December 2006
This document provides a consolidated set of audit checklists typical of those used by internal and external auditors to evaluate the financial close process and test compliance with Sarbanes-Oxley (SOX). These checklists identify all of the typical controls that comprise a typical audit and highlight ways that you can automate many of the tasks by using an independent controls monitoring and audit (CMA) solution.
Table of Contents
Section 1 Financial Close Process
Section 2 Entity Level Controls - Control Environment
Section 3 Entity Level Controls - Information & Communication
Section 4 Entity Level Controls - Monitoring
Section 5 Entity Level Controls - Risk Assessment
Section 6 Expenditure Process Controls
Section 7 Fixed Assets Process Controls
Section 8 Inventory Management Process Controls
Section 9 Payroll Process Controls
Section 10 Revenue Process Controls
Section 11 Treasury Process Controls
Section 12 SOX Checklist
ABOUT APPROVA
Audit Checklists & Continuous Auditing for Financial Close and Sarbanes-Oxley (SOX) Audit Procedures
Financial Close
Journal entry input is restricted to authorized personnel. There is a checklist of the standard closing journal entries made at month-end, quarter-end, and year-end. Pre-numbered vouchers are used to ensure that all non-recurring entries are processed only once in the system. Manual journal entries have adequate supporting documentation and are approved by the appropriate level of management.
Continuous controls monitoring and audit of the financial close process is an integral part of the financial close procedure. CMA solutions can report test results in existing corporate reports or as part of third party reporting packages (e.g. Crystal Reports). CMA solutions provide detailed remediation and monitoring of user access for accounting and reporting applications. CMA solutions monitor unauthorized or irregular journal entries. CMA solutions identify nonstandard journal entries. CMA solutions identify duplicate journal entries. CMA solutions identify manual journal entries that do not have proper approvals.
Standardized journal entries are used for recurring journal entries. Journal entries are supported and authorized before being posted. System logic prevents journal entries for which debits do not equal credits. The system will not allow journal entries to be recorded to a closed accounting period. System logic will not allow duplicate journal entry numbers. A procedure detailing the calculation of specific accruals and recording rules exists and is consistently applied.
CMA solutions identify unauthorized journal entries. CMA solutions identify journal entries for which debits do not equal credits. CMA solutions identify journal entries that have been recorded after a closed accounting period. CMA solutions identify duplicate journal entries.
Write-offs and reserves are clearly defined, consistently applied, and monitored in accordance with company policy. All account balances are reconciled prior to closing the books, including confirming that balances agree with related parties. Significant variances in reconciliations are investigated and resolved timely. Fluctuation analysis of actual to budget or prior periods is performed. The financial reporting package is reviewed by management before submission to Corporate. Duties are appropriately segregated in the closing process. Access/authorization controls are in place to maintain the integrity of the chart of accounts. Procedure is in place to identify any changes to master data that have significant financial accounting and/or reporting implications to the accounting department. A procedure is in place to identify and communicate transactions/events that have significant financial accounting and/or reporting implications to the accounting department.
CMA solutions identify and remediate segregation of duties violations. CMA solutions monitor all changes to the chart of accounts. CMA solutions monitor all changes to master data. For the operations that CMA solutions monitor, appropriate alerting and reporting is performed to communicate any anomalies in financial close procedures.
z = Significant opportunities to implement a controls monitoring and audit (CMA) solution
z = Some opportunity to implement a controls monitoring and audit (CMA) solution
z = Little or no opportunity to implement a controls monitoring and audit (CMA) solution
Integrity & Ethical Values
Commitment to Competence
Management's Philosophy & Operating Style
Organizational Structure
Management provides personnel with access to training programs on relevant topics. Formal job descriptions or other means of defining tasks that comprise particular jobs exist and are effectively used. Adequate staffing levels are maintained to effectively perform required tasks. Management analyzes the risks and potential benefits of ventures. Turnover in management or supervisory personnel is monitored and the reasons for significant turnover are evaluated. Senior management maintains contact with and consistently emphasizes appropriate behavior to operating personnel. Management exemplifies attitudes and actions reflecting a sound control environment and commitment to ethical values. Management adopts accounting policies that best reflect the economic realities of the business. Executives clearly understand their responsibility and authority for business activities and how they relate to the entity as a whole. The entity establishes appropriate lines of reporting, giving consideration to its size and the nature of its activities.
