2010 05 20 Presentation

8/11/2019 2010 05 20 Presentation

1/91

1) Writing and ImplementingProcedures for your Department

and 2) Segregation of Duties andDelegation of Authority

Presented by: Chris Doxey, CAPP, CCSA, CICAVP, Business DevelopmentBusiness Strategy, Inc.Office: 540-882-3247Cell: [email protected]

BUSINESS STRATEGY INC.
mailto:[email protected]:[email protected]

8/11/2019 2010 05 20 Presentation

2/91


Writing and Implementing

Procedures for your Department

8/11/2019 2010 05 20 Presentation

3/91

8/11/2019 2010 05 20 Presentation

4/91

Course Content Map


Overview, Introduction, and Definitions

Writing Effective Procedures

Communication, Training, and Mentoring

Business Process Improvement

Sample Procedure

Statistics, Metrics, and Quality Tools

How Procedures Add ValueCHE

CKLI

STS

DISCUSSI

ON

8/11/2019 2010 05 20 Presentation

5/91


Introduction and Overview

8/11/2019 2010 05 20 Presentation

6/91

Overview


Policies and procedures are often required at the Company Level.Examples are:

Human Resources Code of Conduct Business Ethics Security

Delegation of Authority Corporate Finance

Policies and Procedures are also applicable at the Operating or Process Level.Examples are:

Procurement Accounts Payable Accounts Receivable Payroll

8/11/2019 2010 05 20 Presentation

7/91

Example of a Corporate PolicyFramework


8/11/2019 2010 05 20 Presentation

8/91

Definitions


8/11/2019 2010 05 20 Presentation

9/91

Definitions

This section will focus on the definitions of: Policies Procedures

Work Instructions Process Flows

All are key components of the documentationrequired to establish Standards of InternalControl.


8/11/2019 2010 05 20 Presentation

10/91

PoliciesWhat is a policy?

Basic concepts, assumptions, policies, methods, and practicesused by a company.As an example accounting policies ensure the adherence toaccounting principles and summarization into financialstatements as prescribed by GAAP.A policy can be described as what needs to happen to ensurethat accounting cycles are working within boundaries of internalcontrol high level approach. Other policies will be referenced ifapplicable.

Examples:1) All purchases must be approved in accordance with signatory

levels.

2) All purchases must utilize the approved vendor listing.


8/11/2019 2010 05 20 Presentation

11/91

ProcedureWhat is an accounting procedure?

The routine steps in processing accounting data during an accounting period.In sequence, 1) occurrence of the transaction, 2) classification of eachtransaction in chronological order (journalizing), 3) recording the classifieddata in ledger accounts (posting), 4) preparation of financial statements and5) closing of nominal accounts.A procedure ensures that a policy is properly executed and explains how.Other procedures or policies will be referenced if applicable.

Examples:1) Signatory levels will be validated for purchases by utilizing appropriate

systems and processes within the procurement department by the assignedprocurement personnel.

2) Direct and Indirect procurement orders will be reviewed by the procurementdepartment to ensure that vendors are on the approved vendor list. Depending

on the system, this will be completed either manually or systematically.


8/11/2019 2010 05 20 Presentation

12/91

Work InstructionsWhat is a work instruction?

A work instruction is a step by step document that depicts the stepsneeded to complete an activity at the transaction level.This is a detailed document that may include key stroke information.This is a very detailed how to document.

Example:1) Step 1: Log onto the signatory authorization system by accessing the

systems. Step 2: Log into the system using the assigned user ID andpassword. Step 3: Validate that the individual that has approved thepurchase has the appropriate signature authorization level. Step 4: Rejector move to processing.

2) Step 1: Validate all purchases with the vendor master listing . Step 2:Reject or move to processing.


8/11/2019 2010 05 20 Presentation

13/91

Process FlowsWhat is a process flow?

A process flow communicates the actual process currently inplace.It is a picture of the flow and sequence of work steps, tasks, oractivitiesA process flow will include: The flow or sequence of steps throughout the process. The person responsible for each task.

