Control examples (master data and hedging)

Vendor master maintenance
Control 1: The VMM can only create or change the vendor master file on the basis of an approved form, and a second VMM double-checks the creation or change.
Control 2: The VMM runs the SAP vendor master change log and the new vendor creation log weekly; the deputy VMM then checks the change log against the approved application forms.

Customer master maintenance
Control 1: When opening a new customer account, sales staff update SAP from the approved SAP Customer Creation/Change form, which carries the customer's name, address, telephone number, fax number, proposed payment terms and order amount.
Control 2: Sales staff run the SAP customer master change log and the new customer creation log weekly; the deputy of the sales staff then checks the change log against the approved Customer Creation/Change forms.

Hedging
Control 1: The company follows the group policy and the country policy.
Control 2: Before entering into each hedging transaction, the accounting manager reviews and confirms that the transaction complies with the group policy (when a PO is in place, it should be hedged). The FC then approves the transaction in accordance with the approved Group hedging policy.

Vendor master completeness
Control 1: SAP required-entry fields remind the VMM to fill in all necessary information.
Control 2: The VMM runs the SAP vendor master change log and the new vendor creation log weekly; the deputy VMM then checks the change log against the approved application form.

Key Controls Example (Purchasing & AP Process)
Control 1: All purchase orders are authorised by the purchase manager.
Control 2: All purchase orders are sequentially numbered and entered into SAP.
Control 3: Goods received are inspected and received into the store; a Goods Received Note (GRN) is prepared, signed by the storekeeper and entered into SAP.
Control 4: Invoices are received by the SSC, who check the authorisation of the purchase, the details of the goods ordered, the material received, and the details and pricing on the invoice before releasing payment (three-point matching).
All four are important controls that must be documented and evaluated. Control 4 is the Key Control: because the three-point match re-checks the purchase authorisation (Control 1), the order details (Control 2) and the receipt of goods (Control 3), testing it gives comfort that all four controls are operating effectively.

Purchasing and Accounts Payable Controls Deficiencies
Design deficiencies:
- A control necessary to address a financial reporting risk is missing.
- An existing control is not properly designed, so that even if it operates as designed the financial reporting risk may not always be addressed.
Operating deficiency:
- An existing, properly designed control is not followed during operation because the responsible staff intentionally or unintentionally depart from the designed procedure, so the financial reporting risk may not be addressed.

Controls will be assessed twice: once for design effectiveness and once for operating effectiveness. If either assessment concludes that the control is not working, an action plan must be developed.
Assessment flow:
Document control -> Test control -> Is the control designed effectively?
  No -> Update the deficiency log and develop an action plan -> Remediated -> Test the control again
  Yes -> Is the control operating effectively?
    No -> Update the deficiency log and develop an action plan -> Remediated -> Test the control again
    Yes -> The entity continues to monitor control effectiveness

Assessment techniques (the level of comfort decreases from re-performance down to inquiry):
Technique        Explanation                                                                                   "SOX proof"
Re-performance   Ascertain if the control is effective by repeating the control activity.                        Yes
Examination      Ascertain if the control is effective by inspecting evidence (records, documents, reports,      Yes
                 etc.) that the control activity has been performed properly.
Observation      Ascertain if the control is effective by watching it being performed by the relevant personnel. No
Inquiry          Ascertain if the control is effective by asking questions of the relevant personnel.            No

[Figure: matrix mapping risks 1 to 7 against controls A to E, with key controls marked and N.A. where no control applies.]

Process Template

Control type: Reconciliation and cut-off control
Assessment instruction: Trace the reconciling totals to the source or supporting document. Review the reconciling items for reasonableness.
Example: Bank reconciliation. Trace the GL cash balance and the bank statement balance to the source document. Review the reconciling items for items more than 3 months old and for unusually large amounts.

Control type: Compliance with policies and procedures; Education and training
Assessment instruction: Usually covered by an interview with the relevant personnel, followed by a review of evidence that the control was performed.
Example: Upon resignation or retirement, an employee exit checklist is completed to ensure that company property is returned, access to the company is cancelled and payroll is informed accordingly. This can be tested by reviewing an employee file for evidence of the checklist.

Control type: Verification or vouching; Arithmetic accuracy
Assessment instruction: Usually done by re-performance of the control activity, that is, performing exactly the same checks done by the control executor.
Example: To test the 3-way match of supplier invoices, perform the 3-way match for the sample selected, ensuring the match of supplier ID and name, description of goods purchased, quantity and price.

Control type: Review and authorisation
Assessment instruction: Usually done by looking for evidence of review or authorisation.

Control type: Segregation of duties
Assessment instruction: Usually done by interviewing the relevant manager of the function, supported by observation of the actual activity. For segregation enforced by the system, testing can be done by reviewing a list of user access generated from the system.

Control type: Physical access control
Assessment instruction: Usually done by interviewing the relevant manager of the function, supported by observation of the actual activity.

Control type: IT configuration or programmed control
Assessment instruction: Can usually be tested by a systems walkthrough.

Control type: IT access control
Assessment instruction: Can usually be tested by reviewing a list of user access generated from the system.

Note: If the sample size available is less than the targeted sample size, the sample should be 100% of the available population.

Process overview
Documentation: A. Document sub-processes; B. Document risks & controls
Execution: C. Execute controls
Assessments: D. Assess controls; E. Assess risks
Reporting & sign-off: F. Report & sign-off; G. Audit & final sign-off; H. Filing to SEC and archive

Scoping thresholds (in millions of U.S. dollars) and minimum account coverage
Level                   Threshold   Minimum account coverage
Group                   25.0        (a)
Reporting unit          5.0         60%
Sub-reporting unit      2.0         60%
Location                2.0         60%
Class of transactions   0.5         60%
(a) Minimum account coverage is achieved through the selection of significant locations.

Example of minimum account coverage
Reporting unit: minimum account coverage balance 3
Sub-reporting unit 1: account balance 2.1 (a)
Sub-reporting unit 2: account balance 0.8 (b)
Sub-reporting unit 3: account balance 0.7 (b)
Sub-reporting unit 4: account balance 0.6
Other sub-reporting units: account balances less than 0.6
(a) Significant account identified by threshold.
(b) Significant accounts identified by minimum coverage.

Identifying significant accounts
Compare the magnitude of the account with the threshold:
- Above the threshold -> Significant account.
- Below the threshold -> Possible significant account: consider the qualitative factors and the likelihood of misstatement. Where the likelihood is remote (5% or less likelihood of occurrence) -> Insignificant account; otherwise -> Significant account.

Factor                  Assessment criteria
Quantitative factor     Size and composition of account: prior year-end actual results and current year-end forecast, in excess of the established threshold or not in excess of the established threshold.
Qualitative factors     Nature of account (for example, suspense accounts generally warrant greater attention): routine, non-routine, or estimation.
                        Volume of activity processed: low or high.

C. Execute Controls
- The execution of control activities should be part of the day-to-day business activities performed by the relevant personnel.
- In this step, a gap analysis is performed between the control activities documented in step B and those actually executed in step C.
- Develop an action plan to implement the missing control activities.

D. Assess Controls
- The execution of the control activities needs to be reviewed on a regular basis to ensure that the control activities are effective.
- The assessment should be performed by someone independent of the execution of the control.
Example (continuing from the Purchasing & AP example):
Control assessor: AP manager
Assessment instruction: Select 3 items for payment. Trace each to the supplier invoice and review for evidence of receipt of goods (goods received notes) or services (acknowledgement by the recipient).
Assessment frequency: Quarterly

E. Assess Risks
- Risk assessment is the evaluation of the impact of control deficiencies on the financial statements.
- Note that a single account can be impacted by one or more control deficiencies.
- Risk assessment is based on the process owner's judgement, using the results from the control assessment.
- Assess the compensating controls.

Roles
Control Executor: Performs control activities as part of normal business operations.
Control Assessor: Tests the effectiveness of the control activities.
Process Owner: Performs risk assessment based on the results from control assessments.
CEO / CFO: Sign off at various levels.
Responsibility runs from the detailed level (division / business unit) up through the reporting unit to the high level (CEO / CFO).

[Figure: process flowchart template with columns Initiate, Authorize, Record, Process and Report, and legend symbols for Process, Decision point, Report, Financial system, Gap, Activity owner and Key control.]
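The three-point match in Control 4 of the Purchasing & AP key controls, the "Verification or vouching" assessment instruction (re-perform the 3-way match on the sample, checking supplier ID and name, description, quantity and price) and the step D assessor instruction (trace each sampled payment to the invoice and the GRN) all describe the same re-performance. The following is an added example written for this page, not code from the original presentation or from any SAP product; the record types, field names, user names and the sample PO, GRN and invoice data are all constructed for illustration. It re-performs the match as an assessor would, returning one finding per failed check so a sample with no findings is one where payment could be released.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Constructed record types for the three documents of the match.
# Field names are assumptions for this example, not an SAP data model.

@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    supplier_id: str
    supplier_name: str
    description: str
    quantity: int
    unit_price: Decimal
    authorised_by: Optional[str]  # purchase manager approval (Control 1); None = unauthorised

@dataclass(frozen=True)
class GoodsReceivedNote:
    grn_number: str
    po_number: str
    quantity_received: int
    signed_by: Optional[str]      # storekeeper signature (Control 3); None = unsigned

@dataclass(frozen=True)
class SupplierInvoice:
    invoice_number: str
    po_number: str
    supplier_id: str
    supplier_name: str
    description: str
    quantity: int
    unit_price: Decimal

Finding = Tuple[str, str]  # (exception code, detail)

def three_way_match(invoice: SupplierInvoice,
                    pos: Dict[str, PurchaseOrder],
                    grns: List[GoodsReceivedNote]) -> List[Finding]:
    """Re-perform Control 4 for one invoice: invoice vs PO vs GRN.

    Returns an empty list when the invoice may be released for payment,
    otherwise one finding per failed check, in check order.
    """
    findings: List[Finding] = []
    po = pos.get(invoice.po_number)
    if po is None:
        return [("NO_PO", f"{invoice.invoice_number} references unknown PO {invoice.po_number}")]
    if not po.authorised_by:
        findings.append(("PO_UNAUTHORISED", f"{po.po_number} has no purchase manager approval"))
    if (invoice.supplier_id, invoice.supplier_name) != (po.supplier_id, po.supplier_name):
        findings.append(("SUPPLIER_MISMATCH",
                         f"invoice {invoice.supplier_id}/{invoice.supplier_name} vs PO {po.supplier_id}/{po.supplier_name}"))
    if invoice.description.strip().lower() != po.description.strip().lower():
        findings.append(("DESCRIPTION_MISMATCH", f"'{invoice.description}' vs '{po.description}'"))
    if invoice.quantity != po.quantity:
        findings.append(("QUANTITY_MISMATCH", f"invoiced {invoice.quantity}, ordered {po.quantity}"))
    if invoice.unit_price != po.unit_price:
        findings.append(("PRICE_MISMATCH", f"invoiced {invoice.unit_price}, ordered {po.unit_price}"))

    received = [g for g in grns if g.po_number == invoice.po_number]
    if not received:
        findings.append(("NO_GRN", f"no goods received note for {po.po_number}"))
        return findings
    unsigned = [g.grn_number for g in received if not g.signed_by]
    if unsigned:
        findings.append(("GRN_UNSIGNED", "unsigned GRN(s): " + ", ".join(unsigned)))
    total_received = sum(g.quantity_received for g in received)  # partial deliveries add up
    if invoice.quantity > total_received:
        findings.append(("QUANTITY_NOT_RECEIVED", f"invoiced {invoice.quantity}, received {total_received}"))
    return findings

def assess_sample(invoices: List[SupplierInvoice],
                  pos: Dict[str, PurchaseOrder],
                  grns: List[GoodsReceivedNote]) -> Dict[str, List[Finding]]:
    """Step D assessor: re-perform the match over the selected sample of payments."""
    return {inv.invoice_number: three_way_match(inv, pos, grns) for inv in invoices}

# Constructed sample data (invented for this example, not taken from any real system).
PO_REGISTER = {
    "PO-1001": PurchaseOrder("PO-1001", "V100", "Acme Fasteners Ltd", "M8 hex bolts, box of 100", 10, Decimal("12.50"), "purchase.manager"),
    "PO-1002": PurchaseOrder("PO-1002", "V200", "Northwind Steel", "Steel plate 10mm, sheet", 4, Decimal("310.00"), "purchase.manager"),
    "PO-1003": PurchaseOrder("PO-1003", "V300", "Globex Tools", "Cordless drill", 2, Decimal("89.00"), None),
}
GRN_REGISTER = [
    GoodsReceivedNote("GRN-5001", "PO-1001", 10, "storekeeper"),
    GoodsReceivedNote("GRN-5002", "PO-1002", 3, "storekeeper"),  # partial delivery: 3 of 4
    GoodsReceivedNote("GRN-5003", "PO-1003", 2, None),           # not signed by the storekeeper
]
INVOICE_SAMPLE = [
    SupplierInvoice("INV-1", "PO-1001", "V100", "Acme Fasteners Ltd", "M8 hex bolts, box of 100", 10, Decimal("12.50")),
    SupplierInvoice("INV-2", "PO-1002", "V200", "Northwind Steel", "Steel plate 10mm, sheet", 4, Decimal("325.00")),
    SupplierInvoice("INV-3", "PO-1003", "V300", "Globex Tools", "Cordless drill", 2, Decimal("89.00")),
    SupplierInvoice("INV-4", "PO-9999", "V999", "Unknown Supplier", "Consulting", 1, Decimal("1000.00")),
]

SAMPLE_RESULTS = assess_sample(INVOICE_SAMPLE, PO_REGISTER, GRN_REGISTER)

if __name__ == "__main__":
    for number, findings in SAMPLE_RESULTS.items():
        status = "release payment" if not findings else "hold: " + "; ".join(f"{c} ({d})" for c, d in findings)
        print(number, status)
```

Each finding maps back to the control it exercises: NO_PO and PO_UNAUTHORISED are Control 1 failures, the supplier, description, quantity and price checks are Control 2, and NO_GRN, GRN_UNSIGNED and QUANTITY_NOT_RECEIVED are Control 3, which is why testing this one key control gives comfort over all four.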
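The weekly change-log review in Control 2 of the vendor master and customer master controls (the deputy checks every logged creation or change against an approved form) is the detective control that catches master-data tampering such as a redirected vendor bank account. The following is an added example written for this page, not code from the original presentation or from SAP; the record layout is a simplification of a change log (one row per changed field) and not a real SAP export format, and the vendors, users, form numbers and account numbers are constructed. It performs the deputy's check and flags four failure modes: a change with no approved form, a change made before its form was approved, a form approved by the same person who made (or requested) the change, and a value entered that differs from the value on the approved form.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ChangeLogEntry:
    vendor: str        # vendor master record affected
    field: str         # field changed; "CREATED" marks a new vendor record
    old_value: str
    new_value: str
    changed_by: str    # user who made the change in the system
    changed_on: date

@dataclass
class ApprovedForm:
    form_id: str
    vendor: str
    approved_values: Dict[str, str]  # field -> value the form authorises
    requested_by: str
    approved_by: str
    approved_on: date

# Fields whose change redirects money or alters who gets paid; findings on these
# are escalated rather than merely logged. (Assumed list for this example.)
PAYMENT_SENSITIVE_FIELDS = frozenset({"BANK_ACCOUNT", "PAYEE_NAME", "PAYMENT_TERMS"})

Finding = Tuple[str, str, str]  # (vendor, field, exception code)

def review_change_log(entries: List[ChangeLogEntry], forms: List[ApprovedForm]) -> List[Finding]:
    """Deputy's weekly check: every logged change must be covered by an approved form."""
    findings: List[Finding] = []
    for e in entries:
        covering = [f for f in forms if f.vendor == e.vendor and e.field in f.approved_values]
        if not covering:
            findings.append((e.vendor, e.field, "NO_APPROVED_FORM"))
            continue
        in_time = [f for f in covering if f.approved_on <= e.changed_on]
        if not in_time:
            findings.append((e.vendor, e.field, "CHANGED_BEFORE_APPROVAL"))
            continue
        form = max(in_time, key=lambda f: f.approved_on)  # latest approval on or before the change
        # Segregation of duties: the approver must be neither the requester nor the person keying the change.
        if form.approved_by == e.changed_by or form.approved_by == form.requested_by:
            findings.append((e.vendor, e.field, "SEGREGATION_OF_DUTIES"))
        if form.approved_values[e.field] != e.new_value:
            findings.append((e.vendor, e.field, "VALUE_DIFFERS_FROM_FORM"))
    return findings

def escalations(findings: List[Finding]) -> List[Finding]:
    """Subset of findings on payment-sensitive fields that need immediate follow-up."""
    return [f for f in findings if f[1] in PAYMENT_SENSITIVE_FIELDS]

# Constructed sample data (invented for this example, not taken from any real system).
APPROVED_FORMS = [
    ApprovedForm("VCF-0412", "V100", {"TELEPHONE": "+44 20 7946 0321"}, "vmm.alice", "vmm.bob", date(2024, 3, 1)),
    ApprovedForm("VCF-0415", "V200", {"BANK_ACCOUNT": "GB29NWBK60161331926819"}, "vmm.alice", "vmm.alice", date(2024, 3, 5)),
    ApprovedForm("VCF-0418", "V300", {"CREATED": "Initech Services Ltd"}, "vmm.carol", "vmm.bob", date(2024, 3, 8)),
    ApprovedForm("VCF-0419", "V400", {"BANK_ACCOUNT": "GB94BARC10201530093459"}, "vmm.carol", "vmm.bob", date(2024, 3, 9)),
]
CHANGE_LOG = [
    ChangeLogEntry("V100", "TELEPHONE", "+44 20 7946 0123", "+44 20 7946 0321", "vmm.alice", date(2024, 3, 4)),   # covered by VCF-0412
    ChangeLogEntry("V100", "BANK_ACCOUNT", "GB29NWBK60161331926819", "GB33BUKB20201555555555", "vmm.alice", date(2024, 3, 5)),  # no form at all
    ChangeLogEntry("V200", "BANK_ACCOUNT", "GB33BUKB20201555555555", "GB29NWBK60161331926819", "vmm.alice", date(2024, 3, 6)),  # self-approved
    ChangeLogEntry("V300", "CREATED", "", "Initech Services Ltd", "vmm.carol", date(2024, 3, 7)),                      # keyed before approval
    ChangeLogEntry("V400", "BANK_ACCOUNT", "GB94BARC10201530093459", "GB94BARC10201530093460", "vmm.carol", date(2024, 3, 11)),  # last digit differs from form
]

REVIEW_FINDINGS = review_change_log(CHANGE_LOG, APPROVED_FORMS)

if __name__ == "__main__":
    for vendor, field, code in REVIEW_FINDINGS:
        flag = " [ESCALATE]" if (vendor, field, code) in escalations(REVIEW_FINDINGS) else ""
        print(f"{vendor} {field}: {code}{flag}")
```

The same check applies unchanged to the customer master control: swap the vendor record for the customer record and the approved Customer Creation/Change form for the vendor application form. The value comparison is the check most often skipped in practice, and it is the one that catches a form approved for one bank account while a different account was keyed.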