For the operations that CMA solutions monitor, appropriate alerting and reporting is performed to communicate any anomalies in the control environment. CMA solutions identify and remediate segregation of duties (SoD) violations.
Organizational Structure
The structure of the entity facilitates the flow of information to appropriate people in a timely manner.
Organizational Structure
Assignment of Authority & Responsibility
Incompatible duties are segregated (e.g., separation of accounting for and access to assets). Employees throughout the entity are assigned authority and responsibility related to their specific job functions. Job descriptions contain specific references to control-related responsibilities.
Assignment of Authority & Responsibility
Human Resources Policies & Procedures
There is a structure for assigning ownership of information including who is authorized to initiate or change transactions. There are policies and procedures for authorization and approval of transactions. Management establishes and enforces standards for hiring the most qualified individuals, with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior. Screening procedures, including background checks, are employed for job applicants, particularly for employees with access to assets susceptible to misappropriation.
CMA solutions are designed so that the business process owner can design, implement and monitor controls and perform remediation of control violations without having to enlist IT resources. CMA solutions include remediation workflow to remediate SOD violations.
Human Resources Policies & Procedures
Recruiting practices include formal, in-depth employment interviews and informative, insightful presentations on the entity's history, culture, and operating style. Training policies communicate prospective roles and responsibilities and illustrate expected levels of performance and behavior.
Disciplinary actions send a message that violations of expected behavior will not be tolerated.
An ongoing education process enables people to deal effectively with evolving business environments.
Independent CMA solutions can easily integrate with other governance, risk, compliance, and security-related applications such as Identity Management, GRC applications and portals. CMA solutions greatly reduce the time and effort of monitoring information system controls that affect the accuracy of financial statements.
Information Availability
Internal information regarding financial results is generated by the entity's financial information systems and that information is reported regularly.
Entity-wide operating results are reviewed and compared against budgets at regular intervals. The adequacy of the information technology structure is considered by senior management. Managers and other personnel have the required information in sufficient detail to carry out their responsibilities and there are mechanisms in place to ensure changing needs are met.
Reliability of IT Systems
Management has a strategic plan for IT systems that are linked to the entity's overall strategies.
Reliability of IT Systems
Procedures are in place to provide assurance that relevant information is identified, captured, processed and reported by IT systems in an appropriate and timely fashion.
Reliability of IT Systems
Management adequately staffs and designs the IT department to support the entity's overall business objectives.
There are defined responsibilities for individuals responsible for implementing, documenting, testing, and approving changes to computer programs and systems. There is a regular back-up of application programs and data files.
CMA solutions can continuously monitor SOD, Financial Close, Order to Cash, Procure to Pay, System Configuration, Sensitive Transactions, and custom transactions in financial systems to ensure compliance is met and enforced. CMA solutions significantly reduce the effort of monitoring financial system controls by effectively utilizing existing staff. CMA solutions can assist in change control by monitoring financial application system settings.
Reliability of IT Systems
The entity has a disaster recovery plan in place that allows for the timely recovery of information. The disaster recovery plan is tested regularly and is updated as the business changes.
There is a high level of user satisfaction with the IT systems, including reliability and timeliness of reports. Employee duties and control responsibilities are timely and effectively communicated.
Communication
Communication across the organization is adequate, complete and timely to enable people to perform their responsibilities effectively.
For the operations that CMA solutions monitor, appropriate alerting and reporting is performed to communicate any anomalies in the control environment.
Communication
There is an established channel of communication for people to report, anonymously when appropriate, suspected improprieties and management encourages employees to utilize such channels when necessary. Reported problems are investigated in a timely manner and disciplinary actions are taken when necessary. There are realistic mechanisms in place for employees to provide recommendations.