Key decision points and their impact on the flow of work. Major inputs/outputs from/to entities outside the scope of thediagram. Example: Systems Flows.


8/11/2019 2010 05 20 Presentation

14/91

Process Flows


How is a process flow created?

A process flow is created by diagramming the business or cycle flow using the symbolsbelow. Note: A tool such as Visio, or PowerPoint can be used.

8/11/2019 2010 05 20 Presentation

15/91


What are the Key Differences Between

Policies, Procedures,Work Instructions, and Flow Charts?

8/11/2019 2010 05 20 Presentation

16/91

Definitions - Checklist

Have you defined your Audience for theprocedure?

Does the procedure support a Corporate Policy?

Are additional Work Instructions needed tosupport the Procedure?

Can you leverage Existing Documentation?


8/11/2019 2010 05 20 Presentation

17/91

How Do Procedures Add Value?


8/11/2019 2010 05 20 Presentation

18/91

Procedures Add Value in theFollowing Ways:

Establish Standards of Internal ControlProvide the Supporting Document for SOX 404and Controls Self-Assessment Programs

Identify Areas for Potential ProcessImprovementsSupport Change Management Initiatives


8/11/2019 2010 05 20 Presentation

19/91

Standards of Internal Control

What are Standards of Internal Control?Standards of Internal Control ensure that basic andconsistent internal controls are in place across allactivities and entities across the company at theCorporate, Operating, and Process Level.Standards of Internal Control set the foundation for acontrol environment and establish the controlobjectives for the company and provide a mechanismfor risk mitigation.


8/11/2019 2010 05 20 Presentation

20/91

Other Benefits of Procedures

Procedures reduce human error.Document the most efficient way to perform atask.

Provide a training document.Support internal controls.Support quality initiatives.

Document an end to end process such asProcure to Pay.Document linkages with systems.


8/11/2019 2010 05 20 Presentation

21/91

Additional Benefits of

ProceduresProcedures add controls since they mayinclude check-points, or sign-off steps thatdesignate completion or approval of a task.

Procedures provide an audit trail for theprocess.Procedures support end to end process stepswithin an accounting cycle, or operationalcycle.


8/11/2019 2010 05 20 Presentation

22/91

Adding Value - ChecklistDoes the procedure support your InternalControls Program?

Can the procedure be used to support a

Controls Self Assessment Process?Does the procedure support a Quality Program?Can the procedures be Leveraged by otherdepartments?


8/11/2019 2010 05 20 Presentation

23/91



8/11/2019 2010 05 20 Presentation

24/91

Writing Effective ProceduresProcedures can be simple or complex depending uponthe process steps or tasks being documented.In the Getting Started Phase, remember thatprocedures provide the following:

Information that is needed to perform a task. A representation of the collective knowledge of a group of

experts regarding the way a task is performed.

A representation of institutional memory of the way a taskshould be performed.


8/11/2019 2010 05 20 Presentation

25/91

Steps to Follow


InvestigateOrganizeWriteReviseValidate, Verify, Approve

Investigate Organize Write ReviseValidate,Verify,

Approve

8/11/2019 2010 05 20 Presentation

26/91

InvestigatePerform preliminary research to develop ideasabout the content.Review existing source documentation.

Interview subject matter experts.Ensure you understand the content.


8/11/2019 2010 05 20 Presentation

27/91

OrganizePrepare an outline.Identify Subject Matter Expert(s).Identify a Supervisor or Manager that will beheld accountable for the procedure. (Oftenreferred to as the Process Owner)Organize the content.Chart a flow chart for the content.


8/11/2019 2010 05 20 Presentation

28/91

WritingCreate a draft of the procedure.Write the procedure so that it is auditable.

Use a step by step format.

Define responsibilities. Refer to types of documents that can be selected

for an audit sample. (e.g. Purchase Requests,

Purchase Orders, Invoices)


8/11/2019 2010 05 20 Presentation

29/91

ReviseCheck details of the procedure.Check spelling and grammar.Make revisions after a Subject Matter Expert,Supervisor, or Manager reviews the content.


8/11/2019 2010 05 20 Presentation

30/91

Validate, Verify, and ApproveReview the content with the subject matterexpert.Verify that the procedure is clearly documented.

Verify the accuracy of the procedure.Verify that the level of detail is appropriate.

Ensure that the procedure is approved by aSubject Matter Expert, Supervisor, or Manager.


8/11/2019 2010 05 20 Presentation

31/91

Writing Tips


8/11/2019 2010 05 20 Presentation

32/91

Writing TipsDevelop consistent syntax.Use clear vocabulary.Use useful headings.

Use the correct level of detail.How to specify numerical information.

Use consistent format.Hints for cross-references.


8/11/2019 2010 05 20 Presentation

33/91

Consistent SyntaxUse short sentences in process steps.

Break long sentences into shorter sentences.Write steps that are concise and can bevalidated by internal controls testing.Write action instructions in the active voice.Write steps as positive commands.Avoid negative statements.Provide examples or cross references.

Review and reference source documents. BUSINESS STRATEGY INC.

8/11/2019 2010 05 20 Presentation

34/91

8/11/2019 2010 05 20 Presentation

35/91

Clear VocabularyUse words consistently within the procedure.Use short, simple words that are common instandard American English.

Avoid words that may be misunderstood.Provide definitions if applicable.

Restrict the use of abbreviations andacronyms.


8/11/2019 2010 05 20 Presentation

36/91

Use Consistent HeadingsMake sure that the headings summarize the

information discussed within a section.Repeat the subject in the first sentence of theparagraph following a heading.

Headings should identify key points and serve astransitions between subject matter.

Headings show the overall structure of thedocument.Headings identify specific sections for selective

reading. BUSINESS STRATEGY INC.

8/11/2019 2010 05 20 Presentation

37/91

Level of DetailWrite procedures at an appropriate level of detail,

presenting the correct amount of information.The appropriate level of detail will vary according to thetype of procedure, the frequency with which the

procedure is performed, and the experience level of theusers.Feedback is an important step throughout the writing

process.Avoid assumed knowledge.Ensure that the audience for the procedure is properly

analyzed. BUSINESS STRATEGY INC.

8/11/2019 2010 05 20 Presentation

38/91

Numerical InformationProcedures should use Arabic numbers (e.g.0,1,2,3) rather than spelled-out numbers orRoman numerals.

Account numbers should be defined (e.g. GRIRClearing Account 0001223344)


8/11/2019 2010 05 20 Presentation

39/91

FormatUse a consistent type size and font.

Use place keeping aids, such as blank lines or boxes todesignate process steps.Use emphasis to let the reader know what is important.

Emphasis techniques should be used consistently.Examples are:

Bolding Italicizing Underling ALL CAPITALS (Brackets) Quotation Marks


8/11/2019 2010 05 20 Presentation

40/91

Cross ReferencesExplicit cross-references direct the user to referto another procedure or another part of thesame procedure.

Key words should be used to indicate each typeof cross reference. (e.g. invoice or purchaseorder)


8/11/2019 2010 05 20 Presentation

41/91

ChecklistIs the procedure written in a Step by Step

format?Is the format Consistent?Has the System supporting the BusinessProcess been considered?Are Key Controls documented?

Can the procedure be Audited ?Is the procedure written in Plain English ?

Can it be used as a Training Document ? BUSINESS STRATEGY INC.

8/11/2019 2010 05 20 Presentation

42/91


Tackling RoadblocksCommunication, Training, and Mentoring

8/11/2019 2010 05 20 Presentation

43/91

Communication Defined1. An exchange of information2. An act or instance of transforming information3. A verbal or written message

4. A technique for expressing ideas effectively


8/11/2019 2010 05 20 Presentation

44/91

Factors Affecting

Communication1. The receiver hearing what he/she wants to

hear2. The sender and receiver having different

perceptions3. The receiver evaluating the message before

accepting it4. Words meaning different things to different

people


8/11/2019 2010 05 20 Presentation

45/91

Benefits of Effective

CommunicationDeliver Consistent Information and UpdatesGain Commitment Inform People

