Addressing Sarbanes-Oxley in Manufacturing Organizations


Transcript of "Addressing Sarbanes-Oxley in Manufacturing Organizations "

  1. Addressing Sarbanes-Oxley in Manufacturing Organizations
      - What Does it Mean and How to Become Compliant within the Sarbanes-Oxley Law
      - Presented By: Andy Vitullo, Principal, Logan Consulting
  2. Who is Logan Consulting?
      - Logan Consulting is a professional services firm committed to helping businesses get the most from their information technology investments. Since 1992, we have been helping companies develop and execute business management and information systems strategies...from ERP selections and implementations to e-business planning to strategic IT applications.
  3. Who is Logan Consulting?
      - Operating throughout North America, our clients are equally diverse...from global Fortune 100 companies to regional manufacturers...in both process and discrete industries.
  4. BIO: Andy Vitullo
      - Former Controller, Accounting Manager, Tax Preparer, Auditor.
      - CPA, State of Ohio
      - BS, Accounting –
      - Financial Accountant with over 15 years of experience.
      - An Implementer of ERP with over 8 Years of Experience.
  5. Agenda
      - Sarbanes-Oxley Law
      - 404 Requirements
      - Considerations for Your Company’s Internal Control Environment
      - Becoming Compliant with the Law: A phased project approach
      - Utilizing QAD MFG/PRO’s inherent “PREVENT Controls”
  6. Why Was Sarbanes-Oxley Passed
      - A perception that public companies failed to exercise appropriate corporate governance, which in turn led to fraudulent activities at certain public companies.
        - Enron, WorldCom, Tyco, Adelphia, etc.
      - Most dramatic business legislation in the last 50 years.
  7. Who Does it Apply To?
      - Any public company required to file financial statements with the Securities and Exchange Commission (SEC)
      - Approximately 17,000 public equity and debt registrants
  8. Focus of Law is on Sections 302 and 404
      - Section 302 specifies the CEO and CFO must personally certify they are responsible for internal controls’ and procedures’ design, effectiveness, conclusions, and disclosure
      - They must disclose significant control changes, deficiencies, weaknesses, and fraud to their audit committee and external auditors
      - Section 404 mandates that management evaluate and opine on their internal controls in their annual report
      - The independent auditor must attest to management’s assessment of the effectiveness of financial reporting internal controls and procedures
  9. What are Effective Controls
      - “A process designed to provide reasonable assurance regarding the achievement of business objectives” *
      - A process used by people, not an event
      - Reasonable but not absolute assurance
      - Business objectives include:
        - Effectiveness and efficiency of operations
        - Reliability of financial reporting
        - Compliance with applicable laws and regulations
      - * Committee of Sponsoring Organizations (COSO)
  10. Selected Related Events
      - 1985 - Treadway Commission
        - Report on Fraudulent Financial Reporting
        - Focus on control environment, codes of conduct, and competence and participation of audit committee
        - Created Committee of Sponsoring Organizations (COSO)
      - 1992 - COSO Published “Internal Controls - Integrated Framework”
        - Defined roles and responsibilities of management
        - Established framework for establishing, evaluating, monitoring, and reporting on internal controls
  11. Selected Related Events
      - 2002 - Sarbanes-Oxley Act of July 2002
        - Articulates compliance responsibilities for board and management
        - Relevant sections:
          - 301 - Procedures for handling complaints of financial problems and potential fraud
          - 302 - Disclosure certification of quarterly and annual financial reports
          - 401 - Disclosure of periodic off-balance-sheet transactions, pro-forma income statements, etc.
          - 404 - Management assessment of financial reporting internal controls
          - 409 - Real time issuer disclosures
          - 802 - Criminal penalties for altering documents
          - 806 - Protection for those who provide fraud evidence
  12. Complying with the Sarbanes-Oxley Law
      - The SEC specifies that a corporation must select an industry-recognized controls framework
      - The SEC recognizes COSO’s framework, the most used
      - This framework provides structure for an internal controls program
      - It is also helpful in organizing the evaluation reporting
  13. Additional Information
      - Audit Requirements Prior to the Act as they relate to Internal Controls
        - Prior to the Act, the focus of an audit of the financial statements has been to provide an opinion on a company’s financial statements and not to report on internal control. Therefore, it is unlikely that companies will already possess sufficient, organized documentation to support management’s assessment of the effectiveness of internal control.
  14. Additional Information
      - A Sarbox Audit is incremental to the Annual External Audit of the Financial Statements.
      - Incremental costs are estimated at anywhere from 50 to 80 percent of the Standard External Audit. (Source: SEC: Survey of Filing Companies).
  15. Overview (404)
      - Requires management evaluation and auditor attestation to the presence and effectiveness of internal controls over financial reporting.
        - Companies must report annually on internal controls in Form 10K and disclose:
          - Management’s responsibility for establishing and maintaining internal controls and procedures for financial reporting
          - Management’s conclusions as to the effectiveness of the internal controls and procedures for financial reporting
          - A statement identifying the framework used by management to evaluate the effectiveness of internal controls
          - A statement that independent auditors have issued a separate report attesting to management’s assertions
  16. Impact on your Company (404)
      - Identify financial processes and accounts at Corporate and OpCo levels
      - Document internal controls
        - Enterprise level controls
        - Process/transaction/application level controls
      - Test internal controls and assess effectiveness
      - Obtain independent auditor attestation
      - Implement remediation steps if necessary
      - Establish ongoing monitoring and certification of effectiveness
  17. Financial Statement Assertions (404)
      - Existence or Occurrence
      - Completeness
      - Valuation or Measurement
      - Rights and Obligations
      - Presentation and Disclosure
  18. Evaluation of Controls (404)
      - Internal Control Deficiency
      - More than remote likelihood of misstatement of financial statements; more than inconsequential in amount *
      - SIGNIFICANT DEFICIENCY: Must be reported to Audit Committee
      - By itself or in combination with other deficiencies, results in more than a remote likelihood of material misstatement in financial statements
      - MATERIAL WEAKNESS: Must be referred to in Attestation Report (results in adverse opinion)
      - * Determined through judgment – there is not a published guideline for this.
  19. Levels of Controls (404)
      - EXAMPLE ENTERPRISE LEVEL CONTROLS
        - Corporate Acquisitions Processes
        - Corporate and Operating Unit Sub Company Certification Process (SOX 302)
        - Good Audit Committee Processes
        - Corporate Consolidation Process
        - Financial Reporting Process
        - Internal Audit
      - EXAMPLE TRANSACTION/PROCESS/APPLICATION LEVEL CONTROLS
        - Quote to Cash Cycle
        - Record to Report Cycle
        - Purchase to Pay Cycle
        - Inventory Production and Control Cycle
        - Record and Monitor Debt
        - Calculate Income Taxes
        - Asset Management - Capitalization
        - Estimate Self-Insurance Accruals
        - Assess Assets for Impairment
  20. Suggested Participants in Compliance Project (404)
      - SPONSOR/STEERING COMMITTEE
        - CEO
        - COO
        - CFO
        - Audit Committee Representative
        - IT Representative
      - PROJECT OFFICE
        - Corporate
        - Operations
        - Strategic Partners (External Auditor and Services Partner)
      - PROJECT TEAM
        - Operating Company Controllers
        - Director of Financial Reporting
        - Director of Internal Audit
        - Director of IT Financial Systems
      - OPERATING COMPANY
        - Functional Managers
          - Financial Systems
          - Operational Systems
        - Individual Contributors
  21. Scoping and Planning (404)
      - High-Level Analysis – Identify Significant Accounts and Locations
      - Classify Processes Affecting the Significant Accounts
        - Routine Data Processes
        - Non-Routine Data Processes
        - Estimation Processes
      - Determine Controls To Document and Test
  22. Prototype Processes (404)
      - Select distinct processes to prototype
        - Accounts Payable Process
        - Revenue Recognition Process
        - Non-routine process
        - Estimation process
      - Documentation will be basis and template for remaining processes
      - Functional managers at operating company will work together with project team
  23. Training & Education (404)
      - Operating Companies: Majority of work to be done by functional managers and individuals at each operating company
      - Project Team: Project team will develop training/project materials:
        - Guidelines
        - Templates
        - Reporting requirements
      - Training & Education: Educate operating company participants via road-show training sessions
  24. Documentation (404)
      - Documentation of Process and Internal Controls
      - Detailed documentation to be done after risk assessment and internal control process inventory is complete
      - To be done by the process owner at operating company
      - Uniform basis using common templates and techniques
  25. Evaluation (404)
      - Project team will evaluate controls, documentation and reporting
      - Any control deficiencies will be explored and remedial steps will be taken
      - Communication with External Auditors
  26. Independent Auditors (404)
      - Independent Auditor Review and Attestation
        - Ongoing involvement in scoping, planning and training
        - Required to perform their own testing and assessment
        - Project team will facilitate information flow and communication
  27. Ongoing Monitoring (404)
      - A comprehensive process will be documented and implemented
      - Primary responsibility at Controller level, reporting up to senior management
      - Examples include:
        - Reconciliation reviews
        - Management reports
        - Internal audit reviews
        - Ad hoc monitoring
  28. Considerations for Documenting Controls at the Process, Transaction, or Application Level
      - Identify Significant Accounts
      - Identify the Major Classes of Transactions and Related Processes that influence the Significant Accounts.
      - Ask “What can go Wrong” questions
      - Identify Controls
  29. Identify Significant Accounts
      - An Account is significant if it can contain errors of importance in management’s judgment
      - Factors to Consider in Determining if an Account is Significant
        - Size and Composition of the account, including its susceptibility to loss or fraud.
        - Volume of activity and the homogeneity of the transactions processed through the account.
        - Subjectivity in determining the account balance.
        - Nature of Account: Suspense accounts generally require greater attention.
        - Accounting and Reporting complexities associated with the account.
        - Existence of Related Party transactions.
  30. Significant Accounts Example
      - Allowance for Doubtful Accounts
        - Generally considered a significant account separate from accounts receivable, since balances that affect the allowance account are based on management estimation processes rather than on routine transactions (i.e. sales and cash receipts)
  31. Significant Accounts
  32. Identify the Major Classes of Transactions and Related Processes that influence the Significant Accounts.
      - Correlate Business Processes to Significant Accounts (i.e., Segregate Inventories between purchasing, WIP, distribution of FG, maintenance)
      - Categorize Transaction Types as:
        - Routine – (Sales, Cash Receipts, Payroll)
        - Non-Routine – (Physical Inventory, Calc Depreciation, Adjusting Foreign Currencies)
        - Estimation – Involves Management Judgment and has no precise means of measurement (Allowance for Doubtful Accounts, Warranty Reserves, Assessing Assets for Impairment)
  33. Routine Transactions
      - Typically automated in our ERP systems.
      - IT Dependent
      - Management Reliance on programmed controls
        - Routine Transactions will still have inherent risk if the company fails to enforce “segregation of duties”.
  34. Non-Routine Transactions
      - Generally are manual operations involving management judgment.
      - Accuracy indirectly dependent upon data elements from the computerized process.
      - Management still dependent upon IT to understand the flows of transactions.
  35. Documentation Considerations for Routine and Non-Routine Transactions.
      - Documentation should consider how transactions are initiated, recorded, processed, and reported.
      - Process Models, Flowcharts, Procedure Manuals, Job Descriptions, Documents and Forms should be the foundation documents for these transactions.
  36. Concentrate on Documenting:
      - Major Data Input Sources
      - Important Data Files (customer and price master)
      - Processing Procedures
      - Output files, reports, and records.
      - Functional Segregation of Duties.
        - The Primary Purpose of this Documentation is to help identify where errors or fraud can occur.
  37. Segregation of Duties
  38. Interaction of Significant Accounts and Business Processes
      - ..Interaction of Significant Accounts and Business Processes.xls
  39. What Can Go Wrong
      - Use the prism of Financial Statement Assertions in identifying errors. The assertions are:
        - Existence – of an asset or liability
        - Occurrence – an event took place
        - Valuation – of the transaction at the appropriate amount
        - Completeness – all transactions are recorded
        - Rights and Obligations – legal title exists for the assets.
        - Presentation and Disclosure – a transaction is properly classified and disclosed in the Financial Statements.
  40. What Can Go Wrong Questions
  41. Identify Controls
      - Control Types:
        - Prevent Controls: Procedures designed to prevent an error or fraud. Prevent controls are normally applied at a single transaction level. Many Prevent Controls are programmed controls residing in computer applications if used.
        - Detect Controls: Policies and procedures that are designed to monitor the achievement of the relevant process objectives, including identifying errors or fraud. Detect controls can be applied to groups of transactions.
  42. Considerations for Documenting Controls
      - Documentation of Controls is sufficient when it:
        - Specifies “what can go wrong” in the transaction stream and thus where the controls are needed.
        - Describes the relevant prevent and detect controls that are responsive to the “what can go wrong” question.
        - States who performs the controls.
  43. Validate the Control
      - Through walk-through/audit of the transaction and control steps.
      - Assure all control steps are followed
      - Document the results.
        - Does process need stronger controls?
  44. Outside Resources
      - Most Large Consulting firms are booked supporting the Large and Intermediate size companies for Sarbox Compliance.
  45. Internal Control Project Phases
      - Internal Controls Evaluation
      - Manage Project
      - Internal Controls Enhancement (one or all): Operations, Financial Reporting, Compliance
      - Assure Quality
  46. Becoming Compliant: A Project Approach
      - Plan the Project (2 Phases)
        - Internal Control Evaluation Phase
        - Internal Control Enhancement Phase
      - Define the Project Organization
      - Assess the Control Environment
      - Prepare Project Results
  47. I. Plan Project (Internal Controls Evaluation)
      - Establish a shared vision of the project phase
      - Set objectives and deliverables
      - Define scope - select objective categories
      - Confirm work program, timing, and roles
      - Determine project phase risks, mitigation approach, and expectations
      - Complete project phase arrangements
      - Schedule key date
      - Notify organization
  48. II. Define Project Organization (Internal Controls Evaluation)
      - Determine if both Disclosure Committee and Internal Audit are required
      - Determine if CEO and CFO will also be the Project Management team
      - Establish Project Management Team
      - Select leaders and participants
      - Estimate required time and timing
      - Arrange for the participants’ time and timing
      - Train participants in Sarbanes-Oxley Act, COSO Framework, etc.
  49. II. Define Project Organization (Internal Controls Evaluation)
      - Board/Audit Committee
      - Disclosure Committee
      - Internal Audit
      - CEO and CFO
      - Project Leader(s)
      - Project Team
      - Project Management Team
  50. III. Assess Control Environment
      - Determine project phase scope by looking at the organization’s industry, size, complexity, organization, and locations
      - Define levels of deficiency and weakness
      - Conduct Environment Survey for intangibles:
        - Code of conduct including integrity and ethical values
        - Active compliance program
        - Commitment to competence and training
        - Communicating the importance and awareness of internal controls
        - Management philosophy and operating style
        - Established channels of communication
  51. III. Assess Control Environment (Internal Controls Evaluation)
      - Conduct review of controls, processes and procedures
      - Review design and operating effectiveness and efficiency
      - Determine extent of documentation
      - Assess knowledge and use of controls, processes and procedures
      - Analyze consistently used monitoring
  52. IV. Prepare Phase 1 Project Results
      - Prepare project report
      - Plan next phase
      - Conduct desired meetings
      - Obtain management approval for next phase
  53. 53. Phase 2: Internal Control Enhancement Phase <ul><li>Define scope - select objective categories </li></ul><ul><li>Confirm work program, timing, and roles </li></ul><ul><li>Determine project phase risks, mitigation approach, and expectations </li></ul><ul><li>Schedule key date </li></ul><ul><li>Notify organization </li></ul><ul><li>Select participants </li></ul><ul><li>Estimate required time and timing </li></ul><ul><li>Arrange for the participants’ time and timing </li></ul>Internal Controls Enhancement
  54. 54. Assess Control Risk, Objectives, Processes and Procedures <ul><li>Establish an internal controls data base </li></ul><ul><li>Interview management to identify risks </li></ul><ul><li>Follow normal operations to determine that transactions are handled accurately, completely, fairly, and timely </li></ul><ul><li>Look at one-time and highly judgmental activities for risks </li></ul><ul><li>Determine where management could over-ride controls </li></ul><ul><li>Define control objectives for each risk including authorizing, recording, protecting, and reconciling </li></ul><ul><li>Relate control processes and procedures to control objectives </li></ul>Internal Controls Enhancement
  55. 55. Improve Control Activities, Processes and Procedures <ul><li>Identify control deficiencies and weaknesses </li></ul><ul><li>Identify ineffective control activities, processes and procedures </li></ul><ul><li>Update risks and objectives if there are activities, processes and procedures with no risks or objectives </li></ul><ul><li>Define missing control processes and procedures </li></ul><ul><li>Review with management and obtain approval </li></ul>Internal Controls Enhancement
  56. 56. Enhance Information and Communication Support <ul><li>Determine how computer systems could improve controls </li></ul><ul><li>Design missing system controls </li></ul><ul><li>Implement missing system controls </li></ul><ul><li>Test system controls </li></ul><ul><li>Review non-system communications from and to management and the organization </li></ul><ul><li>Identify and define improvements </li></ul>Internal Controls Enhancement
  57. Test & Monitor Controls <ul><li>Develop an overall internal control test plan </li></ul><ul><li>Prepare the information and activities for the test </li></ul><ul><li>Perform the test using the people with the ongoing responsibility for monitoring </li></ul><ul><li>Make adjustments as necessary </li></ul><ul><li>Expand the tests to cover all the areas within scope </li></ul><ul><li>Develop a plan for ongoing monitoring and reporting </li></ul>
  58. Project Management <ul><li>Activities: </li></ul><ul><li>Management Project Team Meetings </li></ul><ul><li>Team Meetings </li></ul><ul><li>Process Tracking </li></ul><ul><li>Status Reporting </li></ul><ul><li>Key Deliverables: </li></ul><ul><li>Project Plan & Budget </li></ul><ul><li>Action Items </li></ul><ul><li>Issues Log </li></ul><ul><li>Status Reports </li></ul><ul><li>Benefits: </li></ul><ul><li>Informed Project Management </li></ul><ul><li>Teamwork </li></ul><ul><li>Focused Team Members </li></ul><ul><li>Consistent Team Mindset </li></ul><ul><li>Financial and Timeline Tracking </li></ul><ul><li>Executive knowledge and buy-in </li></ul>
  59. Using MFG/PRO to Comply with Sarbanes-Oxley <ul><li>MFG/PRO assists in supporting the internal control environment. </li></ul><ul><li>It does not in itself make the company compliant with Sarbanes-Oxley. </li></ul><ul><li>Utilizing the software functionality can assist in establishing “Prevent” Controls. </li></ul>
  60. MFG/PRO Security <ul><li>A proper security profile for your company will assist the internal control environment in establishing “segregation of duties”. </li></ul>
  61. MFG/PRO Security Examples in the Purchasing Cycle <ul><li>Assume there are 4 Groups: </li></ul><ul><ul><ul><li>Purchasing, Receiving, AP, and Cash Disbursement </li></ul></ul></ul><ul><li>Access to 2.3.1 Supplier Maintenance and 5.7 PO Maintenance – Purchasing Group Only </li></ul><ul><li>Access to 5.13.1 PO Receipts – Receiving Group Only </li></ul><ul><li>Access to 28.1 Voucher Maintenance – AP only </li></ul><ul><li>Access to 28.9.9 Payment Automatic Checks – CD Group Only </li></ul>
  62. MFG/PRO Revenue Cycle <ul><li>Assure Proper cutoff of Shipments at month end. Use Calendar Maintenance to prevent backdating of transactions. </li></ul><ul><li>Assure Proper Pricing of Orders and Invoices – Utilize Price tables. </li></ul><ul><li>Ensure Credit Decisions are controlled outside of the Selling origination - Use Credit Hold Functionality. </li></ul>
  63. MFG/PRO Purchasing Cycle <ul><li>Assure all Purchase Orders are Authorized – Global Requisitions. </li></ul><ul><li>Assure Accurate Pricing – Review Purchase Price Variance Report (5.13.5). </li></ul><ul><li>Assure receipts are completed in the proper period (proper Cutoff through Calendar Maintenance). </li></ul>
  64. Fixed Assets <ul><li>Assure Proper Accounting for CIP versus Expenses. (QAD does not have any inherent prevent controls for this condition. However, an Audit of CIP Projects may discover incorrectly coded transactions to the projects.) </li></ul><ul><li>Physically Control Fixed Assets - Assign Asset Custodians, Tag Numbers and Asset Locations </li></ul><ul><ul><li>– Fixed Asset Maintenance. </li></ul></ul><ul><li>Conduct Physical Inventory of Fixed Assets – Complete Asset Disposal and Transfer Transactions. </li></ul><ul><li>Properly Depreciate Fixed Assets. </li></ul>
  65. Inventory Control <ul><li>Eliminate Uncontrolled Transactions – Unplanned Issues and Unplanned Receipts. </li></ul><ul><li>Accurately State your Standards – Income should not be based on favorable PPV. </li></ul><ul><li>Record Shipments in the Proper Period (Backdating Shipments may have criminal implications). </li></ul><ul><li>Use Cycle Counting instead of Physical Inventory. </li></ul><ul><li>Write Off Excess and Obsolete inventory - Inventory is not a Fixed Asset. </li></ul>
  66. Financial Reporting <ul><li>Module integration to General Ledger should be a priority. </li></ul><ul><li>Eliminate manual feeds to your GL. </li></ul><ul><li>Use the Native General Ledger Report Writer for Financial Reporting – Eliminate off-line Excel financial reporting. This means you, Controllers. </li></ul><ul><li>Load Budgets and report against them. </li></ul><ul><li>Load Cost Center Budgets and report against them. </li></ul>
  67. What Can You Do? <ul><li>Complete Upgrade to Latest Version of software to take advantage of New Functionality. </li></ul><ul><li>Complete Process Re-Engineering in concert with Upgrade, consistent with Internal Control Objectives. </li></ul><ul><li>Document the controls, test the controls. Be Ready! </li></ul>
  68. Opportunity <ul><li>Documentation of Sarbanes-Oxley Assists the Company in Supporting: </li></ul><ul><ul><li>Compliance & Control </li></ul></ul><ul><ul><li>Accurate Financials </li></ul></ul><ul><ul><li>Increased Efficiency </li></ul></ul>
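
An added example, not part of the original slides and not MFG/PRO code: a Python check that applies the menu-to-group rule from slide 61 (MFG/PRO Security Examples in the Purchasing Cycle) to an access listing and reports users whose menu access crosses duties. The user ids and the layout of the access listing are constructed assumptions.

```python
"""Segregation-of-duties check for the purchasing-cycle menus on slide 61."""

# Menu number -> the only group allowed to run it (taken from slide 61).
MENU_OWNER = {
    "2.3.1":  "Purchasing",         # Supplier Maintenance
    "5.7":    "Purchasing",         # PO Maintenance
    "5.13.1": "Receiving",          # PO Receipts
    "28.1":   "AP",                 # Voucher Maintenance
    "28.9.9": "Cash Disbursement",  # Payment Automatic Checks
}

# Constructed sample data: user -> (assigned group, menus granted).
# User ids and this layout are assumptions, not real MFG/PRO output.
SAMPLE_ACCESS = {
    "jsmith": ("Purchasing", {"2.3.1", "5.7"}),
    "mlee":   ("Receiving", {"5.13.1", "5.7"}),
    "apatel": ("AP", {"28.1", "28.9.9", "2.3.1"}),
    "rcash":  ("Cash Disbursement", {"28.9.9"}),
}


def find_sod_violations(access):
    """Return {user: sorted [(menu, owning_group), ...]} for every grant
    that reaches a menu owned by a group other than the user's own."""
    violations = {}
    for user, (group, menus) in access.items():
        crossed = sorted(
            (menu, MENU_OWNER[menu])
            for menu in menus
            if menu in MENU_OWNER and MENU_OWNER[menu] != group
        )
        if crossed:
            violations[user] = crossed
    return violations


def duties_held(access, user):
    """Set of purchasing-cycle duties one user can perform."""
    _, menus = access[user]
    return {MENU_OWNER[m] for m in menus if m in MENU_OWNER}


if __name__ == "__main__":
    for user, crossed in find_sod_violations(SAMPLE_ACCESS).items():
        held = ", ".join(sorted(duties_held(SAMPLE_ACCESS, user)))
        print(f"{user}: holds duties [{held}]")
        for menu, owner in crossed:
            print(f"  menu {menu} is reserved for {owner}")
```

A user such as the constructed "apatel", who can maintain suppliers, enter vouchers and issue checks, is the combination the slide's group assignments are meant to prevent.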