Ongoing Monitoring
Management monitors relevant external and internal information and considers the impact on the control structure.
Ongoing Monitoring
Procedures are in place to monitor when controls are overridden and to determine if the override was appropriate.
Management takes appropriate action on exceptions to policies and procedures. Management responds timely to comments identified in management letters from the external auditor. Internal audit has the authority to review any aspect of the entity's operations.
CMA solutions enable audit to monitor 100% of financial system controls on a daily or weekly basis rather than a 5% sample performed on a quarterly basis. For the systems that CMA solutions support, control design, deployment and monitoring is designed to be operated by the business process owner (without IT intervention) which facilitates better controls as the same person who is responsible for the control owns the controls. Independent CMA solutions that are not sold by financial applications vendors provide independent verification of controls effectiveness.
Ongoing Monitoring
Controls are reviewed to ensure that they are being applied as expected.
Internal auditors are prohibited from having an operating role in the activities they monitor.
Management is required to respond in a timely manner to the internal audit department's findings and recommendations. Internal and/or external audit comments and management responses are provided to the audit committee or board of directors. Complaints of improper financial matters by external parties such as suppliers or regulators are fully investigated and documented.
Reporting Deficiencies
Discrepancies that have been identified by customers are investigated and resolved.
CMA solutions can not only identify discrepancies in financial applications but they can also identify the root cause of the discrepancy to enable a faster remediation of the issue.
Controls that should have prevented or detected problems are reassessed when problems occur. Personnel with the requisite skills conduct evaluations of appropriate portions of the internal control system.
CMA solutions can automate the control testing for financial applications reducing the need for highly skilled personnel to manually conduct control testing. CMA solutions enable audit to monitor 100% of financial system controls on a daily or weekly basis rather than a 5% sample performed on a quarterly basis.
Separate Evaluations
The frequency and scope of supervision and monitoring activities are appropriate to the size and nature of the entity.
Separate Evaluations
Supervisory personnel perform various random and structured reviews over the functioning of control procedures.
The responsibilities and expectations for the entity's business activities and the entity's philosophy about identification and acceptance of business risk are clearly communicated to the executives in charge of separate functions.
Risks are reviewed periodically with the appropriate corporate governance functions (e.g., executive management, disclosure committee, audit committee, and legal). The business planning process includes a broad spectrum of personnel with collective knowledge of all areas of the entity.
Manage Change
The business planning process includes consideration of changes in the business environment, including the industry, competitors, the regulatory environment, and customers.
Changes in risks are identified in a timely manner. Changes are appropriately communicated to the proper level of management (depending on the significance). Management has identified the resources needed to achieve the objectives and has plans to acquire the necessary resources. Budgets and forecasts are updated throughout the year to reflect changing conditions.
Purchasing
All purchase orders issued are input and processed. Purchasing has established and follows policies and procedures to qualify and evaluate vendors prior to becoming approved vendors. There is an approved/preferred vendor list that is maintained by the purchasing department. A threshold has been established for obtaining competitive bids and quotations for expenditures. After-the-fact POs are identified, tracked, and followed-up on regularly. Vendor performance (price, product quality, delivery, etc.) is monitored periodically. Purchase price variances are monitored to evaluate the effectiveness of the purchasing department. Justification for using sole source vendors is documented and approved by management. There is a contingency plan for alternative sources of supply with respect to sole source vendors. Unused/open purchase orders are reviewed periodically and investigated by individuals independent of the purchasing and receiving functions. Contents of incoming shipments, as listed on the packing slip or bill of lading, are compared to the physical product(s) received. Approved purchase orders are required for all receipts.
CMA solutions can ensure that vendor policies such as credit limits are not violated.
CMA solutions can identify purchase orders that are issued after goods are received.
CMA solutions can identify open purchase orders independent of purchasing and receiving departments.
Receiving
A sequentially numbered receiving report is generated for all items received. All receipts are physically processed and recorded timely in the relevant systems. The receiving department maintains a permanent record of original receiving documents (packing slips, bills of lading, and receiving reports). Written procedures exist identifying which inbound goods require inspection before being released to production. Rejected goods are clearly marked and segregated to prevent use. Rejected goods are promptly returned to the vendor for credit. There are procedures in place to ensure adequate cut-off of receipts at period end. Amounts posted to accounts payable represent goods or services received. Only original invoices are processed for payment.
Processing Accounts Payable
Prices and extensions on invoices are checked for accuracy. Vendor discounts are taken in accordance with current cash management guidelines. Invoices processed for payment are marked/perforated to prevent duplicate processing/payment. System logic prevents duplicate invoices from being processed. Accounts payable amounts are accurately calculated and recorded. All amounts for goods or services received are input and processed to accounts payable in the appropriate period. Credit notes and other adjustments are accurately calculated and recorded. All valid credit notes and other adjustments related to accounts payable are input and processed in the appropriate period. Vendor invoices are matched to purchase order receiving information prior to payment. Disbursements are only made for goods and services received. Disbursements are distributed to the appropriate suppliers.
Disbursements are accurately calculated and recorded. All disbursements are recorded in the period in which they are issued.
CMA solutions can identify anomalies in accounts payable vs. goods received. CMA solutions can monitor changes to master data and identify duplicate payment of invoices.
CMA solutions can monitor master data information including vendor discounts.
CMA solutions can identify duplicate payments. CMA solutions can identify anomalies in accounts payable vs. goods received.
CMA solutions can perform 3-way matching to ensure that payments are not disbursed to invoices without matching purchase orders. CMA solutions can identify disbursements made without goods or services received. CMA solutions monitor master data so that appropriate supplier information is correct.
CMA solutions can identify disbursements made outside of the period they were issued.
Processing Accounts Payable
Maintaining Vendor Master File
Accounts payable sub-ledger is reconciled to the general ledger at least monthly. Debit balances in the accounts payable subsidiary ledger are promptly investigated and, if necessary, refunds are obtained from vendors. All necessary accruals (received not vouchered) are computed and recorded at period end.
Only valid changes are made to the supplier master file. All valid changes to the supplier master file are input and processed. Changes to the supplier master file are accurate and are processed in a timely manner. Supplier master file data remains pertinent. Access to the vendor master file is limited to appropriate individuals. The functions to create vendor master file, prepare an invoice for payment, create the check run, sign and distribute checks are segregated.
CMA solutions monitor master data so that appropriate supplier information is correct.
CMA solutions monitor access to vendor master file. CMA solutions monitor segregation of duty access controls to ensure changes to vendor master file, prepare invoice for payment, and distribution of checks are segregated.
Recorded fixed asset acquisitions represent fixed assets acquired by the organization. Prior to the acquisition of any fixed asset, a capital authorization is obtained. Fixed asset acquisitions are accurately recorded in the appropriate period. All fixed asset acquisitions are recorded. Capital expenditure overruns are anticipated and properly approved.
Depreciation charges are accurately calculated and recorded. All depreciation charges are recorded in the appropriate period. Recorded fixed asset disposals represent actual disposals.
CMA solutions monitor the proper security within the ERP to reduce unauthorized changes.
Disposing of Fixed Assets
Managing Fixed Assets
CMA solutions monitor the proper security within the ERP to reduce unauthorized changes.
Fixed asset disposals (and related gain/loss) are accurately calculated and recorded. Fixed asset disposals (and related gain/loss) are recorded in the appropriate period. Records of fixed asset maintenance activity are accurately maintained. Fixed assets are adequately safeguarded. Fixed asset maintenance records are updated timely.
Managing Fixed Assets
Maintaining Fixed Asset Register and/or Master File
The Fixed asset register is reconciled to the General Ledger on a regular basis. Management performs regular reviews for impairment of fixed assets. A physical inventory of fixed assets is taken periodically and reconciled to the fixed asset register and general ledger. Only valid changes are made to the fixed asset register and/or master file.
All valid changes to the fixed asset register and/or master file are input and processed accurately.
