Relevant COSO Principles. Policies and procedures are maintained. Policies and Procedures. Roles and responsibilities are identified

Size: px

Start display at page:

Download "Relevant COSO Principles. Policies and procedures are maintained. Policies and Procedures. Roles and responsibilities are identified"

Isabella Morgan
8 years ago
Views:

1 Accountability is unable to govern service processes No consistent or communicated policies procedures structure is inadequate Policies procedures are maintained Roles responsibilities are identified Policies Procedures Authority Responsibility Company Stards are established communicated: Quality Hbook, Procedures, Rules, Directives structure is under the supervision of the Board: Job descriptions, Roles Responsibilities, Nomination Records has no specific responsibility takes responsibility s Philosophy Operating Style are clearly articulated supported by attitude: Quality Hbook, Actions Lack of skilled staff Recruitment compensation planning Human Resources Directed by under Board supervision: Actions, Job Descriptions Competency Staff is unable to perform tasks Staff do not know proper procedures Staff members are continually informed Internal Communication Policies Procedures, Rules, Directives, Templates are available via intranet, Periodic Staff is provided by. Frequent regulatory changes Adequate training sources are determined used Human Resources Internal external trainings are organized by : Training Plan, Training Records, Skill Assessment Reports for Memolux Payroll Services,

descriptions, Roles Responsibilities, Nomination Records has no specific responsibility takes responsibility s Philosophy Operating Style are clearly articulated supported by attitude: Quality Hbook,

2 s are out of date or missing of payroll settings calculations Internal Payroll settings are verified at start-up revised by independent staff member (yearly at any midyear regulatory or significant system change): Repository, Triggers, Review Reports Accuracy Results are inconsistent errors are frequent Recurring errors are not always identified or known No process of prevention correction s are in place to stop errors fraud Evaluate metrics execute corrective actions Deficiencies, Fraud Risks, Deficiencies Assessments of rout-causes behind recurring errors, potential fraud incentives control override cases are performed the necessary corrective actions are taken evaluated by : Assessment Reports, Corrective Actions, Review Reports Inputs outputs of each payroll cycle are checked validated by other staff member, errors are hled either during the payroll cycle or in next period. All errors identified after completing the concerning payroll cycle are reported to : Payroll Cycle Checklists, Corrective Actions, Deficiency Reports Process control Process performance is wholly dependent on key staff Same staff perform all tasks No segregation of duties of payroll amendments adjustments Segregation of duties, tasks verifications All amendments adjustments are performed based on written orders (either from Clients or from reviewers): Change Requests Payroll cycle check verification has to validate these changes: Payroll Cycle Checklists, Deficiency Reports Duties, tasks, deadlines verifications are documented including Clients duties: Service Level Agreements or similar written documentation agreed with Clients (Payroll Processing Manual, Timetables, etc.) for Memolux Payroll Services,

are in place to stop errors fraud Evaluate metrics execute corrective actions Deficiencies, Fraud Risks, Deficiencies Assessments of rout-causes behind recurring errors, potential fraud incentives

3 No independent verification or reliable checks of financial disbursements Stard or agreed Client-specific payment verification procedure is used: Payment Verification Reports If paying service is included, financial tasks are performed by independent process staff: Paying service documents Poor security open system access Staff have restricted access for their job Policies Procedures Security Procedure Directives (including both physical electronic access to workplace infrastructure) are maintained communicated by : Security Procedure, Directives Security Unauthorized access to highly confidential data Lack of data control secure backup Failure to monitor react to incidents Active security policies procedures are in place Access is continually monitored Technology Ongoing Separate Evaluations, Deficiencies IT general application controls are applied: Quality Hbook, IT Procedures, IT Repository, IT Reports Data of physical electronic access to workplace infrastructure are continuously monitored by independent staff, access deficiencies are reported to : Security Alarms, Security Deficiency Reports, Actions for Memolux Payroll Services,

