Saturday, August 28, 2010

What is IT Audit?

An IT audit is different from a financial statement audit. While a financial audit's purpose is to evaluate whether an organization is adhering to standard accounting practices, the purpose of an IT audit is to evaluate the design and effectiveness of the system's internal controls. This includes, but is not limited to, efficiency and security protocols, development processes, and IT governance or oversight. The goal is to evaluate the organization's ability to protect its information assets and properly dispense information to authorized parties. The IT audit's agenda may be summarized by the following questions:

Will the organization's computer systems be available for the business at all times when required? (Availability)
Will the information in the systems be disclosed only to authorized users? (Confidentiality)
Will the information provided by the system always be accurate, reliable, and timely? (Integrity)

The IT audit focuses on determining the risks that are relevant to information assets, and on assessing the controls in place to reduce or mitigate those risks. Implementing controls minimizes the effect of risks, but it cannot completely eliminate them.


Sunday, August 22, 2010

Types of SAS-70 Auditing

Types of SAS 70 Audit: Type I and Type II

Type I Audit: A Type I report includes an opinion on the presentation of the service organization's description of the controls that have been placed in operation, and on the suitability of the design of those controls to achieve the specified control objectives.

Type II Audit: A Type II report is the more thorough SAS 70 report, because it contains both a description of the controls in place and a description of the auditor's tests of the operating effectiveness of those controls over a minimum testing period (usually six months).

Type II testing adds a longer period of testing and observation. It is more common and is often the preferred choice of SAS 70 audit, because it is a comprehensive analysis not only of what controls are in place, but of how effective those controls are in meeting the control objectives.

Analysis of CISA Salary

Want more money for your information security skills? Try getting a professional certification. For all the continuing debate about the real value of IT certification programs, the premiums that companies are willing to pay for certified information security professionals are actually trending upwards.

A report released last week by New Canaan, Conn.-based Foote Partners LLC shows that formally certified security professionals on average are still commanding about 10% to 15% higher salaries than noncertified individuals in comparable roles. The numbers were marginally higher than the premiums offered for certified security professionals six months ago. Among the certification programs commanding the highest premiums were Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM).


In contrast, the premiums being offered for individuals with professional certifications in other IT areas fell by about 2% over the past year, according to the Foote report. The analysis was based on salary data from 33,800 U.S. and Canadian IT professionals.


"Security certifications bucked the overall trend by growing in value from October to April, up an average of 1.7 percent across the entire group of twenty-seven security certifications that we survey," the report said. "This is a very important development, because salaries as well as skills pay for IT security professionals stopped growing and in some cases declined a few years ago following what had been a strong wave of hiring in the wake of Patriot Act, Homeland Security Act, and Sarbanes-Oxley Act legislation," the Foote report said.

That trend has begun reversing itself as demand for qualified security professionals has begun to steadily grow recently, said David Foote, CEO of Foote Partners, in an interview with Computerworld. High-profile breaches, such as the one at TJX earlier this year, have made company executives increasingly nervous about the impact of security breaches on their customer bases, Foote said. As a result many have begun to ramp up their security efforts, resulting in an overall increase in demand for qualified security professionals to their highest levels after 9/11, he said.

This trend in IT security certifications pay is an indication that, finally, there is something other than government regulation that is driving business leaders to invest more in security, Foote said. "The trend is not being driven by compliance and regulations. It is being driven by people saying customers are demanding more security," from the companies they do business with, Foote said.

Also pushing up the premiums for security certification is a new Department of Defense directive which requires over 100,000 security professionals in certain specific job roles to be certified within a five-year period, Foote said. The directive affects full- or part-time military service members, contractors, or those with privileged access to DOD information systems who are performing information assurance functions.

The two trends are creating a "perfect storm" in terms of pushing up premiums for IT security certifications at a time when other certification programs are commanding lower premiums than they used to, he added.

Wednesday, August 11, 2010

Best Practices & Controls - Accounts Receivables - 2

Receivables Monitoring (contd.)

CO: The receivables from the customer are managed within the Company's norms.
RS: Information on receivables is not available.
CN: An age analysis report of receivables is generated by each Unit and forwarded to the Unit Coordinators.
Days Sales Outstanding (DSO) is presented and discussed in the Monthly Sales Meeting.

CO: Timely collection of accounts receivable is monitored.
RS: Doubtful accounts have not been appropriately identified and considered.
CN: Accounts receivable aging reports are prepared regularly and analyzed by management.
Customer open items reports are prepared and analyzed by management.
 