Involve People Open Feedback Motivate People


8/11/2019 2010 05 20 Presentation

46/91

Communication MethodsHard Copy PrintPresentationsElectronicIntranetEmails

PostersBulletin BoardsBrochures/PamphletsTrainingTeam MeetingsFocus GroupsTown MeetingsConference Calls


8/11/2019 2010 05 20 Presentation

47/91

Communication Methods for

New Procure to Pay Procedures


Printed

ProceduresTraining

New Forms

Posters

Focus Groups

Emails

Pamphlets

Newsletter

8/11/2019 2010 05 20 Presentation

48/91

Training MethodsLectures/ClassroomWeb BasedInteractive Web Based

WorkshopsDepartment MeetingsStructured On-The-Job-Training

Multimedia TrainingComputer BasedComputer Assisted Network Discussion Groups


8/11/2019 2010 05 20 Presentation

49/91

Communications, Training, and

Mentoring - ChecklistHave you defined a Communication Strategy and aTraining Strategy for rolling out procedures?Are the procedures New or Updates?What is the Impact Company Wide, Divisional,Regional, or Department Specific?Have you identified Communication and TrainingMethodologies?

What about Timing?Have Mentors or Subject Matter Experts been enlisted?


8/11/2019 2010 05 20 Presentation

50/91


How Well Are Your Procedures

Working?


8/11/2019 2010 05 20 Presentation

51/91

Tips for Implementing a

Statistics and Metrics ProcessMetrics need to be consistently defined.Data should be easily gathered (automated).Data needs to be correct.Trends need to be analyzed.Communicate linkages with performance.

Identify your audience Executive Operational

Define frequency of reporting.Prepare a commentary or narrative.Focus on highlights.Provide graphics.Be prepared to implement an action plan.


8/11/2019 2010 05 20 Presentation

52/91

Sample Procure to Pay Metrics


Cost Per InvoiceDays Payable Outstanding (DPO)

Vendor Payment With ErrorsDuplicate PaymentsNumber of Payments Made Per MonthPercentage Use of Electronic InvoicingPercentage Use of Electronic Payments

Invoices Paid Within Specified TermsPolicies for Taking Vendor DiscountsNumber of PaymentsReduction of Number of PaymentsProcessor Productivity

Percentage of Electronic Invoice ProcessingPercentage of Electronic PaymentProcessingInvoice > Payment Cycle TimeOn Time Payments

Monthly Invoices

Number of voided checksNumber & $ of invoices paid > 60 days,POs created after the factInvoices matched to PO 1st timeNumber of new vendors addedNumber of duplicate vendors and remitscorrectedStratification of non- electronic invoices

Vendor website hits and hot line call stats% of wires and checks.

8/11/2019 2010 05 20 Presentation

53/91

Metrics - ChecklistUse Common Sense and Organizational Sensitivity.Provide regular Feedback.Set clear Goals with Supporting Metrics.

Potential problem areas should not be consideredNegative.Do not focus on Just One Metric.

Define Actionable Plans.Communicate Results.


8/11/2019 2010 05 20 Presentation

54/91


How Can Procedures Improve aDepartment?


8/11/2019 2010 05 20 Presentation

55/91

Business Process

Improvements


1. Establish the difference between perception, intuition and reality.2. Gather all the facts.

3. Identify and verify potential problem areas.4. Validate the process and determine if performance is the issue.5. Document the issue and develop an action plan.6. Provide a baseline for performance improvement.7. Track improvements.8. Decide if a process is stable or predictable

Metrics create a common language to identify areas forBusiness Process Improvements.

8/11/2019 2010 05 20 Presentation

56/91


- ChecklistDetermine if there is a Communication Issuerather than a Business Process Improvementopportunity.

Determine if an Old Form or Procedure is stillbeing used.Is there a Control Issue?Is there need to deliver additional Training?Was the procedure Poorly Written?