CMA solutions monitor master data files and General Ledger to ensure only valid changes are made.
Changes to the fixed asset register and/or master file are processed in a timely manner.
Access to transactions such as depreciation, purging fixed assets, changing the fixed asset register and master data should be reviewed on a regular basis.
CMA solutions monitor sensitive transaction access control to ensure that the appropriate people have access to such transactions.
Managing Inventory
CMA solutions monitor access to change prices ensuring only authorized users can change prices. CMA solutions monitor access to change prices or quantities ensuring only authorized users can change prices.
Managing Inventory
Receiving and Storing Raw Materials
Requisitioning Materials
CMA solutions can identify materials without valid purchase orders. CMA solutions monitor access to receive and record materials ensuring only authorized users can perform transactions.
All raw materials received are recorded. Receipts of raw materials are recorded timely and in the appropriate period. Defective raw materials are returned timely to suppliers. All transfers of raw materials to production are recorded accurately and in the appropriate period. All recorded production costs are consistent with actual direct and indirect expenses associated with production. All direct and indirect expenses associated with production are recorded as production costs. All direct and indirect expenses associated with production are recorded accurately and in the appropriate period.
Producing/Costing Inventory
CMA solutions monitor access to record production costs ensuring only authorized users can perform transactions.
Producing/Costing Inventory
All transfers of completed units of production to finished goods inventory are recorded completely and accurately in the appropriate period. All defective products and scrap resulting from the production process are valid and recorded completely and accurately in the appropriate period. Finished goods returned by customers are recorded completely and accurately in the appropriate period. Finished goods received from production are recorded completely and accurately in the appropriate period. Goods received from production or returned by customers are only accepted in accordance with the organization's policies. All shipments are recorded accurately. Shipments are recorded timely and in the appropriate period. Inventory is relieved only when goods are shipped with approved customer orders. Costs of shipped inventory are transferred from inventory to cost of sales. Costs of shipped inventory are recorded accurately.
z z z z z z z z z z z z z z z z z z
CMA solutions monitor access to record transfers of completed units ensuring only authorized users can perform transactions. CMA solutions monitor access to record transfers of completed units ensuring only authorized users can perform transactions.
Producing/Costing Inventory
Handling Finished Products Handling Finished Products Handling Finished Products Shipping Finished Products Shipping Finished Products Shipping Finished Products Shipping Finished Products Shipping Finished Products
CMA solutions monitor access to record transfers of completed units ensuring only authorized users can perform transactions. CMA solutions monitor access to goods received ensuring only authorized users can perform transactions. CMA solutions monitor access to shipping ensuring only authorized users can perform transactions.
CMA solutions monitor access to shipping ensuring only authorized users can perform transactions. CMA solutions monitor access to shipping ensuring only authorized users can perform transactions.
Shipping Finished Products Shipping Finished Products Maintaining Inventory Master File Maintaining Inventory Master File Maintaining Inventory Master File Maintaining Inventory Master File Maintaining Inventory Master File
Amounts posted to cost of sales represent those associated with shipped inventory. Costs of shipped inventory are transferred from inventory to cost of sales timely and in the appropriate period. Only valid changes are made to the inventory management master file. All valid changes to the inventory management master file are input and processed. Changes to the inventory management master file are accurate.
CMA solutions can monitor the master file and identify unauthorized changes. CMA solutions can monitor the master file and identify unauthorized changes. CMA solutions monitor access to inventory management master data ensuring only authorized users can perform transactions.
Changes to the inventory management master file are processed timely. Inventory management master file remains pertinent. Periodic inventory counts are performed to confirm inventory records. Selection of items for count is segregated from performing the count, which is in turn segregated from recording the count. System count is reflected on cycle count worksheets (e.g. Blind counts are performed).
