Module 6 Documenting Processes and Controls



Similar documents
AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS:

Internal Control Questionnaire and Assessment

Risk Assessment Standards Toolkit. Practical Guidance in Implementing SFAS

Audit of the Test of Design of Entity-Level Controls

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.

Enterprise Risk Management

Guide to Internal Control Over Financial Reporting

4 Testing General and Automated Controls

How To Audit A Financial Statement

MNsure Compliance Program Strategic Plan. December 17, 2014

Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS.

Transmittal Letter Objectives and Scope Approach Financial System Permitting Application... 9

Guidance Note: Corporate Governance - Board of Directors. March Ce document est aussi disponible en français.

Report on Inspection of PricewaterhouseCoopers LLP (Headquartered in New York, New York) Public Company Accounting Oversight Board

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 240 THE AUDITOR S RESPONSIBILITY TO CONSIDER FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS CONTENTS

[RELEASE NOS ; ; FR-77; File No. S ]

Control Environment Questionnaire

Antifraud program and controls assessment grid*

GUIDANCE FOR MANAGING THIRD-PARTY RISK

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition

An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Domain 1 The Process of Auditing Information Systems

AUDITING A BCP PLAN. Thomas Bronack Auditing a BCP Plan presentation Page: 1

IFAD Policy on Enterprise Risk Management

Fraud Checklist. From the enquiries made and procedures performed in completing Part B of this checklist we consider the risk of irregularities to be

Internal Controls and Financial Accountability for Not-for-Profit Boards NEW YORK STATE OFFICE. of the ATTORNEY GENERAL.

Internal Controls over Financial Reporting. Integrating in Business Processes & Key Lessons learned

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

TECK RESOURCES LIMITED AUDIT COMMITTEE CHARTER

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES

Standards for Internal Control

Vendor Management Best Practices

TENET HEALTHCARE CORPORATION S QUALITY, COMPLIANCE AND ETHICS PROGRAM CHARTER. Updated May 7, 2014

February Sample audit committee charter

February 2001 HEADS OF DEPARTMENTS AND AGENCIES

How To Maintain An Effective System Of Internal Control Over Financial Reporting

11/12/2013. Role of the Board. Risk Appetite. Strategy, Planning and Performance. Risk Governance Framework. Assembling an effective team

Fraud-Related Compliance

[300] Accounting and internal control systems and audit risk assessments

Relevant COSO Principles. Policies and procedures are maintained. Policies and Procedures. Roles and responsibilities are identified

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

STATEMENT OF AUDITING STANDARDS 300 AUDIT RISK ASSESSMENTS AND ACCOUNTING AND INTERNAL CONTROL SYSTEMS

Get More Out of Your Risk Assessment. Austin Chapter of the IIA

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 315

COSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting

IT Governance. What is it and how to audit it. 21 April 2009

Communicating Internal Control Related Matters Identified in an Audit

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

Fraud and Role of Information Technology. September 2008

Third-Party Risk Management for Life Sciences Companies

ASAE s Job Task Analysis Strategic Level Competencies

STANDING ADVISORY GROUP MEETING

How To Audit A Company

Internal Controls. A short presentation from Your Internal Audit Department

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014

FINANCIAL MANAGEMENT POLICIES AND PROCEDURES

Tom J. Hull & Company Type 1 SSAE

INTERNATIONAL STANDARD ON AUDITING (UK AND IRELAND) 240 THE AUDITOR S RESPONSIBILITIES RELATING TO FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

Sample Financial institution Risk Management Policy 2011

PHASE 3: PLANNING PHASE

Summary of Internal Control-Integrated Framework by COSO:

EURIBOR - CODE OF OBLIGATIONS OF PANEL BANKS

SunTrust Banks, Inc. Audit Committee of the Board of Directors Charter

ORDINANCE AN ORDINANCE ESTABLISHING INTERNAL CONTROL STANDARDS AND ESTABLISHING A MATERIALITY THRESHOLD

RISK MANAGEMENT AND COMPLIANCE

PHASE 3: PLANNING PHASE

Developing Effective Internal Controls Using the COSO Model

Instructions for Completing the Information Technology Officer s Questionnaire

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

A Risk-Based Audit Strategy November 2006 Internal Audit Department

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

IPPF Practice Guide. the control environment

GAO INFORMATION SECURITY. Weak Controls Place Interior s Financial and Other Data at Risk. Report to the Secretary of the Interior

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment

State University of New York Charter Renewal Benchmarks Version 5.0, May 2012

White Paper: The Seven Elements of an Effective Compliance and Ethics Program

COSO Internal Control Integrated Framework (2013)

Report on Inspection of PricewaterhouseCoopers LLP. Public Company Accounting Oversight Board

Managing Risk at Bank of America Corporation. Overview

Sarbanes-Oxley Compliance Workbook. From Zero to SOX. Sarbanes-Oxley Compliance Workbook. sensiba san filippo

