SELF-ASSESSMENT ON INTERNAL CONTROLS REPORT

flutheronioneyed, Software & software engineering

13 Dec 2013 (3 years and 10 months ago)











COMPANY XYZ FINANCE DIVISION


DATE








Source: KnowledgeLeader

http://www.knowledgeleader.com


I. COMPANY BACKGROUND

(Insert Company XYZ background information)

II. SELF-ASSESSMENT OBJECTIVE AND SCOPE

The purpose of this self-assessment initiative was to evaluate the effectiveness of the design of internal controls for Company XYZ’s operations and budget process as of (insert date) per the recommendation documented in the (insert date) internal audit report.

Based on the requirements of the internal audit report, the scope for the self-assessment was defined to include entity level controls and key financial reporting controls in the following process areas: accounts payable and travel expenses; billings, accounts receivable, collections; payroll; budgeting; fixed assets; financial reporting; and information technology general control processes.

The self-assessment was facilitated through the use of an entity-level control (ELC) questionnaire completed by management and internal control questionnaires (ICQs). Information was obtained from the process owners for each of the in-scope processes. During the self-assessment process, the finance division coordinated with X to review process documentation and self-assessment questionnaires.

The ICQs were independently validated by “walk-through” exercises conducted by senior members of the finance division. The purpose of the walk-throughs was to verify the existence of controls documented in the questionnaires and to assess the effectiveness of the control design. The walk-through did not constitute a test of internal controls; thus a conclusion on the operating effectiveness of internal controls is not within scope of this self-assessment.

III. SELF-ASSESSMENT APPROACH

Following is a brief summary of our self-assessment approach:

- Finance division developed ICQs for each of the process areas included in the scope of the assessment, leveraging Institute of Internal Audit (IIA) concepts and the Committee of Sponsoring Organizations (COSO) and Control Objectives for Information Technology and Related Technology (COBIT) frameworks to identify relevant control objectives and related control activities;
- Company XYZ’s internal audit division reviewed final drafts of the ICQs prior to distribution to process owners;
- Finance division conducted self-assessment training with applicable business process owners, introducing the ICQs, providing guidance, and establishing timeframes and expectations;
- Business process owners completed ICQs;
- Senior members of the finance division conducted process control walk-through exercises with each business process owner;
- Finance division documented walk-through results and reviewed documentation with business process owners:
  - Updated documentation based upon responses to the questions and results of the walk-through,
  - Expanded notations and captured compensating controls, where applicable, and
  - Finalized the overall assessment for the control objectives and the process area.
- Finance division developed an ELC questionnaire based upon the COSO framework;
- Senior members of the finance division completed the ELC questionnaire;
- Company XYZ’s internal audit division reviewed the final ICQs and ELC questionnaire;
- Finance division evaluated overall results:
  - Identified areas for improvement,
  - Identified compensating controls,
  - Assessed overall risk, and
  - Accumulated results.
- Finance division developed draft self-assessment report;
- Internal Audit division and the office of the general counsel reviewed draft of self-assessment report; and
- The board reviewed final draft of the self-assessment report.

IV. SELF-ASSESSMENT RESULTS

Based upon the self-assessment process outlined above, the design of internal controls for key operations and budget processes ranges from effective to highly effective. The following graph depicts overall results by process area.

(Insert graph)

The self-assessment identified many well-designed controls, including various reconciliations, analyses, reviews, approvals, protocols, procedures, and system-based controls, that help ensure accuracy and completeness of financial reports. The self-assessment process also revealed a number of opportunities to improve the internal control environment, most of which had previously been identified by management and were actively being addressed at the time of this self-assessment.

Opportunities to enhance the internal control environment include the following areas:
A. Overall

1. Policies, Procedures, Standards and Guidelines

Many of the policies, procedures, standards and guidelines that provide the foundation for business and information technology processes exist but have not been formally documented and approved by the appropriate levels of management. Management is in the process of formalizing, or plans to formalize in (year), key documents, such as accounting policies and certain information technology policies and procedures.

B. Business

1. System Access / Segregation of Duties

Access to the financial systems (including general ledger, accounts payable, accounts receivable, and fixed assets) and financial reporting systems has been restricted to appropriate users (e.g., the finance division); however, access to individual functions within these systems has not been restricted based upon the specific business needs of the individual users. Even though management has appropriately established who should perform certain functions, preventative access controls in the systems do not restrict who can perform certain functions. As a result, system users may be able to perform inappropriate or incompatible functions. Management is in the process of establishing user access roles in the systems and restricting access based upon defined business needs.



2. Spreadsheets

End-user computing technologies (e.g., Microsoft Excel, Access, Word) that are used to generate financial data or disclosures in the financial reports are not subject to a level of control commensurate with other key financial application systems. Though access to the spreadsheets is restricted to the finance division, the spreadsheets themselves are not subject to an appropriate level of security or change management control. The file is not password protected, changes are not logged, and file versions are not managed. Company XYZ plans to deploy a system in (year) to manage documentation throughout the enterprise. This system has the ability to restrict access to specific files and manage software versions.



3. Other Business and Control Process Improvement Opportunities

The self-assessment also revealed some specific process improvement opportunities that are being considered by management, including:

- Routing all invoices directly to the accounts payable division;
- Establishing a formal dollar threshold for obtaining competitive bids for products or services; and
- Developing standard forms for requesting and authorizing certain business activities (e.g., establishing user access, modifying salaries).

C. Information Technology

1. Password Controls

Though mandated by the IT password security policy, end users are not forced to change their passwords on a periodic basis. Due to ongoing Information Technology initiatives impacted by periodic password changes, this functionality has been disabled for the remainder of (year). In (year), the X-day password expiration interval will be reactivated.

2. Monitoring of Information Technology

Management has established standard procedures and deployed various systems to monitor information technology performance and certain events or activities. The primary focus of existing monitoring controls is to identify operational anomalies or potential security violations in a timely manner. Opportunities exist to enhance information technology monitoring by defining information technology operational metrics, improving data accumulation, and expanding communication. Management has initiated a project to formally define all relevant information technology operational metrics and deploy tools to accumulate related information. Management plans to complete this initiative in (year).

Though reviews are occasionally performed on an as-needed basis, management does not proactively and consistently monitor system access and system settings to help ensure that the information technology environment is controlled in a manner consistent with existing standards or guidelines, accepted industry standards, or management’s intentions. Over time, there is a risk that system access and system settings may deviate from that required to appropriately support and protect the business. Periodic reviews of system access and system settings help enforce, or ensure compliance with, information technology policies, procedures, standards and guidelines.



3. Other Business and Control Process Improvement Opportunities

The self-assessment also revealed some specific process improvement opportunities that are being considered by management, including:

- Developing standard forms for requesting and authorizing certain business activities (e.g., establishing user access);
- Performing periodic tests of data recovery procedures; and
- Developing a more robust environment for testing system changes.

V. CONCLUSION

Management is committed to the continuous improvement, or maturation, of the internal control environment and, as previously indicated, has either taken, or is planning to take, action in each of these areas. Though these improvement opportunities represent risk to the accuracy and completeness of financial reports and data, that risk is mitigated or minimized by other compensating controls. During this self-assessment, management performed a high-level assessment of compensating controls associated with each observation. In all cases, one or more controls were specifically identified to compensate for the noted control weakness.