Inventory Accounting
Inventory Accounting
Physical counts verify quantities on hand. Written instructions are used by physical count personnel that provide guidance on timing of the count, number and composition of the count teams, areas of responsibility, how to perform and record the physical counts and count sheet control. Discrepancies between physical counts and perpetual inventory records are researched prior to posting any adjustments to the perpetual and/or accounting records. Inventory count crews are supervised. Receiving/shipping during physical counts is controlled. Perpetual records are reconciled to physical counts. Perpetual/physical is reconciled to the general ledger. Procedures are in place to adjust slow moving, obsolete, or damaged items to their expected realizable value. Access to transactions such as inventory received, recording defective goods, shipping inventory and master data should be reviewed on a regular basis.
CMA solutions monitor segregation of duties access controls to ensure changes to inventory received, recording defective goods, shipping inventory and master data are segregated.
Inventory Accounting
Inventory Accounting
Inventory Accounting Inventory Accounting Inventory Accounting Inventory Accounting Inventory Accounting Inventory Accounting
z = Significant opportunities to implement a controls monitoring and audit (CMA) solution z = Some opportunity to implement a controls monitoring and audit (CMA) solution z = Little or no opportunity to implement a controls monitoring and audit (CMA) solution
Terminating Personnel
CMA solutions can monitor access to the master data file and ensure only authorized access which reduces master file data errors.
Recording Time Recording Time Recording Time Calculating Payroll Calculating Payroll Disbursing Payroll Disbursing Payroll Disbursing Payroll Maintaining Payroll Master Files
Time and attendance data recorded reflects actual time worked and is authorized. Time worked is accurately input and processed. Time worked is processed in a timely manner. Payroll is recorded in the appropriate period. Payroll (including compensation and withholdings) is accurately calculated and recorded. Payroll disbursements and recorded payroll expenses relate to actual time worked.
CMA solutions can check for expired employee status to ensure terminated employees are not receiving payroll.
CMA solutions can monitor access to the master data file and ensure only authorized access which reduces master file data errors.
Maintaining Payroll Master Files Maintaining Payroll Master Files Maintaining Payroll Master Files Maintaining Payroll Master Files Managing Payroll Accounting Managing Payroll Accounting
All valid changes to the payroll master files are input and processed.
CMA solutions can monitor access to the master data file and ensure only authorized access which reduces master file data errors.
Payroll related accruals/provisions reflect the existing business circumstances and economic conditions in accordance with the accounting policies being used. All payroll sub-ledgers and payroll-related bank accounts are reconciled to the general ledger at least monthly.
CMA solutions can check if credit limits for existing customers have been exceeded. CMA solutions can check if appropriate approvals have been attained.
Managing and Processing Orders Managing and Processing Orders Managing and Processing Orders Managing and Processing Orders Managing and Processing Orders
CMA solutions can monitor access control to managing and processing orders so that only authorized transactions can be performed which reduces errors. CMA solutions can monitor orders that may be processed for invalid customers, on credit hold or exceeding their credit limit.
Managing and Processing Orders Managing and Processing Orders Managing and Processing Orders Shipping
CMA solutions can identify invalid orders. CMA solutions can monitor access control to invoicing and accounts receivable functions to ensure segregation of duties.
Shipping
There are standard policies and procedures and they are followed by personnel. Sequentially numbered shipping documents (BOL, customs forms, ASN, etc.) are prepared for all items shipped. The daily shipping register is reconciled against orders shipped. Shipped orders are transferred for invoicing promptly. Period-end procedures exist and are followed to ensure proper cutoff of shipping activity. Invoices are generated using authorized terms and prices. Invoices are accurately calculated and recorded.
Shipping
Shipping Shipping Shipping Invoicing, Sales Returns and Adjustments Invoicing, Sales Returns and Adjustments Invoicing, Sales Returns and Adjustments Invoicing, Sales Returns and Adjustments Invoicing, Sales Returns and Adjustments Invoicing, Sales Returns and Adjustments Invoicing, Sales Returns and Adjustments Invoicing, Sales Returns and Adjustments Invoicing, Sales Returns and Adjustments Invoicing, Sales Returns and Adjustments Invoicing, Sales Returns and Adjustments Invoicing, Sales Returns and Adjustments
CMA solutions can identify invoices with terms that fall outside the scope of authorized terms and prices.
