Appendix A. Simplified Sample Entity-Level Control Matrices


Internal Control Strategies: A Mid to Small Business Guide, by Julie Harrer. Copyright 2008 Hamlet ing Corp.

Appendix A: Simplified Sample Entity-Level Control Matrices

Control Environment

| Control area | Possible controls | Responsible party | Examples of evidence |
|---|---|---|---|
| Integrity and ethical values | Code of conduct is approved by the board and signed by all employees. Code is updated annually. | HR | Code of conduct document approved by the board of directors; copies of employee signoff forms confirming acceptance; e-mails or memos of code to employees; presentations to employees that include slides on ethics or code |
| Commitment to competence | Accounting, tax, and IT personnel perform tasks according to training manuals, desktop procedures, or policies. They receive ongoing training to keep skills current. | HR, audit | Finance, IT, and tax training manuals, desktop procedures, or company policies; samples of continuing education or credential certificates for key employees |
| Management's philosophy and operating style | Board is independent of management; CFO attends board and executive meetings; turnover in senior executive positions is monitored; audit committee has at least one financial expert; effectiveness of audit committee is assessed and monitored by board of directors. | Board of directors, audit committee | Financial expert biography for audit committee; assessment of audit committee; statement of independence of board/audit committee |
| Organizational structure | Organizational charts are maintained depicting titles and reporting structure. | | Current organization chart |
| Assignment of authority | Assignment of responsibility follows organizational charts; documented levels of authority exist in areas such as capital expenditures, cash, purchases, and credit approvals. | | Signature authorization policy; purchase authority levels |
| Human resource policies and procedures | Company has an HR manual that covers procedures for training, promoting, and compensating employees; formal job descriptions exist; company has a well-established performance evaluation process with all employees evaluated at least annually; employee retention and promotion criteria are linked to the performance evaluation process. | HR and department heads | Copy of HR manual; samples of employee signatures showing they received a copy of HR manual; listing of job descriptions; performance evaluation policy and examples; evidence that bonuses and promotions are based on performance |
| Board of directors and committees | Board and committee charters are in place; board approved a 3-year strategic plan; board has several active committees. | Board of directors | Charter; strategic plan approved by board of directors; listing of board committees; relevant board minutes; audit committee assessments |
| Information technology | IT strategic plan aligns with company's business plan; IT understands its roles and responsibilities as they relate to internal controls. | | IT strategic plan or section of company strategic plan; e-mails from IT on access, security, or other internal control topics |

Information and Communication

| Control area | Possible controls | Responsible party | Examples of evidence |
|---|---|---|---|
| Financial reporting policies | Financial reporting policies and procedures exist and are communicated to relevant employees and management. | Department heads/regional managers | E-mails or presentations to financial reporting staff; EDGAR procedures; reporting procedures |
| Accounting and internal control policies | Accounting policies exist and are communicated to relevant employees and management. | | E-mails or presentations to accounting staff on policies |
| Lines of communication | Financial results are communicated at least quarterly to senior management, board of directors, and audit committee; relevant information on ethics and policies is communicated to employees and management. | | Presentations to board of directors or committees |
| Distribution of information | Company has a policy for the distribution of critical information to the public. | | Procedures or policy for reporting information to the public; e-mails; board of directors meeting minutes |
| Section 16 | Company has a policy for Section 16/insider purchases of company stock. Policy has been communicated to employees and management. | | Procedures or policy for reporting information to the public; e-mails; board of directors meeting minutes |
| Data integrity, information classification, and security | Ownership and responsibilities for data integrity, information classification, and security have been defined and communicated to management and employees. | | Procedures or policy for reporting information to the public; e-mails; board of directors meeting minutes |

Risk Assessment

| Control area | Possible controls | Responsible party | Examples of evidence |
|---|---|---|---|
| Company-wide objectives; business risk identification; inherent risk identification and strategy | Management oversees the risk assessment process and takes action to address the significant risks identified. Management creates and follows a 3-year strategic plan. Management performs an annual risk assessment and presents it to the board of directors. Management's budget, forecast, and strategic plans are communicated to the board of directors and employees. | Management or senior management | Board minutes; strategic plan; annual business unit planning/strategy meetings; risk assessment; board presentation of risk assessment; presentations and e-mails or memos to employees on budgets and forecasts |
| Managing change | Management communicates changes that may have a significant effect on the entity to the board of directors or audit committee. Accounting department has a process in place to identify and address changes in GAAP, the operating and regulatory environment, and related party transactions. | Controller or chief financial officer, or senior management | Company presentations, e-mails, memos; legal and accounting practices; meeting agendas and presentations; continuing education for accountants |
| Managing change: information technology | IT and systems risks are part of the company's annual risk assessment. | Chief financial officer or audit committee | IT risk or strategy meeting agenda/minutes/presentation |

Monitoring

| Control area | Possible controls | Responsible party | Examples of evidence |
|---|---|---|---|
| Separate evaluations | Self-assessment reviews. | Business unit managers | Self-assessment questionnaires and documentation |
| Reporting deficiencies | Investigations performed to evaluate compliance and deficiencies. Results reported to the audit committee. | Audit or audit committee | Audit reports or presentations |
| Ongoing monitoring | Company performance, risk, and operations are monitored. | | Presentations to board of directors or committees |
| Ongoing monitoring | Financial results are monitored and financial statements are reviewed before filing with the SEC. | Controller or chief financial officer | Presentations for audit committee meetings |
| Information technology | IT monitors adherence to policies, procedures, and standards. | | Monitoring reports (backups/help desk); monthly/quarterly meeting minutes/presentations/agendas |

Anti-Fraud

| COSO component | Control area | Possible controls | Responsible party | Examples of evidence |
|---|---|---|---|---|
| Control environment | Code of conduct | Code of conduct is approved by the board and distributed to new employees. Code is updated annually. | Human resources | |
| Control environment | Whistleblower program | Whistleblower program is in place and is monitored by the audit committee. | | Hotline information, reports on hotline complaints, procedures for resolving complaints, logs of reported incidents |
| Control environment | Hiring and promotion | Background and references are checked for new hires. Job descriptions and qualifications are prepared and followed for each open position. | Human resources | Hiring and promotion policies; reference and background check forms or examples |
| Monitoring | Monitoring | Audit committee effectively oversees the company's anti-fraud program and meets at least once a year to discuss the anti-fraud program and fraud risks. | | Relevant audit committee or board of directors meeting minutes or e-mails |
| Risk assessment | Fraud scenarios | Fraud risk assessment including fraud scenarios is prepared and presented to the audit committee or board of directors at least annually. | Audit | Fraud risk assessment to include listing of scenarios, analysis, and controls in place to mitigate risks |
| Control environment | Tone at the top | Code of conduct and ethical tone at the top are communicated to management and employees. | | E-mails, presentations, intranet addresses where code of conduct, HR policies, and other fraud-related matters have been communicated to management or employees |
| Control activities | Control activities | Specific fraud-related control activities are identified. | Audit | Listing of control activities that mitigate fraud risks |