8/11/2019 2010 05 20 Presentation

57/91

In Closing, Procedures Can:1. Improve Customer Satisfaction

2. Improve Business Processes3. Reduce Cost and Cycle Time4. Improve Service Levels and Response Times

5. Enhance Quality and Flexibility6. Improve Employee Productivity and Morale7. Standardize and Streamline Business Processes8. Avoid Duplication of Efforts9. Identify Automation Opportunities10. Support Internal Controls and Controls Self Assessment

Initiatives


8/11/2019 2010 05 20 Presentation

58/91


A Sample Procedure

8/11/2019 2010 05 20 Presentation

59/91

Sample Procedure FormatPurposeRevision HistoryPersons Affected (Scope)

PolicyDefinitions

ResponsibilitiesProcedures


8/11/2019 2010 05 20 Presentation

60/91

Sample Procedure


Document Number:Effective Date:Revision Date:Revision Number:Page Number:

Title of Procedure

Approval:

1.0 Purpose : Describes objectives for writing a policy or procedure.

2.0 Revision History : Shows a list of changes to this document.

3.0 Persons Affected : Identifies the user of this document.

4.0 Policy: Indicates the Corporate Policy supported.

5.0 Definitions: Defines forms, key words, and technical terms.

6.0 Responsibilities: Summarize the roles and responsibilities of all individuals supporting the

process represented by the procedure.

7.0 Procedure: Defines and outlines the rules, regulations, methods, timing, place, andpersonnel responsible for accomplishing the policy as stated in the Policy section above.

8/11/2019 2010 05 20 Presentation

61/91

8/11/2019 2010 05 20 Presentation

62/91

8/11/2019 2010 05 20 Presentation

63/91

Sample Procedure (3 of 9)


Document Number: 1000Effective Date: 8/1/05Revision Date:Revision Number: 1.0Page Number: 3 of 9

Ordering Maintenance, Repair, andOperating (MRO) Supplies

Approval: Penny Procurement

Defini tions: (Continued)

5.3 Request for Quotation (RFQ)

Process used by the procurement department to request bids from supplier. Arequest for quotation is a means of inviting bids from prospective suppliers. The RFQis the buyers first official contact with suppliers. The quality and content of the RFQcan determine the outcome of the bidding process because it sets the stage fordiscussions and negotiations.

5.4 Purcha se Order (PO)

A systematic or manual form used by the procurement department to establish alegal contract between the Company and a supplier. The PO is written evidence of acontract between the buyer and supplier for the purchase of supplies and services atan agreed upon price and delivery date. The issuance of the PO is based on formalor informal bids and proposals. The PO should contain general instructions, standardterms and conditions, description of the agreement, and the approval of anauthorized procurement agent.

5.5 Receiver

A manual or systematic form that is used to create a receiving document from anissued PO. The receiver serves as proof of delivery and is the document that recordsthe inspection, acceptance, of goods and services, and the approval for payment.

8/11/2019 2010 05 20 Presentation

64/91



Docum ent Number: 1000Effective Date: 8/1/05Revision Date:Revision Number: 1.0Page Number: 4 of 9

Ordering Maintenance, Repair, andOperating (MRO) Su pplies

Approval: Penny Procu rem ent

Definit ion s: (Continue d)

5.6 Packin g Sh eet (PS) A form a s uppli er use d to acc ompa ny the orde r to theCompany. N ormally, a PS is a two-part, pre-num ber ed form used by a supplier whenfilling the order. This form shoul d accompa ny any items being shipp ed to thecompany from a supplier. All packing she ets must m ake reference to an a uthorizedand issued PO number.

5 Responsibil i t ies:

6.1 The procurement department executive shall ensure compliance to this procedure.

6.2 Requestors are expected to select the most current PR a nd adhere to the guidelinesof this proced ure when reques ting MRO supplies . Requestors will obtain thenecessary approvals.

5.3 The procureme nt assistant will review all incoming PRs to ensure that the PRs arecompleted in accordance with current procureme nt policies and proced ures. Any

discrepancies will be coordinated with the requestor. The procurement assistantforwards all app roved PRs to the procurem ent mana ger for review a nd election of abuyer.