6. Collections

a. CO: Cash receipts are accurately recorded.
RS: The amount of cash receipts is inaccurately recorded.
CN: The Accounts Manager approves the amount recorded on review.
 
b. CO: Cash receipts are accurately recorded.
RS: Cash receipts are recorded in the improper period.
CN: The Accounts Manager approves the amount recorded.
Cut-off procedures and close procedures are implemented.
 
c. CO: Cash receipts are accurately recorded.
RS: The entity's recorded bank balances and activity are inconsistent with those reported by the bank.
CN: Recorded balances and activity are regularly reconciled with the balances and activity reported by the entity's banks.
 
d. CO: Cash receipts are accurately recorded.
RS: Inappropriate access to receive and record cash receipts.
CN: Access levels are pre-defined based on clear job responsibility.
 
e. CO: Cash receipts are accurately recorded.
RS: Cash receipts are not protected before they are deposited.
CN: Cash receipts are stored in a manner which protects them from physical destruction or manipulation. Backups of cash receipts are made.
 
f. CO: Cash receipts are recorded in the period in which they are received.
RS: Cash receipts are not recorded in the period in which they are received.
CN: Cash sales are recorded using a cash register. Customers are provided with a copy of the register receipt, and total daily receipts per the register are balanced to the cash deposited in the bank.

g. CO: Cash receipts are accurately recorded.
RS: Cash receipts are not accurately calculated and recorded.
CN: Available cash discounts are automatically calculated by the application system, using standard programmed algorithms and established terms of sale.
Cash receipts should be issued in duplicate, and a sign-off from the recipient should be obtained.
 
h. CO: Cash receipts are accurately recorded.
RS: Cash receipts do not relate to sales and/or are not recorded against the correct customer or invoice.
CN: Subsidiary ledger accounts receivable and sales ledger balances are reconciled to general ledger balances or other control totals on a regularly scheduled basis.
 
i. CO: Cheques received are deposited promptly.
RS: Cheques and drafts may not be deposited immediately on receipt.
CN: Cheques and drafts received are recorded in the collection register and deposited in the bank the following day.
The deposit slip is reconciled with the day's collection register.
 
j. CO: Cheques received are credited to the Company's bank account on time.
RS: Cheques deposited may not be credited on time.
CN: The AR Team verifies the daily transaction report of the bank to ensure all cheques deposited are credited on time.
 
k. CO: Timely accounting of sales realizations.
RS: Sales realizations may not be accounted for on a timely basis.
CN: Sales collections are accounted for in the accounting system on receipt of the credit in the bank account, based on the daily transaction report.
 
l. CO: Export realizations are collected and accounted for on time.
RS: Export realizations may not be accounted for immediately, resulting in an overstatement of debtors.
CN: The AR Team sends the documents to the bank for collection through the banking channel. The Executive - AR maintains an Excel control sheet to ensure that the documents are sent to the bank on the due date.
Based on the Excel control sheet, the AR Team monitors receipt of the credit in the bank on a timely basis.
Foreign exchange realizations are accounted for on receipt of the bank advice.
 
7. Sales Returns

a. CO: Sales returns are authorized and recorded.
RS: Acceptance of returned goods may not be authorized.
CN: Customers are instructed to obtain authorization from responsible management prior to returning goods (i.e. an RGA number) and to affix the RGA number to the packing slip.
Returned goods authorizations are matched to incoming goods prior to acceptance.
 
b. CO: Sales returns are authorized and recorded.
RS: Returned goods transactions may not be recorded, or may not be recorded in a timely manner.
CN: Authorizations for goods returned are matched with receiving reports and are numerically or otherwise controlled in a manner that ensures all sales returns activity has been recorded.
Returned goods are booked in the general ledger upon receipt.
Returned goods are periodically compared to their related general ledger account balance.

c. CO: Sales returns are authorized and recorded.
RS: Returned goods may be mishandled, misappropriated, or damaged.
CN: Returned goods are physically segregated upon receipt (i.e. a returned goods area for product inspection). Further, free issues are made against the returned goods received back in the office (the issue of a credit note should be avoided where possible).
Access to returned goods is restricted to authorized personnel.
Returned goods are adequately protected from adverse environments (i.e. returned goods will not be mistakenly stocked into inventory).

8. