Unit:
Subject: Sarbanes-Oxley Act Review - Financial Reporting
Title: Risk & Control Identification
Year end:
OBJECTIVE | OBJECTIVE CATEGORY | RISK REFERENCE | POTENTIAL RISK | SUGGESTED CONTROLS TO MITIGATE THE POTENTIAL RISK (Internal Audit)
ACCOUNTING POLICIES AND PROCEDURES
Management should define and communicate accounting
principles. Accounting policies and procedures should be
established in accordance with management criteria, GAAP,
and applicable laws and regulations. These policies and
procedures should be in writing and provide adequate
explanations for the company's accounting policies and
procedures.

FIN101
Financial statements / Management pack may be misstated,
inconsistent, and / or not prepared in accordance with
Management policies, GAAP and applicable laws and
regulations.
Written accounting policies and procedures exist and include
such matters as:
Chart of accounts accompanied by explanations of the items to
be included in the various accounts.
Identification and description of the principal accounting
records, recurring standard entries, and requirements for
supporting documentation. For example, this may include
information about the General Ledger, source journals,
subsidiary ledgers, and detail records for each significant class
of transactions.
Expression of the assignment of responsibilities and delegation
of authority, including identification of the individual positions
that have authority to approve various types of recurring and
non-recurring entries.
Explanations of documentation and approval requirements for
various types of recurring and non-recurring transactions and
journal entries. Documentation requirements, for example,
would include the basis and supporting computations required
for adjustments and write-offs.
Instructions for determining an adequate cut-off and closing of
accounts for each reporting period.
Appropriate revision of policies and procedures.

FIN102
Accounting policies and procedures are no longer pertinent.
Accounting policy and procedure manuals are updated as
necessary. New policies and procedures or changes to
existing policies and procedures should be documented,
reviewed and approved by management.
 
Only authorised persons can alter or establish a new
accounting principle, policy, or procedure to be used by the
company.

FIN103
Unauthorised accounting principles may be applied.
The Board of Directors approves accounting principles to be
applied.
CODING AND CLASSIFICATION OF TRANSACTIONS
All reportable transactions and activities should be coded and
classified on an accurate and consistent basis, and in
accordance with company policy, GAAP, and applicable laws
and regulations.

FIN201
Inaccurate coding and classification of regulated and
non-regulated activities may occur. Misallocations between General
Ledger accounts, Cost Elements, or Cost Centres. Financial
statements may be misstated, inconsistent, and / or not
prepared in accordance with company policy, GAAP, and
applicable laws and regulations.
Reference manuals and guides which describe and define
codes and accounts should be maintained and distributed (e.g.
an Accounts Manual).
Employees should be trained on the use of proper codes.
New codes should be systematically assigned and existing
codes should be updated as appropriate.
Documents used to report transactions and activities (e.g. time
sheets, vouchers) should be reviewed and approved by
management.
Transactions or changes impacting the financial reporting
process should be reported to Corporate Accounting e.g. all
new clearing accounts, extraordinary items, prior period
adjustments, and contingent liabilities.
GENERAL LEDGER MASTER RECORDS (CHART OF ACCOUNTS)
General Ledger Master Data / General Ledger Maintenance
 
Only valid changes are made to the General Ledger master
records. (validity) The General Ledger Chart of Accounts
reflects Group requirements. New accounts will be added to
the Chart of Accounts only if they are necessary and have been
approved to help ensure efficient system processing and
accurate transaction processing.

FIN301
Invalid changes are made to the General Ledger master
records.
A procedure is established that changes to the General Ledger
master record are documented on a valid source document and
approved by Senior Management. All information entered
during General Ledger master record creation and / or change
is automatically validated by SAP. Upon entry in the field, the
system automatically checks the value entered against the
values available in the configuration tables. An error message
is generated if the value entered is not available. Standard SAP
functionality prevents General Ledger accounts from being
deleted until accounts are void of all activity. General Ledger
accounts cannot be marked for deletion until they have been
blocked from posting for a specified length of time, (e.g. end of
fiscal year). Procedures are established for the official
responsible for the creation of new General Ledger accounts to
perform a matchcode search when creating a new General
Ledger account to ensure that General Ledger accounts do not
proliferate. Searches can be performed on the following codes:
Chart of Accounts; General Ledger Account #, General Ledger text & company.
All valid changes to General Ledger master records are
processed. (completeness)

FIN302
Not all valid changes to the General Ledger master records are
input and processed.
Requests to change General Ledger master records are
submitted on standard prenumbered forms (e.g. a "General
Ledger master record form"). To ensure that all requested
changes are processed, the numerical sequence of such
forms is accounted for after processing (e.g. by reconciliation
to a SAP report of General Ledger master record changes, such as
RFSABL00 - change documents).
Changes to the General Ledger master records / Chart of
Accounts will be communicated to the user community in a
timely manner to prevent processing errors.

FIN303
System interruptions. Misallocations.
A list of users affected by the changes made to General Ledger
master records should be maintained. Before performing a
change, the official making the change should notify and verify
the change with all these users to ensure that the change will
be properly implemented without causing system interruption.
General Ledger master record information is recorded in a
consistent and complete fashion.

FIN304
Incomplete data may be entered in the General Ledger master
records. Critical fields that must be entered are not specified as
mandatory.
The field status group defines the fields that are mandatory and
optional when using the General Ledger account.
 