5.4 A procureme nt manager will review the PRs and as sign the approp riate buyer.

5.5 The buyer will revie w the requisition, select at least three sources (supplie rs), solicitbids, review bid packages, s elect a supplier, issue a PO, and mo nitor the receipt o fthe supplies.

8/11/2019 2010 05 20 Presentation

65/91

8/11/2019 2010 05 20 Presentation

66/91






Procedures: (Continued)

Establishing Need: (Continued)

7.1.1 Upon receipt of the appropriate approval, the requestor will forward thePR to the finance department for review of the budget and for approval.

7.1.2 If approved, the requestor will forward the PR to the procurementdepartment systematically.

7.2 Procurement Department Activi ties:

7.2.1 A procurement assistant will review all incoming PRs to ensurecompliance with this procedure. The PR will be reviewed to ensure that

the information in required fields is correct and appropriate approvalshave been obtained.

7.2.2 A procurement manager reviewed PRs and assigned them to theappropriate buyer responsible for the purchase of MRO supplies. Themanager will approve the PR and assign a buyer.

8/11/2019 2010 05 20 Presentation

67/91






Procedures: (Continued)

Procurement Department Activities: (Continued)

7.1.1 The buyer will review the PR and begin the necessary negotiations withselected supplier to find the most competitive bid.

7.1.1.1 At least three suppliers are selected to participate in the biddingprocess. The buyer allows two to three weeks for the supplier tosubmit the bid package.

7.1.1.2 The buyer reviews the submitted bid packages and makes aselection. In some cases, the suppliers will be contacted forfurther discussions about price and services offered.

7.1.1.3 The buyer selects the most appropriate bid based on objectivecriteria. Note: The RFQ or bid process is not necessary for allPRs.

8/11/2019 2010 05 20 Presentation

68/91


Sample Procedure (8 of 9)Document Number: 1000Effective Date: 8/1/0 5Revision Date:Revision Number: 1.0Page Number: 8 of 9

Ordering Maintenance, Repair, andOperat ing (MRO) Sup pl ies

Approval: Penny Procu rem ent

Procedures : (Cont inued)

Procurem ent Depar tment Act iv i t ies : (Cont inue d)

7.1.1 A PO is awarded to the selected supplier. The PO is provided to thesupplier, accounts payables, and the receiving department.

7.1.1.1 The supplier will review the order and acknowledg e receipt to thebuyer.

7.1.1.2 The buyer will re vie w changes recom mende d by the supplier.7.2 Receiving Depar tment Process :

7.2.1 Upon receipt of the PO, the receiving department shall create a receivingdocument or receiver based on the iss ued PO.

7.2.2 Upon receipt of the order from the supplier, the receiving departmentcompares the mate rial received to the packing sheet and the receiver.The receiving information is recorded and any discrepancies are not ed.

7.2.2.1 The buyer receives a manual or system atic copy of the receiver.

7.2.2.2 The accou nts payable department receives a manu al orsystematic copy of the receiver.

7.2.2.3 The receiving departme nt retains a manual or systematic copy ofthe receiver.

8/11/2019 2010 05 20 Presentation

69/91


Sample Procedure (9 of 9)Document Number: 1000Effecti ve Date: 8/1/05Revision Date:

Revision Number: 1.0Page Number: 9 of 9Ordering Maintenance, Repair, andOperating (MRO) Supplies

Approval: Penny Procu rement

Procedures: (Continued )

7.1 Account s Payabl e Process:

7.1.1 The accounts payable department will perform a three-way match of thePO, receiver, and invoice. If the three-way match is successful, thepayment process is initiated.

7.1.2 The payment is provided to the supplier following the terms andconditions of the PO.

7.1.3 Payment information is recorded on the PO.

7.1.4 The accounts payable department ensures that the correct generalledger accounts are recorded.

8/11/2019 2010 05 20 Presentation

70/91


How Did We Do?Overview, Introduction, and Definitions


Communication, Training, and Mentoring


Sample Procedure


How Procedures Add Value CHEC

KLISTS

DISCUSSI

ON

8/11/2019 2010 05 20 Presentation

71/91


Questions?