CMA solutions can identify goods shipped with no invoice. CMA solutions can identify invoices with no goods shipped.
CMA solutions can identify invoices posted out of period. CMA solutions can monitor access control to credit notes and adjustments to accounts so that only authorized transactions can be performed which reduces errors. CMA solutions can identify credit notes and adjustments with terms that fall outside the scope of authorized credit and adjustments. CMA solutions can identify credit notes with no goods returned.
Credit notes and adjustments to accounts receivable are accurately calculated and recorded. Credit notes for all goods returned and adjustments to accounts receivable are issued in accordance with organization policy. All credit notes relate to a return of goods or other valid adjustments. All credit notes issued are recorded. Credit notes issued are recorded in the appropriate period. Accounts Receivable reflects the existing business circumstances and economic conditions in accordance with the accounting policies being used. Sales and Accounts Receivable information is appropriately presented, and all information that is necessary for fair presentation and compliance with professional standards or legal requirements is disclosed. Cash receipts are recorded in the period in which they are received. Cash receipts data are entered for processing completely and accurately.
CMA solutions can identify exceptions to sales and accounts receivable policies as well as ensure proper segregation of duties for access to sales and accounts receivables systems. CMA solutions can identify cash receipts posted out of period. CMA solutions can monitor access control to cash receipts so that only authorized transactions can be performed which reduces errors.
Processing Cash Receipts Processing Cash Receipts Processing Cash Receipts Processing Cash Receipts Processing Cash Receipts Processing Cash Receipts Managing Accounts Receivable Managing Accounts Receivable Managing Accounts Receivable Managing Accounts Receivable Managing Accounts Receivable Managing Accounts Receivable
Cash receipts data are valid and are entered for processing only once. Checks are manually logged with customer name, date and amount when received. Checks are restrictively endorsed immediately upon receipt. Checks are physically secured until deposited. Cash discounts are accurately calculated and recorded. Unapplied cash receipts are reviewed and resolved promptly. Timely collection of accounts receivable is monitored. All A/R accounts and sub-ledgers are reconciled to the general ledger at least monthly. The A/R aging is reviewed at least monthly for past-due accounts and unusual items and these items are followed up on a timely basis. Bank reconciliations are prepared and reviewed timely. The allowance for doubtful accounts is reviewed and adjusted (if necessary) at least quarterly for potential uncollectible accounts. Write-off policies and procedures have been established and adhered to.
CMA solutions monitor access and transaction changes to the master file to ensure only appropriate people have access to the file and only appropriate changes are made to the file.
All valid changes to the customer master file are input and processed. Changes to the customer master file are accurate and processed timely.
CMA solutions monitor access and transaction changes to the master file to ensure only appropriate people have access to the file and only appropriate changes are made to the file.
All investment income is accurately calculated and recorded in the appropriate period.
Managing Cash and Investments Managing Derivative Transactions Managing Derivative Transactions Managing Derivative Transactions Managing Derivative Transactions Managing Derivative Transactions Managing Derivative Transactions Managing Derivative Transactions Managing Derivative Transactions Managing Derivative Transactions Managing Derivative Transactions Managing Derivative Transactions Cash Accounting Cash Accounting Cash Accounting Cash Accounting
Senior management has an understanding of the organization's derivative activities. Recorded derivative transactions represent assets or liabilities of the organization. Disclosed off-balance sheet derivative transactions represent valid transactions.
All off-balance sheet derivative transactions are disclosed in the financial statements.
Off-balance sheet derivative transactions are recorded in the financial statements in the appropriate period. All investment income on derivative transactions is accurately calculated and recorded in the appropriate period. All interest expense on derivative transactions is accurately calculated and recorded in the appropriate period. Reconciliations of all cash and investment accounts are performed monthly. Appropriate segregation of duties is established for the input, release and reconciliation of wire transfers and daily cash activity. All bank accounts have been authorized by Corporate treasury. Appropriate procedures are established to ensure signers on bank accounts are properly removed upon termination.
Cash Accounting Cash Accounting Cash Accounting Cash Accounting Cash Accounting
Policy has been established which defines appropriate Petty Cash amounts, usage, required approvals and replenishment procedures. Petty cash accounts are reconciled to the general ledger at least monthly. Only miscellaneous items less than a pre-defined amount are paid through petty cash. All payments are supported with appropriate documentation and are reviewed for reasonableness. The cash balances in the petty cash funds are reconciled and reviewed by an independent person monthly.
Accounts Receivable
Other Assets
Liabilities Accounts Payable Accounts payable Competitive bids Request for proposal Purchase requisitions Purchase orders Contracts Purchasing procedures Vendor selections Vendor file maintenance Equipment rentals General Accrued expenses (employee benefits, debt restrictions, vessel operations, interest, severance, advances) Deferred revenue Allowance for bad debts Bank overdrafts Income taxes Accrued employee compensation Deferred taxes Warranties General Long-term debt (Approval, debt issuance cost, accounting for current maturities) Subsidiaries with separate debt Operating and capital lease obligations Short-term debt Capital stock Stock transactions Revenue recognition Revenue reporting Cost of sales Third party reimbursable expenses Payroll Operating income (expense) Capitalization Depreciation and amortization Research and development Selling, general and administrative costs Travel and entertainment Impairment of long-lived assets Steaming and mobilization Income (loss) from associated companies Interest expense/income Minority expense Results of discontinued operations Insurance Other expenses Fiscal adjustments
Other Liabilities
Debt
General Financial Management Chart of accounts Consolidation Segment reporting and disclosures Reporting packages Business combinations Period-end financial reporting Month-end closing procedures Reconciliations Inter-company allocations Variable interest entities Commitments and contingencies Related parties Disclosures Process change control Unusual transactions Budgeting and forecasts Release of financial/ confidential information Journal entry Employment (hiring, promotion) policies Employee benefits Compensation / Payroll Termination Performance appraisals Executive compensation Incentive compensation Employee handbook Attendance, holidays, vacation, sick leave Relocation payments Internal transfers Family & medical leave Americans with Disabilities Act Share-based compensation plans Fair employment practices Orientation and training Employment verifications / background check Equal opportunity Sexual harassment / other harassment New employee processing Hiring of consultants / contractors Personnel files and records Information security Systems change policy Software licensing Electronic information (e-mail) systems Trade shows Workplace rules, safety and health Disaster management / business resumption Corporate credit cards Use of company vehicles Magazine subscriptions
Human Resources
Information Technology
Other
Corporate Governance
General
Board of Directors
Internal Audit
Record retention, storage and disposal Ethics hotline and policy on handling of complaints US Antitrust Law Compliance Delegation of authority Code of Conduct Entertainment and gifts Insider trading Related party transactions Conflict of interest Foreign corrupt practices act Personal loans to directors and executive officers Corporate governance guidelines Audit committee charter Remuneration committee charter Internal audit charter Pre-approval of audit and non-audit services
ABOUT APPROVA
Approva Corporation is the industry-leading provider of continuous controls monitoring and audit software. We enable business, finance, IT and audit professionals to automate the on-demand testing, closed-loop remediation and continuous, exception-based monitoring of controls within and across their business systems. Using our solutions, customers are able to significantly increase visibility into their controls, streamline the audit process, cost-effectively sustain their compliance initiatives and reduce exposure to mistakes, fraud and inefficiencies for business processes such as procurement, sales and delivery, payroll and financial close. In addition, our automated solutions act as key preventative and detective controls, further strengthening our customers' financial and operational control environments. Global companies such as Campbell Soup Company, Colgate-Palmolive, the Commonwealth of Pennsylvania, DirecTV, Discovery Communications, McCormick & Company, P&G, Pratt & Whitney, Siemens and Wyndham Hotels & Resorts rely on Approva BizRights Platform and Enterprise Controls Suite to reduce compliance risk, increase operational efficiency and flag exceptions to their business controls. For more information: Website: www.approva.net Information: info@approva.net Sales: sales@approva.net