Step-by-step guidance on creating internal controls to manage risk
Internal control is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations, and policies.
This is a "toolkit" approach that addresses a practical need for a series of standards of internal controls that can be used to mitigate risk within an organization of any size. Inadequate internal controls can cause a myriad of problems that adversely affect an organization's ability to provide the reliable, timely, and useful financial and managerial data needed to support operating, budgeting, and policy decisions. Reliable data is necessary to make sound business decisions.
• Toolkit approach with detailed controls and risks outlined for key business processes
• Foundational for SOX 404 initiatives
• Key material to improve internal control efforts
• Guidance during M&A projects
Poor controls over data quality can cause financial data to be unreliable, incomplete, and inaccurate; this book helps you control that quality and manage risk.
Table of Contents
Introduction to The Internal Controls Toolkit
Introduction
Internal Controls And Fraud Prevention
Internal Controls And Fraud Prevention: Additional Statistics
Who Will Benefit From This Toolkit
About The Standards of Internal Control
How Were The Standards Developed?
How Are The Standards Used?
What Is The Basic Premise of The Standards?
When Should The Standard Be Updated?
What Is A Best Practice For Implementing And Using The Standards?
General Standards of Internal Control
How This Toolkit Is Organized
1.0 Background On Internal Controls
The Goals And Challenges of Internal Controls
Risk Based Internal Controls
Application of Internal Controls
The Three Critical Corporate Controls
The Background And History of Internal Controls
Securities Act of 1933
Securities Exchange Act of 1934
Trust Indenture Act of 1939
Investment Company Act of 1940
Investment Advisors Act of 1940
Foreign Corrupt Practices Act (FCPA) of 1977
Comprehensive Crime Control Act - 1984
Federal Sentencing Guidelines For Organizations - 1991
Internal Control - Integrated Framework - 1992 And 2013
COSO’s Monitoring Guidance
COBIT - 1996
SysTrust - 1999
Corporate Frauds - 2001-2002
U.S. Sarbanes Oxley Act of 2002
Enterprise Risk Management (ERM) Integrated Framework - 2004 And 2013
Example: Enterprise Risk Management (ERM) And The Application to The Procure to Pay (P2P) Cycle
An ERM Checklist
Internal Control Over Financial Reporting - Guidance For Smaller Public Companies - 2006
Guidance On Monitoring Internal Control Systems - 2009
Definition of Internal Controls
Types of Internal Controls And Control Mechanisms
Major Types of Internal Control
Compensating Controls
Other Controls
Organization Controls
Policy Controls
Procedure Controls
Supervisory Controls
Review Controls
Leveraging The Standards of Internal Control to Implement A Controls Self-Assessment (CSA) Program
Ethics And “Tone At The Top”
What Is ‘Tone At The Top’?
What Are The Components of An Effective Ethics Policy?
What Are The Components of A Well-Defined Code of Conduct?
What Are Examples of Poor “Tone At The Top”?
Code of Conduct Considerations
Entity Level Controls
Benefits For Entity Level Controls
“Tone At The Top”
Roles And Responsibilities For Internal Control
2.0 The Order to Cash (O2C) Process
2.1 Order Entry/Edit
2.2 Export Controls
2.3 Sales Contracts
2.4 Credit
2.5 Shipping
2.6 Revenue Recognition/Billing
2.7 Accounts Receivable (AR)
2.8 Collection
2.9 Cash Receipts And Application
2.10 Price Establishment
2.11 Promotional Activities
3.0 Treasury Process
3.1 General Treasury Controls
3.2 Financing Operations
3.3 Investment of Available Funds
3.4 Foreign Exchange
4.0 Procure to Pay (P2P) Process
4.2 Purchasing/Ordering
4.3 Import Controls
4.4 Receiving
4.5 Accounts Payable
4.6 The Payment Process - General
4.7 The Payment Process - Travel And Entertainment
4.8 Research And Product Development
4.9 Procurement Cards (P-Cards)
5.0 Hire to Retire (H2R) Process
5.1 Payroll Preparation And Security
5.2 Payroll Payment Controls
5.3 Distribution of Payroll
5.4 Compensation And Benefits
5.5 Hiring And Termination
5.6 Education, Training, And Development
5.7 Contingent Workforce
6.0 The Supply Chain Process
6.1 Planning & Control
6.2 Inventory Control
6.3 Inventory Verification
6.4 Inventory Valuation
6.5 Product Cost Management
6.6 Original Equipment Manufacturers (OEMs) / Alliance Partners
6.8 Transportation And Logistics
7.0 Record to Report (R2R)
7.1 International Transfer Pricing
7.2 Intercompany Transactions
7.3 Accumulation of Financial Information
7.4 Processing And Reporting of Financial Information (The Final Mile)
7.5 Fixed Assets
8.0 Government Contracts
8.1 United States Government Contracts - General
8.2 United States Government Contracts - Non-Commercial Products
8.3 United States Government Contracts - Commercial Products
8.4 Contracts With State And Local Governments And Educational Institutions Within The United States
8.5 Contracts With Governments Outside The United States
9.0 Records And Information Management
9.2 Standards of Internal Record Keeping Requirements
10.0 Computer, Telecommunication And Systems Controls
10.1 Owners, Users, And Service Providers
10.3 Computer Access Control
10.4 Network Operations And Security Controls
10.5 Systems Development Methodology
10.6 Change Management
10.7 Computer And Telecommunications Backup For Production Restart/Recovery
10.8 Disaster Recovery And Business Contingency Planning
10.9 Input Controls
10.10 Output Controls
10.11 Paperless Transactions, Electronic Commerce, And EDI
10.12 Non-Company Networks And Bulletin Boards
11.0 Protection of Assets: Human, Physical And Intellectual
11.1 Security Framework
11.2 Perimeter Security
11.3 Interior Security
11.4 Protecting Intellectual Property
12.0 The Insurance Process
12.1 Protection Against Physical Damage And Other Accidents
12.2 Insurance (Property & Casualty Risks)
12.3 Business Continuity
13.0 Environmental, Health, And Safety (EH&S)
13.1 General Controls
14.0 Customer Services
14.1 Policy
14.2 Call Center Management
14.3 Warranty
14.4 Support Sales
15.0 Professional Services (PS)
15.1 General Controls
15.2 Opportunity-Bid Process
15.3 Program Management
15.4 Customer Order Management
16.0 Entity Level Controls
16.1 Compliance And Compliance Screening
16.2 Internal Controls Roles And Responsibilities
16.4 Audit Committee Controls
17.0 Glossary
18.0 Addendum - Additional Tools
18.1 Example Internal Controls Policy
18.2 Delegation of Authority (DOA) Policy
18.3 Segregation of Duties (SOD) Policy
18.4 System Access (SA) Policy
18.5 Pricing Policy Example
18.6 Testing Internal Controls And Selecting Sample Sizes
References