8/11/2019 2010 05 20 Presentation

72/91


Referenceswww.group.slac.stanford.edu

www.coso.orgwww.sec.gov7 Steps to Better Written Policies and Procedures by Stephen Page,Process Improvement Publishing, Westerville, Ohio, 2004.

Achieving 100 Compliance of Policies and Procedures by Stephen Page,Process Improvement Publishing, Westerville, Ohio, 2004.Best Practices in Policies and Procedures by Stephen Page, ProcessImprovement Publishing, Westerville, Ohio, 2002.

Procedure Writing Principles and Practices by Douglas Wieringa,Christopher Moore, and Valerie Barnes, Battelle Press, Columbus, Ohio,1998.
http://www.group.slac.stanford.edu/http://www.coso.org/http://www.sec.gov/http://www.sec.gov/http://www.coso.org/http://www.group.slac.stanford.edu/

8/11/2019 2010 05 20 Presentation

73/91


Segregation of Duties and

Delegation of Authority

8/11/2019 2010 05 20 Presentation

74/91


Contents

Types of ControlsSegregation of Duties (SoD) Example SoD Policy

Delegation of Authority (DoA)Linkage to Ethics and Tone at the Top

Objectives To Be Addressed

8/11/2019 2010 05 20 Presentation

75/91

5/20/2010

1. What are the most important Control Objectives within theAccounts Payable Cycle?

2. Are your Internal Controls robust enough to detect andprevent disbursement fraud?

Object ves o e dd essed

Today

8/11/2019 2010 05 20 Presentation

76/91

5/20/2010

Types of Controls

Risk ManagementObjective

Control Measure Type of Control

Segregation/ Authorization

Physical and logical access control Audit trails

Preventive Detective

Accuracy Automatic validation Data verification Application change control Audit trails

Preventive Detective or

Corrective Preventive

DetectiveCompleteness Application change control

Record counts Cross-totals Audit trails

preventive detective detective detective

Confidentiality Physical and logical access control Audit trails

Preventive Detective

Audibility Only access production datathrough authorized programs

Audit trails

Preventive

Detective

Continuity/Recovery Backups and recovery plans Corrective

Example of an Accounts Payable

8/11/2019 2010 05 20 Presentation

77/91

5/20/2010

Example of an Accounts Payable

Control Objective and Control Activity

For example, a control objective for an accounts payablefunction might be: Payments are only made to authorizedvendors for goods or services received.

A typical control activity designed to achieve this objectiveis: The accounts payable system compares the purchaseorder, receiving record, and vendor invoice prior to

authorizing payment.

8/11/2019 2010 05 20 Presentation

78/91

5/20/2010

The Key Controls Within the AP Cycle

1) Segregation of Duties (SoD)2) Delegation of Authority (DoA)

Segregation of Duties

8/11/2019 2010 05 20 Presentation

79/91

5/20/2010

Segregation of Duties

(SoD)Concepts

Authorization

Reviewing and Approving transactions

Reconciliation

Assurance that transactions are proper

Record Keeping

Creating and Maintaining records

Asset Custody

Access to and/or control of assets

Examples of SoD Conflicts

Authorizing purchases and receiving goods purchasedfrom the transaction

Ability to modify an evaluated-receipts contract andreceive against a PO

Setting up a vendor in A/P and executing the payments

More Segregation of Duties

8/11/2019 2010 05 20 Presentation

80/91

5/20/2010

g g

(SoD) ConceptsConflict Types

In the context of information systems security, there are two types of SoD conflicts. We examined both typesof conflicts during our review. These are:

Conflicts that arise from a security object (profile/role/class/etc.) being defined with excessive,conflicting privileges (intra-conflicts)

Conflicts that arise from multiple security profiles/roles/classes being assigned to a user account suchthat the cumulative privileges of the user are excessive and conflicting (extra-conflicts)

Intra-Conflicts Extra-Conflicts

User SecurityObject

Privilege

PrivilegeUser

SecurityObject Privilege

SecurityObject Privilege

The conflicting privileges introduce risk whenassigned to a user through a single security

object .