FCPA 10 Hallmarks Self- Assessment

CITY OF BURLINGTON COSO FRAMEWORK & COMPLIANCE

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

Assessing the Adequacy and Effectiveness of a Fund s Compliance Policies and Procedures. December 2005

California ISO Audit of the Financial Statements for the Year Ending December 31, 2015 December 18, 2015

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards

AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL

INTERNAL AUDIT MANUAL

engage ERM ADVISORY Insurer Management Risk Committee Practices

RISK ASSESSMENT CHECKLIST

Framework for Enterprise Risk Management

FINANCIAL POLICIES ADMINISTRATION AND FINANCE

Standards for the Professional Practice of Internal Auditing

CISM (Certified Information Security Manager) Document version:

FRAUD RISK ASSESSMENT

Consideration of Fraud in a Financial Statement Audit

Transcription:

A logical place to begin any comprehensive evaluation of internal controls is at the top entity-level controls that might have a pervasive effect on the organization. This includes a consideration of factors in each of the five components of internal control that can have a pervasive effect on the risks of errors or fraud (i.e., control environment, risk assessment, information and communication, control activities, and monitoring). Documenting and evaluating internal control at the entity level does not by itself provide a complete perspective of internal control of an entity. However, it is an important starting point because the assessment of entity-level controls particularly when weaknesses are identified can have a significant effect on the overall assessment of the effectiveness of internal controls and procedures for financial reporting. This questionnaire provides points to consider for each of the five components of internal control as part of documenting an organization's entity-level controls. These considerations serve as a guide to help gain an understanding of the culture and operating style of the agency. These points are not all-inclusive, and not all the points listed will apply to every entity. While a no response to an individual point does not necessarily mean that the entire component is ineffective, a no response should heighten awareness to potential weaknesses in internal control and indicate areas where management should focus attention. Note: This questionnaire is not required, but merely included as a guide for considering entity-level controls. Control Environment Does management show concern for integrity and ethical values? Is there a code of conduct and/or ethics policy and has it been adequately communicated? Is management s commitment to integrity and ethical behavior communicated effectively throughout the organization, both in words and deeds? Does management lead by example? Are those in top management hired from outside made familiar with the importance of high ethics and controls? Does management take appropriate disciplinary action in response to departures from approved policies and procedures or violations of the code of conduct? Do rewards, such as bonuses, foster an appropriate ethical tone (i.e., not given to those who meet objectives but, in the process, circumvent established policies, procedures, and controls?) Is the management structure appropriate (i.e., not dominated by one of a few individuals) and is there effective oversight? Is there a mechanism in place to regularly educate and communicate to management and employees the importance of internal controls, and to raise their level of understanding of controls? Does management give appropriate attention to internal control, including the effects of information systems processing? Does management set realistic financial targets and expectations for operating personnel? Do personnel appear to have the competence and training necessary for their assigned level of responsibility or the nature and complexity of the entity s business? Does management possess broad functional experience (i.e., management comes from several functional areas rather than from just a few)? Does management demonstrate a commitment to provide sufficient accounting and financial personnel to keep pace with the growth and/or complexity of the business environment? 1

Are there standards and procedures for hiring, training, motivating, evaluating, promoting, compensating, transferring, and terminating personnel that are applicable to all functional areas (e.g., accounting, information systems)? Are there screening procedures for job applicants, particularly for employees with access to assets susceptible to misappropriation? Are policies and procedures clear and are they issued, updated, and revised on a timely basis? Are there written job descriptions, reference manuals or other forms of communication to inform personnel of their duties? Has management prepared strategic plans for IT that align business objectives with IT strategies? Does the planning approach include mechanisms to solicit input from relevant internal and external stakeholders affected by the IT strategic plans? Does the IT organization communicate its IT plans to business process owners and other relevant parties across the organization? Does IT management communicate its activities, challenges and risks on a regular basis with the CEO and CFO? Is this information also shared with the board of directors? Does the IT organization monitor its progress against the strategic plan and react accordingly to meet established objectives? Do IT managers have adequate knowledge and experience to fulfill their responsibilities? Have relevant systems and data been inventoried and their owners identified? Are roles and responsibilities of the IT organization defined, documented and understood? Do IT personnel understand and accept their responsibility regarding internal control? Have data integrity ownership and responsibilities been communicated to appropriate data/business owners and have they accepted these responsibilities? Has IT management implemented a division of roles and responsibilities (segregation of duties) that reasonably prevents a single individual from subverting a critical process? Has the IT organization adopted and promoted the entity s culture of integrity management, including ethics, business practices and human resources evaluations? Does IT management provide education and ongoing training programs that include ethical conduct, system security practices, confidentiality standards, integrity standards and security responsibilities of all staff? Risk Assessment Are key elements of the entity s strategic plan communicated throughout the entity so all employees have a basic understanding of the entity s overall objectives? Is a process in place to periodically review and update entity-wide strategic plans? Does the entity-wide strategic plan include IT or is there a separate IT strategic plan that addresses the technology needs of the entity to effectively and efficiently meet its strategic plan? Does internal audit (or another group within the entity) perform a periodic (at least annual) risk assessment? If yes, does management review the risk assessment and consider actions to mitigate the significant risks identified? 2