Procedure Directives (including both physical electronic access to workplace infrastructure) are maintained communicated by : Security Procedure, Directives Security Unauthorized access to highly

4 Continuity Interruption of information communication systems System features of regulatory changes or client requests are not available Disability of information communication infrastructure Unusable office environment Mature inhouse IT unit Readiness for changing to manual processes is established Disaster recovery plan is maintained Technology IT general controls are applied for development maintenance of Systems: Quality Hbook, IT Procedures, IT Repository, IT Reports Alternative manual payroll process is maintained: Payroll Processing Manual maintains tests processes infrastructure for outside operation: Disaster Recovery Plan, Test Reports Efficiency Inefficient usage of resources Inadequate structures for operation reporting maintains organizational structure reporting lines Organizational Structure Yearly revision by the Board: Organizational Charts, Lines for Memolux Payroll Services,

maintenance of Systems: Quality Hbook, IT Procedures, IT Repository, IT Reports Alternative manual payroll process is maintained: Payroll Processing Manual maintains tests processes infrastructure

5 Performance measurement doesn t provide sufficient information Measurement of operational financial performance is evaluated Ongoing Separate Evaluations Measurement process tools are evaluated (at least yearly) by : Directives In case of special contractual requirements, additional service performance metrics are defined, collected evaluated: Service Performance Metrics Necessary corrective actions are not taken in time oversees performance deficiencies actions taken Deficiencies Operational financial performance metrics are evaluated monthly by : Performance Metrics, Financial Reports The Board oversees Actions. Client dissatisfaction Client relationship management External Communication Clients are asked monthly to perform satisfaction survey. evaluates deficiencies provides feedback: Client Satisfaction Surveys, Reports Sustainability Unbalanced cash flow Underpriced service operation Default of paying Contract maintenance Enforcement procedures Policies Procedures Stard contract templates include price-negotiating contract modification terms: Contracting Procedure, Contract Templates Late payment of Clients are continuously monitored by the finance department, takes (if necessary legal) actions to arrange payments: Bad Dept Reports, Enforcement Letters for Memolux Payroll Services,

actions are not taken in time oversees performance deficiencies actions taken Deficiencies Operational financial performance metrics are evaluated monthly by : Performance Metrics, Financial Reports

6 Indemnities liability related to service performance Insurance cash flow management Integration with Risk Assessment contracts with recognized insurance companies for covering indemnities liabilities. Coverage limits fees are confirmed by the Board: Insurance Contracts Recognition Noncompliance with regulatory or qualification requirements Qualified opinion by external audit Changes of qualification requirements have serious business impact Oversight of control selfassessment improvement program Board level acceptance or refusal Oversight Board Board makes decisions about approval of external qualification requirements, provides necessary resources for control self-assessment improvement programs to achieve clear audit opinions: Self-Assessment Improvement Programs, Qualification/Audit Reports Risk Assessment Board decisions are supported by Cost vs. Benefit Analysis. Competitiveness Loosing market Market needs are not respected Improvement of service features are considered Integration with Risk Assessment assesses service improvement potentials maintains Service Improvement Program to increase competitiveness. Poor visibility on the market Planning of marketing sales activities maintains Sales Improvement Program to increase visibility on the market. for Memolux Payroll Services,

qualification requirements have serious business impact Oversight of control selfassessment improvement program Board level acceptance or refusal Oversight Board Board makes decisions about approval

7 Business objectives are not reflecting to the changes of economic environment Board oversees business objectives Risk Assessment Business related Risk Process are (min. twice a year) assessed by the Board. for Memolux Payroll Services,

Assessment Business related Risk Process are (min.

Office of the State Controller. Self-Assessment of Internal Controls. Computer Security Cycle. Objectives and Risks

Office of the State Controller Self-Assessment of Internal Controls Computer Security Cycle Objectives and Risks Agency Year-End Objectives Risks Definition and communication of organizational structure,