This chapter from Governance, Risk, and Compliance Handbook, edited by Anthony Tarantino, provides an overview of best practices for financial internal controls. It covers COSO II guidance, automation of controls, and other primary considerations. It also discusses how to achieve ROI on compliance investments.
Page count: 46
Year of publication: 2010
Contents
Cover
Title Page
Copyright
Chapter 22: Financial Internal Controls Best Practices
22.1 OVERVIEW
22.2 COSO II
22.3 AUTOMATION OF CONTROLS
22.4 TYPES OF AUTOMATED CONTROLS
22.5 PRIMARY FINANCIAL CONTROL CONSIDERATIONS
22.6 COMBINING COMPLIANCE AND OPERATIONAL REQUIREMENTS TO ACHIEVE AN ROI ON COMPLIANCE EXPENDITURE
22.7 FURTHER CONSIDERATIONS
22.8 CONCLUSION
Notes
Copyright © 2008 by John Wiley & Sons, Inc. All rights reserved.
Disclaimer: This content is excerpted from Governance, Risk, and Compliance Handbook, by Anthony Tarantino (9780470095898, February 2008), with permission from the publisher John Wiley & Sons. You may not make any other use, or authorize others to make any other use of this excerpt, in any print or non-print format, including electronic or multimedia.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
Derived from Tarantino, Anthony. Governance, Risk, and Compliance Handbook. Hoboken, NJ: John Wiley & Sons, Inc., 2008. 9780470095898; 972 pp.
978-0-470-90967-6
978-0-470-90966-9
CHAPTER 22
FINANCIAL INTERNAL CONTROLS BEST PRACTICES
Ian Rodgers
22.1 OVERVIEW
(a) Controls over Planning and Budgeting
(b) Controls over Operational Risk
(c) Controls over Financial Statement Risk
(d) Compliance-Related Controls
(e) The Audit Imperative
(f) Remediation
(g) Enterprise Risk Management, COSO ERM
22.2 COSO II
(a) Assessment of Controls
(i) Design Effectiveness and Operational Effectiveness
(ii) Scoping of the Audit Requirement
(iii) Materiality
(iv) Relevance
(v) Top-Down Approach to Controls Assessment
22.3 AUTOMATION OF CONTROLS
(a) Prevention versus Detection
(b) Field-Level Audit
22.4 TYPES OF AUTOMATED CONTROLS
(a) Access Controls
(b) Process Controls
(c) Continuous Monitoring
(i) Control Areas
(d) Transaction Controls
(e) Master Data Controls
(f) System Configuration Controls
(i) Accounting, Consolidation, and Financial Reporting Controls
(ii) Subsidiary Ledger Controls
22.5 PRIMARY FINANCIAL CONTROL CONSIDERATIONS
(a) Revenue Cycle
(b) Procurement Cycle
(c) Intangibles
(d) Property, Plant, and Equipment Cycle
(e) Inventory/Production Cycle
(f) HR/Payroll Cycle
(g) Equity Cycle
(h) Financial Close and Reporting Cycle
(i) Tax Cycle
(j) Legal Cycle
22.6 COMBINING COMPLIANCE AND OPERATIONAL REQUIREMENTS TO ACHIEVE AN ROI ON COMPLIANCE EXPENDITURE
(a) Practical Considerations
22.7 FURTHER CONSIDERATIONS
(a) Company-Level Controls and the Control Environment
(b) International Considerations
(c) COBIT
22.8 CONCLUSION
NOTES
22.1 OVERVIEW
In its pure essence, a business exists to generate profits. The accounting and financial reporting disciplines within it allow the owners of the business and potential investors to value the business by inspecting those profits and evaluating the costs incurred in generating them. The business operations and risk management functions ensure that the firm conducts its processes in the most efficient and cost-effective manner. Without the assurances provided by internal controls over financial reporting, this assessment of profitability would be impossible. Without controls over operational risk management, that same investor has no assurance that this performance is sustainable. Finally, that same business has a legal and social responsibility to conduct its operations in a manner that conforms to generally accepted accounting principles (GAAP) and the various other prescribed regulatory constraints. Compliance-related controls enforce these rules.
As discussed in earlier chapters of this volume, therefore, an Enterprise Risk Management (ERM) model must address the enterprise's objectives with the following categories of control objectives:
Planning—high-level planning, resource allocation, and budgeting
Operational risk—day-to-day activities
Financial reporting risk—presentation of financial results
Compliance risk—adherence to statutory requirements of all jurisdictions within which the company does business
Put simply, the internal controls in each area ensure that the business is being run in accordance with the overall plan, that the financial statements and management reporting present an accurate view of the operations, and that all activities (including reporting) that are covered by statutory regulations are being carried out within the constraints of those regulations.
Let us take for example a major sales transaction (say 20 percent of sales for the quarter) that is intentionally counted twice in order to boost apparent profits, or a significant cost that is counted twice, thereby reducing apparent profits. (If the main criterion for the deception or error is to boost or reduce the level of taxable income, the same violations might be committed in reverse.)
It would be reasonable to expect that effective internal controls would either prevent such a transaction from being booked a second time or detect that the duplication has happened.