Changes to General Ledger master records are correctly
processed. (accuracy)

FIN305
Changes to General Ledger master records may be incorrectly
processed.
The official (responsible for maintenance of General Ledger
master records) shall process all requests for modification of
the General Ledger master records after having checked the
contents and the accuracy of the data supplied. Each change
to General Ledger master records is prepared from appropriate
source documents (e.g. a "General Ledger master record
amendment form"). SAP edits and validates General Ledger
master records online; identified errors are corrected promptly.
Notifications of changes to General Ledger master records are
processed timeously. (proper period) All new accounts will be
added in a timely manner so they are available for transaction
processing in the correct period.

FIN306
Changes to the General Ledger master records are not
processed timeously. Payroll may be incorrectly computed for
the relevant period.
A procedure should be established that the change to General
Ledger master records is made within an established time
period after the source document (e.g. General Ledger master
record amendment form) has been received. By processing the
change immediately after the source document has been
received, the General Ledger master record is kept current and
the possibility of incorrect changes being made is minimised.
Requests to change General Ledger master record data are
logged. The log is reviewed to ensure that all requested changes
are processed timeously.
Changes to General Ledger master records are authorised by a
responsible official. (authorisation) Maintenance to the Chart of
Accounts will be properly approved to ensure that the changes
will be properly implemented.

FIN307
Changes to General Ledger master records may not be
authorised.
Significant changes to General Ledger master records are
approved by management.
General Ledger master records remain pertinent. Maintenance
of the Chart of Accounts will be conducted for operating
efficiency. General Ledger master records are periodically
checked by a responsible official (for inter alia completeness
and accuracy).

FIN308
General Ledger master records do not remain pertinent.
General Ledger master records may not be properly
maintained. General Ledger master records no longer needed
are not deleted / archived from the system.
General Ledger master record data is periodically reviewed by
management for accuracy and ongoing pertinence.
Management reviews the Chart of Accounts annually to identify
unused or duplicate values, or possible additions to the values.
An audit trail will exist for all changes to the Chart of Accounts.
All changes to, and deletions of, General Ledger master records
must be properly logged, documented and retained.

FIN309
Unauthorised changes to General Ledger master records
(including creation or deletion of accounts) may go undetected.
Errors in capturing General Ledger master records are not
timeously identified. No responsibility is assigned for regularly
reviewing audit trails of change information. (No master data
amendment report is generated to ensure that the information
processed is correct and accurate.) Changes to General
Ledger master records are not supported by valid
documentation. Required documentation is not retained for
mandatory retention periods.
The Financial Accountant reviews the General Ledger account
change report on a monthly basis to ensure changes are
performed in compliance with General Ledger maintenance
requests. Changes to critical General Ledger master details are
reviewed by senior management. A master data amendment
report showing data before and after changes is approved
(based on a comparison to source documents where
appropriate) by an independent person. A SAP report (e.g.
RFSABL00) is generated with date and time of change, old and
new values for fields and also the user who entered the
change. Procedures exist to retain all documentation on any
Chart of Accounts maintenance requests.
 
GENERAL LEDGER ENTRIES
General Ledger Posting: Recording of entries in the General Ledger from cashbook, sales, accounts payable and other subsidiary systems.
General Ledger entries are prepared with genuine information.
(validity) The authenticity of the transaction source is validated.

FIN401
Transaction may not be genuine.
Rejected items require re-entry on a timely basis subject to the
same input controls as new transactions. (completeness)

FIN402
Rejected items not re-entered.
All rejected items should be reviewed for errors and re-entered
in the same manner under management supervision.
Application systems provide audit trails of significant
transaction activity.

FIN403
Historical General Ledger detail, including supporting
documentation is not available when needed. No audit trail,
resulting in fraud and errors not being identified or corrected.
Standard SAP functionality tracks all transactions and access
to the system is restricted. Review and approval of audit trail
reports on a timely basis.
All General Ledger entries are recorded. (completeness)
Application controls ensure all transactions input are
processed.

FIN404
Not all valid transactions are processed.
Recurring entries: Some financial documents have to be posted
every month to the General Ledger. SAP has the recurring
entries option available where documents are entered only once
in the system and SAP is told when to process the document
again automatically. Reconciliation of General Ledger
accounts.
General Ledger entries are correct in respect of amounts
(accuracy).

FIN405
Transactions processed are inaccurate.
Field status groups define the fields that are mandatory and
optional when using the General Ledger account during
processing. The field status groups were configured during
implementation and help to ensure the accurate entry of
financial postings. Financial documents are automatically
checked during entry to ensure that debits and credits balance.
Creation of the document is only possible after the error has
been corrected.
Foreign exchange gains and losses are calculated correctly and
posted to the correct account.

FIN406
VAT, sales tax (Usutu?) and foreign exchange gains and
losses are calculated incorrectly or posted to the incorrect
account.
SAP can be configured, per company and per foreign currency,
with how much the exchange rate on the document header may
differ from the exchange rate currently known in the system.
General Ledger entries are posted to the correct account.
(classification)

FIN407
Items are matched to the incorrect open item managed account
or to the incorrect line item in an open item managed account.
Financials are inaccurate and are not comparable due to
misclassifications.
SAP is configured to establish account assignment models to
reduce data entry errors. Financial document types define the
type of account that a document can be posted to.
Reconciliation of General Ledger accounts.
 