Financial Management Consulting

13. SOX Documentation and Requirement

4. A statement that the external auditor has issued an attestation report on management's assessment.

6. Safeguarding - Assets are adequately safeguarded from misappropriation or use.
7. Segregation of Duties - Authorization, custody, recording, and controlling are adequately segregated.

Control 1: The VMM can only create / change the master vendor file based on approved forms, and the VMM then double-checks the creation / change.
Control 2: The VMM runs the SAP vendor master change log and new vendor creation change log weekly, then the deputy of the VMM checks the change log against the approved application form.

Control 1: Sales staff update SAP based on the approved SAP Customer creation / change form, with the customer's name, address, telephone no., fax no., proposed payment terms and order amount, when opening a new customer account.
Control 2: Sales staff run the SAP customer master change log and new customer creation change log weekly, then the deputy of the sales staff checks the change log against the approved Customer creation / change form.

Control 1: The company follows the group policy and country policy.
Control 2: Before engaging in each hedging transaction, the accounting manager reviews and confirms whether the transaction complies with the group policy - when a PO is in place, it should be hedged.

Then the FC approves the transaction in accordance with the approved Group hedging policy.

Control 1: SAP has required entry fields to remind the VMM to fill in all necessary information.
Control 2: The VMM runs the SAP vendor master change log and new vendor creation change log weekly, then the deputy of the VMM checks the change log against the approved application form.

Key Controls Example (Purchasing & AP Process)

Control 1 - All purchase orders are authorized by the purchase manager.
Control 2 - All purchase orders are sequentially numbered and entered into SAP.
Control 3 - Goods received are inspected and received into the store; a Goods Received Note (GRN) is prepared and signed by the storekeeper and entered in SAP.
Control 4 - Invoices are received by the SSC, who check authorization of purchase, details of goods ordered, material received, details and pricing on the invoice before releasing payment (Three point matching).

All these are important controls that must be documented and evaluated.
This is a Key Control, which when tested will give you the comfort that all the 4 controls are operating effectively.

Purchasing and Accounts Payable Controls

Deficiencies

Design Deficiencies
1. A control necessary to address a financial reporting risk is missing.
2. An existing control is not properly designed so that, even if the control operates as designed, the financial reporting risk may not always be addressed.

Operating Deficiencies
For an existing control that is properly designed, the responsible staff intentionally or unintentionally do not follow the designed control procedure during operation, so the financial reporting risk may not be addressed.

Controls will be assessed twice; once for design effectiveness and once for operational effectiveness. If either assessment leads to the conclusion that the control is not working, an action plan must be developed.

[Flowchart. Steps: Document control; Test control; Update deficiency log and develop an action plan; Entity will continue to monitor control effectiveness. Decision points (Yes / No): Is control designed effectively? Is control operating effectively? Other labels: Test of Control; Remedied.]

Assessment techniques (with explanation and whether the technique is "SOX Proof"; side label: Level of comfort)

Re-performance: Ascertain if the control is effective by repeating the control activity. "SOX Proof": Yes
Examination: Ascertain if the control is effective by inspecting evidence (records, documents, reports etc.) that the control activity has been performed properly. "SOX Proof": Yes
Observation: Ascertain if the control is effective by watching it being performed by the relevant personnel. "SOX Proof": No
Inquiry: Ascertain if the control is effective by asking questions to the relevant personnel. "SOX Proof": No

[Figure: Process Template, with columns RISKS, CONTROLS and KEY CONTROLS]

Control type: Reconciliation and Cut-off control
Assessment instruction: Trace the reconciling totals to the source or supporting document. Review the reconciling items for reasonableness.
Example: Bank reconciliation: Trace the GL cash balance and the bank statement balance to the source document. Review the reconciling items for items more than 3 months old and for unusually large amounts.

Control type: Compliance with policies and procedures and Education and training
Assessment instruction: This is usually covered by interview with relevant personnel followed by a review of evidence that the control was performed.
Example: Upon resignation or retirement, an employee exit checklist is completed to ensure that necessary properties are returned, access to the company is cancelled and payroll is informed accordingly. This can be reviewed by reviewing an employee file for evidence of the checklist.

Control type: Verification or vouching and Arithmetic accuracy
Assessment instruction: This is usually done by re-performance of the control activity. That is, perform exactly the same checks done by the control executor.
Example: To test the 3 way match of supplier invoice. Perform the 3 way match for the sample selected, ensuring the match for supplier ID and name, description of goods purchased, quantity and price.

Control type: Review and Authorisation
Assessment instruction: This is usually done by looking for evidence of review or authorisation.

Control type: Segregation of duties
Assessment instruction: This is usually done by interviewing the relevant manager of the function, supported by observation of the actual activity. For segregation enforced by the system, testing can be done by reviewing a list of user access generated from the system.

Control type: Physical access control
Assessment instruction: This is usually done by interviewing the relevant manager of the function, supported by observation of the actual activity.

Control type: IT configuration or programmed control
Assessment instruction: This can usually be tested by a systems walkthrough.

Control type: IT access control
Assessment instruction: This can usually be tested by reviewing a list of user access generated from the system.

have been achieved.

Note: If the sample size available is less than the targeted sample size, the sample should be 100% of the available population.

[Process diagram. Phases: Documentation; Execution; Assessments; Reporting & sign-off. Steps:]
A. Document sub-processes
B. Document Risks & Controls
C. Execute Controls
D. Assess Controls
E. Assess Risks
F. Report & sign-off
G. Audit & final sign-off
H. Filing to SEC and archive

Threshold in Millions of U.S. Dollars / Minimum Account Coverage
25.0 / a
5.0 / 60%
2.0 / 60%
2.0 / 60%
0.5 / 60%
a. Minimum account coverage achieved through the selection of significant locations.

Level: Group; Sub-reporting Unit; Location; Class of Transactions; Reporting Unit

Reporting Unit - Minimum Account Coverage Balance: 3
Sub-reporting Unit 1 - Account balance: 2.1 (a)
Sub-reporting Unit 2 - Account balance: 0.8 (b)
Sub-reporting Unit 3 - Account balance: 0.7 (b)
Sub-reporting Unit 4 - Account balance: 0.6
Other Sub-reporting Units - Account balance: less than 0.6
a. Significant Accounts identified by thresholds
b. Significant Accounts identified by minimum coverage

[Figure. Axes: Magnitude of Account; Likelihood of Misstatement. Labels: Remote ( or = 5% of Occurrence); Threshold; Significant Accounts; Insignificant Accounts; Possible Significant Accounts - Consider Qualitative Factors]

Factor / Assessment Criteria
Quantitative Factor - Size and composition of account: Prior year end actual results and current year end forecast in excess of established threshold or not in excess of established threshold
Qualitative Factors - Nature of account (for example, suspense accounts generally warrant greater attention)

Routine, Non-routine, or Estimation
Volume of activity processed: Low or High

• The execution of control activities should be the part of the day to day business activities performed by the relevant personnel.
• In this step, we perform a gap analysis between the control activities in step B and C. Develop action plan to implement missing control activities.

• The execution of the control activities needs to be reviewed on a regular basis to ensure that the control activities are effective.
• The assessment should be performed by someone independent of the execution of the control.

Example: To continue from the previous example,
Control assessor: AP manager
Assessment instruction: Select 3 items for payment. Trace to supplier invoice, review for evidence of receipt of goods (goods received notes) or services (acknowledgement by recipient).
Assessment frequency: Quarterly