The conflicting privileges introduce risk whenassigned to a user through multiple securityobjects.

8/11/2019 2010 05 20 Presentation

81/91

More on Delegation of

8/11/2019 2010 05 20 Presentation

82/91

5/20/2010


Authority (DoA)Certain types and levels of expenditures will require BOD approval.

Example: M&A, CAPEX >$25M

BoD approvals are documented in BoD meeting minutes.

Out of office delegations should be maintained systemically via email or bythe appropriate delegation form.

Important: Always maintain an audit trail.

Permanent authority is often granted to the next level down within anorganization.


8/11/2019 2010 05 20 Presentation

83/91

5/20/2010


Authority (DoA)The delegation of authority control is a company wide policy

that establishes signing authorities by level or position withinthe organization. The best way to implement this control issystematically. Officers and employees who delegate theirauthority remain responsible for monitoring and reviewingthe actions of those to whom authority has been granted.Utmost care should be exercised in the selection ofdesignees and the documentation, notification, and timelyrescission of authority. Officers and employees are usuallypermitted to delegate their responsibilities and authorities toemployees who report directly to them.


8/11/2019 2010 05 20 Presentation

84/91

5/20/2010


Authority (DoA)Delegation of authority is an excellent preventative controlfor internal, external, and conspiracy or collusion fraud sinceproper signing authorization process should be in place.

In fact, some organizations have taken the delegation ofauthority control a step further and have incorporatedsegregation of duties controls. Having a finance manager

approve an expenditure of a certain dollar amount with theoperational manager evidences this process. The process isreferred to as the double key method.

Societe General Case Study

8/11/2019 2010 05 20 Presentation

85/91

5/20/2010

Societe General Case Study

$7.1BThe fraud, perpetrated by a 31-year-old trader, was not a simple case ofcomputer security fraud. Though the perpetrator, Jerome Kerviel, didmanage to manipulate the banks computer systems to conceal hisfraudulent trades, his crimes were not , as some early reports suggested,the product of hacking or other system breach. Rather, according to thebank itself, Kerviel stole computer passwords and faked documents togain access to the computer trading system for which he lackedauthorization.

More importantly, to prevent his supervisors from detecting his high-stakes trades, he systematically erased them before the compliancechecks took place and simply created new ones immediately afterwards.

Ho Does Ethics Impact An Internal

8/11/2019 2010 05 20 Presentation

86/91

5/20/2010

Ethics and Code of Conduct set the foundation for aninternal Controls Program.

The Integrity of a company is established by the Tone atthe Top.

Tone at the Top directs how Employees, Shareholders,

and Stakeholders of a Company will behave.

How Does Ethics Impact An Internal

Controls Program?

The Definition of Tone at the

8/11/2019 2010 05 20 Presentation

87/91

5/20/2010

The values and principles that define the organizationsculture are a direct product of its leaders.

In other words, setting the tone of the companys cultureis how top management conveys to the entire workforcethe level of integrity it expects from everyone.

The Definition of Tone at the

Top..

What happens when Tone at the Top

8/11/2019 2010 05 20 Presentation

88/91

5/20/2010

Insider or related-party dealings, override of internal controls,and favorable key-employee treatment are just three examplesof management looking out for managementwhereby the

ethical tone of the companys culture is set at a dismally lowlevel.

is not working?

Business Strategy, Inc.

8/11/2019 2010 05 20 Presentation

89/91

5/20/2010

Business Strategy, Inc.

Partnerships
http://www.fujitsu.com/us/http://www.kofax.com/http://www.microsoft.com/en/us/default.aspx/http://www.onbase.com/http://www.premierinc.com/http://www.amerinet-gpo1.com/amerinet.aspxhttp://www.vha.com/portal/server.pthttp://www.dmainc.com/

8/11/2019 2010 05 20 Presentation

90/91


Questions?

8/11/2019 2010 05 20 Presentation

91/91

Documents

2010 05 20 Presentation