em en t t o th e pa yr ol l p ro ce ss . Pa yr ol l A ut ho ri ze R ev ie w a nd a na ly ze p ay ro ll po lic y, pr oc ed ur es a nd in st ru ct io ns fo r pr oc es si ng p ay m en ts . 
Process/Account | Control Objective or Risk | Control Activity or Test | Sample Size and Results of Testing | Control in Place (Y/N) | If No, Type of Exposure | Process Owner | Remediation Actions | Next Follow-up / Due Date
Payroll | Authorize | Manual checks are authorized and approved by two authorized signatories as named within the Treasury guidelines. Observe and review the manual check process. Select a sample of checks and validate the calculation, management review and authorized signatories.
Payroll | Authorize | Review all journal entry methodology including expense, liabilities and cash produced for payroll processing. Select sample journal entries for review of supporting documentation and processing of the transactions.
Payroll | Reconciliation | Bank reconciliation of the payroll processing account is performed after each payroll check run. Select a bank reconciliation and review for accuracy, management review and authorization, and appropriate journal entry treatment.
Payroll | Reconciliation | Review the processing and reconciliation trail by following totals and selected samples through the cycle which calculates and disburses payroll, to the recording of journal entries, to the reconciliation of bank statements.
Payroll | Safeguard Assets | Check paper stock and signature plates are retained in a locked safe with limited access by authorized personnel. Perform a physical inspection of these assets.
Payroll | Segregation of Duties | Segregation of Duties tests are performed by observing roles and responsibilities, reviewing documented flow charts and/or procedures. Segregation of Duties exists between employees who have access to:
Payroll | Segregation of Duties | access to systems and those who process the data
Payroll | Segregation of Duties | employee master data, identifying eligible employees and approved pay rates
Payroll | Segregation of Duties | authorize and input data
Payroll | Segregation of Duties | approve and oversee change data or system maintenance and those who input or process the data
Payroll | Segregation of Duties | review and reconcile reports
Payroll | Information Technology Controls | Review access controls and the list of authorized employees between the Company's payroll system and Human Resource employee records.
Payroll | Information Technology Controls | IT processing and calculation controls are built into the payroll calculation which identifies amounts in excess of approved thresholds.
Payroll | Information Technology Controls | Review and analyze IT control logs. Review and analyze selected system control reports and follow the process to resolve issues on exception reports.
Payroll | Information Technology Controls | If any part of the process is outsourced, review the SAS 70 report provided to the company to ensure that the outsource provider has adequate internal controls in place. Select samples to ensure consistent processing of information.
Procurement | Compliance with contract terms and conditions | Review and ensure all vendors have valid procurement contracts and, where there are non-standard terms and conditions, those contracts have additional finance and legal approval.
Procurement | Complete | Walk through and observe the purchase requisition to purchase order process. Select a sample of approved POs and review for accuracy, completeness and timeliness of processing.
Procurement | Complete | Walk through and observe the goods receipting process and closing of open POs by requesting departments. Select a sample and review for accuracy, completeness and timeliness of processing.
Procurement | Accurate | Review procurement activity reports and performance measures to ensure accurate, complete, timely reporting. Review remediation actions and plans.
Procurement | Accurate | Review the chart of accounts and the application of the account assignment on approved POs.
Procurement | Accurate | Review exception reports from A/P signaling quantity and quality differences between the PO and the invoice. Select a sample and review for resolution, remediation and action plans.
Procurement | Authorized | Select a sample of POs and review for completeness, accuracy and authorization. Review that POs are placed with qualified and approved vendors.
Procurement | Authorized | Select a sample of changes to POs and validate accuracy and pre-authorization.
Procurement | Authorized | Review exception reports and remediation plans for POs placed after the goods and/or services have been received.
Procurement | Authorized | Observe and walk through the vendor qualification process. Review and analyze vendor performance reports, vendor site visit reports and remediation action plans.
Procurement | Authorized | Review exception reports and remediation plans for POs placed with unqualified vendors or for unauthorized products or services.
Procurement | Segregation of Duties | Segregation of Duties tests are performed by observing roles and responsibilities, reviewing documented flow charts and/or procedures. Segregation of Duties exists between employees who have access to:
Procurement | Segregation of Duties | Vendor master data and maintenance (owned by the Procurement department) and employees who have access to process vendor invoices (Accounts Payable department)
Procurement | Segregation of Duties | Request goods and/or services via Purchase Orders (PO) (owned by the Procurement Department) and employees who place the order with the vendor
Procurement | Segregation of Duties | PO approval (performed by the business area requesting the goods and/or services) and employees who have access to process vendor invoices
Procurement | Segregation of Duties | The procurement professionals who negotiate the contract terms and conditions with the vendor are separate from the employee who requests the goods and/or services.
Procurement | Segregation of Duties | Process vendor invoices and employees who have access to Goods Receipt on a PO (performed by the receiving department or business area requesting the goods and/or services).
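The Payroll and Procurement segregation-of-duties rows above are tested by observing roles and reviewing flow charts; the same rows can also be expressed as conflict pairs and checked mechanically against an access-review export, both as a detective review and as a preventive check before a new entitlement is granted. This is an added example, not material from the book: the pairing of the rows, the entitlement names and the export are assumptions made here.

```python
"""Segregation-of-duties (SoD) conflict check over an access-review export.

Added example, not from the book: the conflict pairs below are this
reviewer's reading of the Payroll and Procurement "Segregation of Duties"
rows of the test guide; the entitlement names and the export are
constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# One tuple per segregation row: (process, entitlement A, entitlement B).
# A single person holding both entitlements is a finding.
SOD_CONFLICTS: List[Tuple[str, str, str]] = [
    # Payroll: system access vs. processing the data
    ("Payroll", "payroll.system_access", "payroll.process_data"),
    # Payroll: employee master data / pay rates vs. processing the data
    ("Payroll", "payroll.employee_master", "payroll.process_data"),
    # Payroll: authorize vs. input data
    ("Payroll", "payroll.authorize_data", "payroll.input_data"),
    # Payroll: approve changes / system maintenance vs. input or process
    ("Payroll", "payroll.approve_changes", "payroll.input_data"),
    ("Payroll", "payroll.approve_changes", "payroll.process_data"),
    # Payroll: process vs. review and reconcile reports
    ("Payroll", "payroll.process_data", "payroll.reconcile_reports"),
    # Procurement: vendor master maintenance vs. processing vendor invoices
    ("Procurement", "procurement.vendor_master", "ap.process_invoice"),
    # Procurement: requesting via PO vs. placing the order with the vendor
    ("Procurement", "procurement.request_po", "procurement.place_order"),
    # Procurement: PO approval vs. processing vendor invoices
    ("Procurement", "procurement.approve_po", "ap.process_invoice"),
    # Procurement: negotiating contract terms vs. requesting goods/services
    ("Procurement", "procurement.negotiate_contract", "procurement.request_po"),
    # Procurement: processing vendor invoices vs. goods receipt on a PO
    ("Procurement", "ap.process_invoice", "procurement.goods_receipt"),
]

# Constructed access-review export, "user,entitlement" per line.
ACCESS_EXPORT = """\
user,entitlement
jdoe,procurement.vendor_master
jdoe,ap.process_invoice
jdoe,procurement.goods_receipt
asmith,procurement.request_po
asmith,procurement.approve_po
bkim,payroll.input_data
bkim,payroll.authorize_data
bkim,payroll.reconcile_reports
clee,payroll.process_data
"""


def parse_export(text: str) -> Dict[str, Set[str]]:
    """Build user -> set of entitlements from the CSV-style export."""
    assignments: Dict[str, Set[str]] = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:  # skip the header row
        user, entitlement = (field.strip() for field in line.split(",", 1))
        assignments.setdefault(user, set()).add(entitlement)
    return assignments


def find_conflicts(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """Detective check: (user, process, entitlement A, entitlement B) for
    every listed pair that a user currently holds in full."""
    findings = []
    for user in sorted(assignments):
        held = assignments[user]
        for process, a, b in SOD_CONFLICTS:
            if a in held and b in held:
                findings.append((user, process, a, b))
    return findings


def would_conflict(assignments: Dict[str, Set[str]], user: str,
                   new_entitlement: str) -> List[Tuple[str, str, str]]:
    """Preventive check at provisioning time: the pairs that granting
    new_entitlement to user would complete, evaluated before the grant."""
    held = assignments.get(user, set()) | {new_entitlement}
    return [
        (process, a, b)
        for process, a, b in SOD_CONFLICTS
        if new_entitlement in (a, b) and a in held and b in held
    ]


if __name__ == "__main__":
    current = parse_export(ACCESS_EXPORT)
    for finding in find_conflicts(current):
        print("CONFLICT", *finding)
    # asmith both requests and approves POs; the guide places PO approval
    # with the requesting business area, so that pair is not a listed conflict.
    print("clee + payroll.reconcile_reports ->",
          would_conflict(current, "clee", "payroll.reconcile_reports"))
```

Only pairs the test guide lists are flagged, so the checker reports what the guide treats as a conflict and nothing more; extending the matrix is a matter of adding tuples.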
Procurement | Information Technology controls | In accordance with Company policy and procedure and at least quarterly, the file share owner(s) perform a documented review of the procurement system and file share access to ensure access is restricted to authorized personnel.
Procurement | Information Technology controls | Additional procurement system controls are designed which:
Procurement | Information Technology controls | Do not allow for changes to the purchase order during the goods receipt process; e.g., changes to product or service orders, quantities and/or amounts as previously approved.
Procurement | Information Technology controls | Track the remaining balance of blanket purchase orders with recurring payments and close the PO when the balance becomes zero.
Revenue | Compliance with Contract Terms | All customers have a valid and approved contract. Customers requesting non-standard contract terms and conditions require additional financial and legal approval. Review the exception report for customers without valid contracts and remediate for resolution.
Revenue | Compliance with Contract Terms | Review customer dissatisfaction and escalation reports to identify the types of issues customers are having with the Company's products and/or services. Analyze how the Company investigates the root cause of these issues, improves the process and resolves the issue with the customer.
Revenue | Complete | All sales orders are input to the sales database and, once accepted by the Company, the sales order is released to distribution for fulfillment. Review exception reports and follow up with remediation plans. Select a sample to test sales orders for complete, accurate and timely processing.
Revenue | Complete | Zero dollar sales orders are reviewed for accuracy of revenue and inventory accounting treatment. Review the zero dollar sales report and validate the reasons provided for zero dollar fulfillment. Select a sample and test the accuracy of reason classification.
Revenue | Complete | Completed sales orders are reconciled to the original contract with differences explained, authorized and documented. Contract and supporting documentation including approvals are retained and maintained with the customer file according to sales order. Review peer-to-peer or self-assessment checklists. Select a sample and verify reconciliation reports and remediation plans.
Revenue | Timeliness | Instructions as to revenue cutoff periods are communicated prior to each month-end closing. Review communications and schedules.
Revenue | Accurate | Review and analyze the company's policy and procedure for revenue recognition. Select a sample of revenue recognition checklists to ensure that the revenue recognition criteria have been met. For a selected sample of transactions, review and follow cradle-to-grave supporting documentation including customer contract, sales orders, shipping and fulfillment orders and customer correspondence.
Revenue | Accurate | Review and analyze estimate and reserve accounts for compliance with company policies and procedures, accuracy of calculation and timeliness of processing. Recalculate estimate and reserve amounts for accuracy and consistency.
Revenue | Authorize | Select a sample of sales orders and review for completeness, accuracy and authorization prior to processing.
Revenue | Authorize | The revenue segmentation reporting by product and geography is reviewed for compliance with consistent application of company methodology. The VP Finance or corporate controller reviews, signs, and dates the detailed schedules and financial disclosures.
Revenue | Reconciliation | Account analysis and reconciliation is performed between the:
Revenue | Reconciliation | Sales order database and revenue booked and recognized
Revenue | Reconciliation | Accounts receivable and recognized revenue
Revenue | Reconciliation | Sales and use tax and revenue
Revenue | Reconciliation | Intercompany revenue and intercompany receivables
Revenue | Reconciliation | Revenue and royalty payable
Revenue | Reconciliation | Sales orders, revenue and incentive compensation
Revenue | Segregation of Duties | Segregation of duties tests are performed by observing roles and responsibilities, reviewing documented flow charts and/or procedures. Segregation of duties exists between employees who have access to:
Revenue | Segregation of Duties | Prepare and enter sales orders, those who fulfill the sales order, and those who record the related accounting transactions.
Revenue | Segregation of Duties | Invoice the customer and those who collect and process customer payment.
Revenue | Segregation of Duties | Record the accounting transactions and those who reconcile the accounts.
Retail Sales Orders | Compliance with Contract Terms | The retail partner list is complete and accurate and represents authorized retail partners who have valid master sales agreements with the company. All business partners have a valid and approved contract. Business partners requesting nonstandard contract terms and conditions require additional financial and legal approval.
Retail Sales Orders | Complete | Business partner product and pricing lists are complete and accurate and represent products the company is authorized to sell to retail partners. Review the product and pricing list for authorization and communication, and to ensure that these products and prices are included within business partner orders.
Retail Sales Orders | Complete | The sales order manager reviews and approves sales orders prior to forwarding the sales order to distribution for fulfillment. Review the completed sales order checklists to ensure that the company may fulfill requested product quantities at quoted prices, and validate calculation extensions. Select a sample and test supporting documentation.
Retail Sales Orders | Accurate | All shipments are recorded accurately, in a timely manner and in the appropriate period. Review shipping reports and select a sample to review supporting documentation.
Retail Sales Orders | Accurate | Walk through and observe the process from when the company receives and processes the sales order, to fulfilling and shipping the order, to recording journal entries. Document control issues and findings.
Retail Sales Orders | Authorize | Business partners are qualified, preapproved, and undergo credit authorization.
Retail Sales Orders | Authorize | In accordance with company policy and procedures, sales order reports are generated to identify those sales orders less than or greater than general sales order volumes and amounts, as these require additional review and approval. Review and analyze these reports for additional management review, approval, and supporting documentation.
Retail Sales Orders | Reconciliation | Reconciliations are prepared, reviewed, and approved between sales orders received and orders fulfilled; unreconciled items are aged for resolution. Select a reconciliation, review source data, recalculate and validate approvals.
Retail Sales Orders | Reconciliation | Reconcile fulfilled sales orders and business partner accounts receivable data flow. Select a sample; review calculations, approvals, and supporting documentation.
Retail Sales Orders | Segregation of Duties | Segregation-of-duties tests are performed by observing roles and responsibilities, reviewing documented flow charts and/or procedures. Segregation of duties exists between employees who have access to:
Retail Sales Orders | Segregation of Duties | Evaluating and approving business partners and those processing sales orders, shipping product or Accounts Receivable processing.
Retail Sales Orders | IT Controls | The system automatically monitors customer credit limits and designates a customer as "hold over credit limit" if the customer purchase order exceeds the approved credit limit in the system.
Retail Sales Orders | IT Controls | Only valid and accurate purchase orders are entered into the system. Orders are reviewed for accuracy and validity prior to entry into the system, as evidenced by sign-off of the purchase order.
Income Tax | Compliance with laws and regulations | Tax schedules are prepared which represent the company's jurisdictional obligations for income tax preparation and filing. The tax department can demonstrate adherence to the schedule. Review and analyze the list of jurisdictional filings.
Income Tax | Compliance with laws and regulations | Tax research is documented, identifying company-specific procedures to implement tax requirements into operational and tax processes. Review the list of tax items researched and the assessment as to whether the researched item needs to be incorporated into the company's policies and procedures. Senior executives are assured that all available and appropriate tax advantages are included within income tax preparation, tax submissions, and disclosures.
Income Tax | Complete | There are established lines of communication between the tax function and the functional and geographic business units, providing clear instruction as to required input for income tax preparation. Review policies and procedures for inclusion of tax considerations where and as appropriate.
Income Tax | Complete | Tax management compares the forecasted pretax income with the tax provision work papers. Review peer-to-peer or self-assessment checklists to determine if the work papers are complete. Verify the use of the income tax checklist and supporting documentation.
Income Tax | Accurate | The tax provision calculation is properly documented, accurately determined, supported and properly recorded in the general ledger. Review the assumptions and process used to calculate, review and approve tax provisions. Select sample calculations for recalculation.
Income Tax | Accurate | Sales and use tax liabilities are captured and recorded completely and accurately, with payments submitted in a timely manner. Review and analyze sales and use tax work papers and presentation of liabilities.
Income Tax | Accurate | Business unit and tax management verify the integrity and completeness of gathered data. The tax function performs timely recalculations to assess the accuracy and reasonableness of computations. Internal controls reviews the data input and tax calculations.
Income Tax | Accurate | To serve as a check and balance and for purposes of accuracy, duties are segregated among those who prepare income tax computations/work products, those who review and approve tax submissions, and those who approve and/or reconcile journal entries. Walk through and observe the process from receiving data input, to preparing journal entries from tax submissions, to disbursement of taxes payable.
Income Tax | Authorize | The tax VP reviews and approves the income tax rate which must be used for budget and forecasting purposes. This rate is reconciled to the actual calculated year-end rate.
Income Tax | Authorize | The tax VP reviews and approves the income tax journal entries and the classification between current and deferred, short- and long-term obligations.
Income Tax | Authorize | The tax VP reviews and approves the blended statutory state income tax rate.
Income Tax | Authorize | The CFO quarterly reviews and approves the contingency reserve, noting support in accordance with SFAS 5 and the related effects on the tax accounts.
Income Tax | Authorize | Company policies and procedures (e.g., intercompany transactions, cross-border and transfer product pricing) are adequately reviewed and approved for income tax implications.
Income Tax | Authorize | The income tax provisions, presentations, and disclosures required are reviewed for completeness, accuracy, and compliance with laws and regulations. The VP Finance or corporate controller reviews, signs, and dates the detailed schedules and financial disclosures. Review the disclosure and supporting documentation.
Income Tax | Reconciliation | Reconciliations are performed between the financial data submitted by the business units and the information submitted to the tax department. Review and analyze selected reconciliations.
Income Tax | Reconciliation | The Tax VP reviews and approves the roll-forward schedule and analysis, which includes current taxes payable, deferred taxes and the tax provision. Review and analyze selected reconciliations.
Income Tax | Reconciliation | The Tax VP reviews the reconciliation of the requested tax entries to the balances reflected on the general ledger to confirm that the information was posted accurately and that the tax accounts are correctly stated. Review and analyze selected reconciliations.
Income Tax | Reconciliation | The accrual for sales and use tax contingencies is reconciled monthly to supporting schedules or the general ledger to ensure the accrual is complete and accurate. Review and analyze selected reconciliations.

Internal Control – Result of Control Activity Testing

As the Internal Control representative tests each control objective, they should keep track of the tests and results by completing the Result of Control Activity form. This form serves as the cover sheet for evidence collected to support the assertion made about the control objective. The results of each test, whether positive or negative, must be recorded to demonstrate that the internal control representative exercised an appropriate level of due diligence when reviewing the process. In addition, those items which indicate a deficiency need to be identified and classified for remedial action.

Internal Controls – Result of Control Activity Testing
Company:
Location:
Financial Period:
Prepared by:
Date:
Reviewed by:
Purpose:
Scope or Process description:
Policy and Procedure references:
Result of control activities tested: Number and identify each control objective and activity being tested. Follow or create a cross reference to the control objectives and activities as listed on the Test Guide.
Result of the Control Activity should identify the size of the sample, the criteria used for sampling and the finding; reference findings as (E) controls were found to be in existence, (CT) controls were found to be executed completely and in a timely fashion, (VA) controls were found to be validate and accurate. Include other assertion levels as appropriate to your test plans.
Assessment refers to your evaluation as to whether the control is working as it should be. Ratings are 1 to 4, defined as 1 for a significant deficiency, 2 as a material weakness, 3 as a reportable condition or 4 as an effective control.

Result of Control Activities Tested
# | Description of Control Tested | Assertion | Result of Control Activity Tested | Assessment (1, 2, 3, 4)
1 | | | |
2 | | | |
3 | | | |

Evaluation: In my opinion, the overall control assessment for the process described above is rated as < insert rating 1, 2, 3, 4 > and describe why you reached this conclusion.
Prepared by: _____________________________________ Date: _________________________
Reviewed and approved by: _________________________ Date: _________________________
Once complete, attach the Test Guide as a cover sheet to the supporting evidence and forward to Internal Controls.

Reporting Scorecard
Company:
Location:
Financial Period:
Prepared by:
Date:
Reviewed by:
Distributed to: Chief Executive Officer, Chief Financial Officer, Executive Team and Process owners
Purpose: Consolidate the findings from the Result of Control Activity Testing and report on the progress made to remediate open issues.
Goal: Zero material weaknesses and zero significant deficiencies
Testing is current as of:

Findings:
Process | Total # Controls | Rating 1 SD | Rating 2 MW | Rating 3 RC | Total
Ratings are 1 to 4, defined as 1 for a significant deficiency (SD), 2 as a material weakness (MW) or 3 as a reportable condition (RC).
Actions:
Process | Process Owner | Remediation Actions | Expected Completion Date | Internal Control comments or observations

Acronyms

AP or A/P: accounts payable
AR or A/R: accounts receivable
BOD: board of directors
BS or B/S: balance sheet
CAO: chief accounting officer
CAO: chief administrative officer
CEO: chief executive officer
CFO: chief financial officer
CIP: construction in progress
Company: IDEAL LLC
COO: chief operating officer
COSO or Framework: Committee of Sponsoring Organizations of the Treadway Commission
CT: complete and timely
DOA: delegation of authority
DPO: days payable outstanding
E: existence
EBS: electronic bank statements
EUC: end-user computing
FASB: Financial Accounting Standards Board
FCPA: U.S. Foreign Corrupt Practices Act
GAAP: generally accepted accounting principles
GL: general ledger
ICOFR: internal controls over financial reporting
IDEAL: Instruction, Design, Evaluation and Assessment for Leadership
IFAC: International Federation of Accountants
IIA: Institute of Internal Auditors
IS: information services
IT: information technology
Legal: legal department
Letter: quarterly subcertification letter or the letter of representation
Matrix: process owner matrix
MBA: master of business administration
MD&A: management discussion and analysis
MW: material weaknesses
PCAOB: Public Company Accounting Oversight Board
PO: purchase order
Program: internal controls program
RASCI: responsible, authority, support, counsel, and inform
RC: reportable condition
SAS: Statement on Auditing Standards
SD: significant deficiencies
SEC: Securities and Exchange Commission
SOX: Sarbanes–Oxley Act of 2002
U.S. GAAP: United States generally accepted accounting principles
VA: validate and accurate
VP: vice president

References

Visit the following sites for additional information on:
Sarbanes-Oxley: www.sec.gov/spotlight/sarbanes-oxley.htm and http://thecaq.aicpa.org/Resources/Sarbanes+Oxley/
Securities and Exchange Commission: http://www.sec.gov/
COSO: http://www.coso.org/
PCAOB: http://www.pcaobus.org/index.aspx
For program support and information, contact IDEAL via [email protected] or via http://www.idealpolicy.com

Index

A
account reconciliation program: contact persons, 103; exhibit, 104; flow chart, 96; policy, 101; procedure, 97–99, 101–3; responsibility, control and areas of, 103; scope, 101; techniques, format and analysis, 99–100
Accounting authority, 72
accounts payable (disbursements): checklist, readiness, 154; control objectives and activities, 154–57; flowchart, 153; key measures, 157; reference policies and procedures, 153
accounts receivable and allowance for doubtful accounts: checklist, readiness, 159; control objectives and activities, 159–60; flowchart, 158; key measures, 160–61; reference policies and procedures, 158
accounts receivable and cash applications: checklist, readiness, 163; control objectives and activities, 163–65; flowchart, 162; key measures, 165; reference policies and procedures, 162
accounts receivable and collections: checklist, readiness, 167; control objectives and activities, 167–68; flowchart, 166; key measures, 168; reference policies and procedures, 166
accounts receivable and credit information: checklist, readiness, 169–70; control objectives and activities, 170; flowchart, 169; key measures, 170–71; reference policies and procedures, 169
acronyms, 263–64
authority. See also responsibility, authority, support, counsel and inform (RASCI); subdelegation of authority: Accounting, 72; areas of worldwide, 72; Contracts, 72; delegation of, 69–70, 74–75; Information Services (IS), 72; matrix, subdelegation of, 71, 77–78; Planning, 72; Product and Services, 72; Real Estate, 72; special areas with worldwide, 74–75; Tax, 72; Treasury, 72
authorization and approval program.
See also subdelegation of authority authority, areas of worldwide, 72 authority, delegation of, 69–70 authority, special areas with worldwide, 74–75 authority matrix, subdelegation of, 71 authorization matrix, 71 defi nitions, 71 planned spending, 75 RASCI, 70 rules and responsibilities, 71–72 terms, defi ning, 69 B board of directors (BOD), 38 BOD. See board of directors (BOD) C CAO. See chief administrative offi cer (CAO) cash and marketable securities checklist, readiness, 173 control objectives and activities, 173–74 fl owchart, 172 key measures, 174–75 reference policies and procedures, 172 CEO. See chief executive offi cer (CEO) CFO. See chief fi nancial offi cer (CFO) checklist of readiness accounts payable (disbursements), 154 accounts receivable and allowance for doubtful accounts, 159 accounts receivable and cash applications, 163 accounts receivable and collections, 167 bindex.indd 267bindex.indd 267 8/25/08 3:07:14 PM8/25/08 3:07:14 PM 268 INDEX checklist of readiness (Continued) accounts receivable and credit information, 169–70 cash and marketable securities, 173 control activity program, 138 fi nancial planning and analysis, 177 fi xed assets and long lived assets, 180 governance documentation, 24 income tax, 214 intercompany transactions (cross charges), 184 journal entries and non-routine transactions, 195 payroll, 198 procurement, 201–2 raw materials and inventory, 190 retail sales orders to business partners, 210 revenue recognition, 206 chief administrative offi cer (CAO), 74 chief executive offi cer (CEO), 38, 74, 105, 120 chief fi nancial offi cer (CFO), 38, 74, 105, 120 chief operating offi cer (COO), 74 Committee of Sponsoring Organizations of the Treadway Commission (COSO), 7–8, 28, 31, 52, 55, 263 Contracts authority, 72 control activity program checklist, readiness, 138 control activities, 137–38 control objectives, 137 evaluation, 139–40 internal control planning, testing and remediation worksheet, 144–46 internal controls reporting 
scorecard, instructions for, 142–44 key measures, 138 monitoring and tracking, 140–41 overview, 135 remediation, 141–42 reporting, 142 results, control activity, 148 scorecard, reporting, 151–52 template, control activity, 147 testing form, instruction for completing the, 138–40 testing guide, instruction for building your, 135–38 worksheet, planning, testing and remediation, 149–50 control objectives and activities accounts payable (disbursements), 154–57 accounts receivable and cash applications, 163–65 accounts receivable and collections, 167–68 accounts receivable and credit information, 170 cash and marketable securities, 173–74 fi nancial planning and analysis, 177–78 fi xed assets and long lived assets, 180–82 income tax, 214–16 intercompany transactions (cross charges), 184–86 journal entries and non-routine transactions, 195–96 payroll, 198–99 procurement, 202–4 raw materials and inventory, 190–93 retail sales orders to business partners, 210–11 revenue recognition, 206–8 COO. See chief operating offi cer (COO) COSO. See Committee of Sponsoring Orga- nizations of the Treadway Commission (COSO) D delegation of authority. See also subdelegation of authority authority, delegation of, 74–75 authority matrix, subdelegation of, 77–78 contact persons, 76 policy, 73–74 responsibilities, control and areas of, 76 roles and responsibilities, 75–76 scope and background, 73 documentation, 20–24 E end-user computing contact persons, 96 policy, 95 procedure, 95–96 responsibility, control and area of, 96 scope, 95 spreadsheet control, 91–94 spreadsheet cover, 93 F FASB. 
See Financial Accounting Standards Board (FASB) Financial Accounting Standards Board (FASB), 3 fi nancial planning and analysis checklist, readiness, 177 control objectives and activities, 177–78 fl owchart, 176 key measures, 178 reference policies and procedures, 176 fi xed assets and long lived assets checklist, readiness, 180 control objectives and activities, 180–82 bindex.indd 268bindex.indd 268 8/25/08 3:07:15 PM8/25/08 3:07:15 PM INDEX 269 fl owchart, 179 key measures, 182 reference policies and procedures, 179 fl owchart accounts payable (disbursements), 153 accounts receivable and allowance for doubtful accounts, 158 accounts receivable and cash applications, 162 accounts receivable and collections, 166 accounts receivable and credit information, 169 cash and marketable securities, 172 fi nancial planning and analysis, 176 fi xed assets and long lived assets, 179 governance, 5–6 income tax, 213 intercompany transactions (cross charges), 183 journal entries and non-routine transactions, 194 payroll, 197 procurement, 201 raw materials and inventory, 187–89 retail sales orders to business partners, 209 revenue recognition, 205 404 certifi cation, 128–30 404 subcertifi cation, 118 G GAAP. See generally accepted accounting principles (GAAP) generally accepted accounting principles (GAAP), 40 governance. 
See also Public Company Accounting Oversight Board (PCAOB) COSO framework, 7–8 documentation, about, 22 documentation, readiness checklist for, 24 documentation, source of, 20 documentation, what it is, 20–22 documentation, why now, 22–23 documentation diffi culties, 23 fl owchart of, 5–6 oversight, about, 16–17 oversight, source of, 16 oversight, what it is, 16 oversight, why now?, 17 oversight principles, 17–19 PCAOB, 9 risk, about, 10–11 risk, evaluating process, 13–15 risk, types of, 11–12 risk, what it is, 10 risk assessment, 10–12 risk management, 11–12 risk matrix, 13–14 Sarbanes-Oxley Act, 8–9 source of, 3–4 what it is, 3 what it is about, 3 why now?, 4–5 I IDEAL LLP’s legal entities, subsidiaries, and business units contact persons, 54 policy, 52 procedure, 52–54 responsibility, control/areas of, 54 risk thresholds, 53–54 scope of policy, 52 IFAC. See International Federation of Accountants (IFAC) income tax checklist, readiness, 214 control objectives and activities, 214–16 fl owchart, 213 key measures, 216 references and procedures, 213 Information Services (IS) authority, 72 information technology program end-user computing and spreadsheet control, 91–94 end-user computing spreadsheet cover, 93 procedure, 87–90 spreadsheet errors, preventing and detecting, 94 intercompany transactions (cross charges) checklist, readiness, 184 control objectives and activities, 184–86 fl owchart, 183 key measures, 186 reference policies and procedures, 183 internal control plan, 83–85 planning, testing and remediation worksheet, 144–46 reasons for, 28–29 reporting scorecard, instructions for, 142–44 requirements for, 28 what it is about, 27–28 what they are, 27 internal control process about, 37 control activities, 44–46 control activity testing, 261–62 control environment, 38–39 controls, detective and preventive, 44–45 COSO control element, 50 fi nancial reporting, internal controls over, 40 fi ndings, classifying, 48–49 bindex.indd 269bindex.indd 269 8/25/08 3:07:15 
PM8/25/08 3:07:15 PM 270 INDEX internal control process (Continued) fl ow chart, 37 information and communications objectives, 48 integrity, 41 internal control objectives and principles, 39–42 internal control program, evaluating, 50 monitoring and testing, 46–48 narrative for the process, 38 planning, testing and remediation worksheet, 144–46 reporting scorecard, instructions for, 142–44 reviews, operational and fi nancial, 40–41 risk assessment, 43–44 safeguarding assets, 41–42 segregation of duties, 41 submissions and attestations, 51 top-down approach, determining scope using, 42–44 internal control program accounts receivable (A/R) collections process, 30 control activities, 35 control environment, 34 fi nancial reporting, internal control over, 31–32 information and communications, 35 internal controls, reasons for, 28–29 internal controls, requirements for, 28 internal controls, what it is about, 27–28 internal controls, what they are, 27 monitoring, evaluating and reporting, 35 note to reader, 36 program vs. process, 29–31 risk assessment, 34 risks, fi nancial, 31 risks, operational, 31 risks, performance, 31 self-assessment questions and COSO, 33–36 Internal Control–Integrated Framework, 28 internal controls program charter meetings, 55 purpose, 55 responsibilities and authority, 56 scope, 55 International Federation of Accountants (IFAC), 3 IS. 
See Information Services (IS) J journal entries and non-routine transactions checklist, readiness, 195 control objectives and activities, 195–96 fl owchart, 194 key measures, 196 reference policies and procedures, 194 K key measures accounts payable (disbursements), 157 accounts receivable and allowance for doubtful accounts, 160–61 accounts receivable and cash applications, 165 accounts receivable and collections, 168 accounts receivable and credit information, 170–71 cash and marketable securities, 174–75 control activity program, 138 fi nancial planning and analysis, 178 income tax, 216 intercompany transactions (cross charges), 186 journal entries and non-routine transactions, 196 payroll, 200 procurement, 204 raw materials and inventory, 193 retail sales orders to business partners, 211–12 revenue recognition, 208 M matrix authority, subdelegation of, 71, 77–78 quarterly subcertifi cation program, 106–9, 122–23 RASCI, 83, 85–86 risk, 13–14 subcertifi cation, 126 O oversight. See also Public Company Accounting Oversight Board (PCAOB) about, 16–17 principles, 17–19 source of, 16 what it is, 16 why now?, 17 P payroll checklist, readiness, 198 control objectives and activities, 198–99 fl owchart, 197 key measures, 200 reference policies and procedures, 197 safeguard assets, 199–200 PCAOB. 
See Public Company Accounting Oversight Board (PCAOB) bindex.indd 270bindex.indd 270 8/25/08 3:07:15 PM8/25/08 3:07:15 PM INDEX 271 Planning authority, 72 procurement checklist, readiness, 201–2 control objectives and activities, 202–4 fl owchart, 201 key measures, 204 reference policies and procedures, 201 Product and Services authority, 72 program support contact, 263 Public Company Accounting Oversight Board (PCAOB), 9, 16, 23, 31, 263 Q quarterly fi nancial subcertifi cation training for fi rst-time subcertifi ers agenda, 124 business practices, 128 certifi cation summary, 125 fi nancial data, representation of, 128 404 certifi cation, 128–29 framework and process, 127–28 letter of representation, 128 management’s role and responsibility, 129–30 objectives, program, 124–25 subcertifi cation, assigning ownership for, 126 subcertifi cation matrix, 126 subcertifi cation process fl ow, 127 302 certifi cation, 128 302 subcertifi er responsibilities, 128 quarterly subcertifi cation program business practices, 116–17 certifi cation, 130 certifi cation, next steps, 130 contact persons, 121 exhibits, 115–16 fi nancial data, representation of, 116–17 fi nancial statement subcertifi ers, 117 404 certifi cation, 130 404 subcertifi cation, 118 letter, 110 matrix, 106–8 matrix, instructions for, 122–23 matrix, steps to customize the, 108–9 overview, 105–6 policy, 120 procedure, 120–21 references, 131 responsibility, control and areas of, 121 schedule, 110–14 scope, 120 subcertifi cation, quarterly, 118–19, 130 subcertifi cation questionnaire, quarterly, 119 302 disclosure subcertifi cation, 117 R RASCI. 
See responsibility, authority, support, counsel and inform (RASCI) raw materials and inventory checklist, readiness, 190 control objectives and activities, 190–93 fl owcharts, 187–89 key measures, 193 reference policies and procedures, 187 Real Estate authority, 72 reference policies and procedures accounts payable (disbursements), 153 accounts receivable and allowance for doubtful accounts, 158 accounts receivable and cash applications, 162 accounts receivable and collections, 166 accounts receivable and credit information, 169 cash and marketable securities, 172 fi nancial planning and analysis, 176 fi xed assets and long lived assets, 179 intercompany transactions (cross charges), 183 journal entries and non-routine transactions, 194 payroll, 197 procurement, 201 raw materials and inventory, 187 retail sales orders to business partners, 209 references, 263 responsibility, authority, support, counsel and inform (RASCI), 70, 83–85 matrix, 83, 85–86 retail sales orders to business partners checklist, readiness, 210 control objectives and activities, 210–11 fl owchart, 209 key measures, 211–12 reference policies and procedures, 209 revenue recognition checklist, readiness, 206 control objectives and activities, 206–8 fl owchart, 205 key measures, 208 references and procedures, 205 risk about, 10–11 assessment, 10–12, 34, 43–44 evaluating process, 13–15 fi nancial, 31 management, 11–12 matrix, 13–14 operational, 31 bindex.indd 271bindex.indd 271 8/25/08 3:07:16 PM8/25/08 3:07:16 PM 272 INDEX risk (Continued) performance, 31 thresholds, 53–54 types of, 11–12 what it is, 10 roll-forward analysis, 99 S Sarbanes-Oxley Act (SOX), 8–9, 16, 20, 31, 73, 105, 263 SEC. See Securities and Exchange Commission (SEC) Securities and Exchange Commission (SEC), 3, 16, 22, 263 SOX. See Sarbanes-Oxley Act (SOX) subdelegation of authority. 
See also delega- tion of authority; responsibility, authority, support, counsel and inform (RASCI) acquisition, 81 divestitures, 81 human resources, 79 intercompany matters, 82 joint ventures and alliances, 81 legal, 80 matrix, 71, 79–81 procurement, 81 sales, 81 treasury, 82 U.S. dollars, 79–80, 82 T Tax authority, 72 302 disclosure subcertifi cation, 117 302 certifi cation, 128 302 subcertifi er responsibilities, 128 Treasury authority, 72 U U.S. Foreign Corrupt Practices Act, 73 W worksheet internal control, testing and remediation, 217–60 internal control planning, testing and remediation, 144–46, 149–50 bindex.indd 272bindex.indd 272 8/25/08 3:07:16 PM8/25/08 3:07:16 PM Internal Controls Policies and Procedures About the Author About the Web Site Contents How to use this Manual Preface GOVERNANCE JOURNEY BIG G TO LITTLE g GOVERNANCE JOURNEY APPENDIX: SOME BACKGROUND INFORMATION ON COSO, SOX AND PCAOB RISK ASSESSMENT OVERSIGHT DOCUMENTATION INTERNAL CONTROL PROGRAM INTERNAL CONTROLS PROGRAM APPENDIX: SELF-ASSESSMENT FOR THE INTERNAL CONTROL FRAMEWORK ACCORDING TO COSO INTERNAL CONTROL PROCESS INTERNAL CONTROL PLAN ROLES AND RESPONSIBILITIES INTERNAL CONTROL – PLANNING, TESTING AND REMEDIATION WORKSHEET AUTHORIZATION AND APPROVAL PROGRAM SUBDELEGATION-OF-AUTHORITY MATRIX SUB DELEGATION OF AUTHORITY MATRIX SUPPORTS THE SUB DELEGATION OF AUTHORITY POLICY AND PROCEDURE AUTHORIZATION – DELEGATION, SUBDELEGATION OF AUTHORITY RESPONSIBILITY, AUTHORITY, SUPPORT, COUNSEL, AND INFORM (RASCI) INFORMATION TECHNOLOGY PROGRAM END-USER COMPUTING AND SPREADSHEET CONTROL ACCOUNT RECONCILIATION PROGRAM QUARTERLY SUBCERTIFICATION PROGRAM QUARTERLY SUBCERTIFICATION: SECTION 404 QUESTIONNAIRE QUARTERLY SUBCERTIFICATION - MATRIX QUARTERLY FINANCIAL SUBCERTIFICATION TRAINING FOR FIRST-TIME SUBCERTIFIERS CONTROL ACTIVITY PROGRAM CONTROL ACTIVITY PROGRAM INTERNAL CONTROL—PLANNING, TESTING, AND REMEDIATION WORKSHEET Appendix Acronyms References Index