Are budgets/forecasts updated during the year to reflect changing conditions? Does the accounting department have a process in place to identify and address changes prescribed by GASB, as well as for approving changes in accounting made to address such changes? Are there processes to verify the accounting department is made aware of changes in the operating environment so they can review the changes and determine what, if any, effect the change may have on the entity s accounting practices? Are there processes to verify the accounting department is aware of significant transactions so they can determine whether such transactions are appropriately accounted for and disclosed? Does the IT organization have an entity- and activity-level risk assessment framework that is used periodically to assess information risk to achieving financial reporting objectives? Does it consider the probability and likelihood of threats? Does the IT organization s risk assessment framework measure the impact of risks according to qualitative and quantitative criteria, using inputs from different areas including, but not limited to, management brainstorming, strategic planning, past audits and other assessments? Where risks are considered acceptable, is there formal documentation and acceptance of residual risk with related offsets, including adequate insurance coverage, contractually negotiated liabilities and selfinsurance? Where risks have not been accepted, does management have an action plan to implement risk response? Information and Communication Is the entity able to prepare accurate and timely financial reports, including interim reports? Does management receive sufficient and timely information to allow it to fulfill its responsibilities? Is there a sufficient level of coordination between the accounting and information systems processing functions/departments? Are there appropriate policies for developing and modifying accounting systems and controls (including changes to and use of computer programs and/or data files)? Are there significant applications or transactions that are executed /processed by service organizations? If yes, has management documented the relevant controls at the service organization, the entity, or both that mitigate the risk of errors? Are there defined responsibilities for individuals responsible for implementing, documenting, testing and approving changes to computer programs that are purchased or developed by information systems personnel or users? Is there a current disaster recovery plan for the significant components of the IT infrastructure? Is there a business continuity plan that incorporates the disaster recovery plan and end-user department needs for timely recovery of critical business functions, systems, processes and data? Are the lines of authority and responsibility (including lines of reporting) within the organization clearly defined and communicated? Are there written job descriptions and/or reference manuals that describe the duties of personnel? Are policies and procedures established for and communicated to personnel at decentralized locations? Is there a process for employees to communicate improprieties? Is the process well communicated throughout the entity? Does the process allow for anonymity for individuals who report possible 3

improprieties? Does IT management periodically review its policies, procedures and standards to reflect changing business conditions? Does IT management have a process in place to assess compliance with its policies, procedures and standards? Control Activities Are accounting and closing practices followed consistently at interim dates (e.g., quarterly, monthly) throughout the year? Is there appropriate involvement by management in reviewing significant accounting estimates and support for significant unusual transactions and non-standard journal entries? Is there a budgetary system? Does management review key performance indicators (e.g., budget, profit, financial goals, operating goals) regularly (e.g., monthly, quarterly) and identify significant variances? Does management then investigate the significant variances? Is there an appropriate segregation of duties (e.g., separation of accounting for and access to assets, IT operations function separate from systems and programming, database administration function separate from application programming and systems programming)? Are organizational charts reviewed to verify proper segregation of duties exist? Are there processes to periodically (e.g., quarterly, semi-annually) review system privileges and access controls to the different applications and databases within the IT infrastructure to determine if system privileges and access controls are appropriate? Has management established procedures to periodically reconcile physical assets (e.g., cash, receivables, inventories, property and equipment) with related accounting records? Are controls in place over dial-up access to the organization s computer resources (e.g., firewalls; centralized directories to store and manage user identities and resource privileges; automated policybased request, approval, and fulfillment process for enterprise access)? Is critical computer data backed up daily and stored off-site? Monitoring Are procedures in place to monitor when controls are overridden and to determine if the override was appropriate? Are policies and procedures in place to assure that corrective action is taken on a timely basis when control exceptions occur? Does management respond timely and appropriately to the findings and recommendations of the auditors? Internal audit? Are the results of internal audit activities reported to management and/or appropriate parties? Does the internal audit department develop an annual plan that considers risk in determining the allocation of resources? Is documentation created and maintained for significant IT process, controls and activities? 4

Does a quality plan exist for significant IT functions (e.g., system development and deployment) and does it provide a consistent approach to address both general and project-specific quality assurance activities? Has IT management established appropriate metrics to effectively manage the day-to-day activities of the IT department? Does IT management monitor IT s delivery of services to identify shortfalls and does IT respond with actionable plans to improve? Does IT management obtain independent reviews of its operations, including policies, procedures, overall IT systems and processes, and do they assess adherence to those policies and procedures? Does the organization have an IT internal audit that is responsible for reviewing IT activities and controls, including general and application controls? Is there a follow-up process for residual actions? Is there a mechanism to allow monitoring of internal control of third-party service providers? 5

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information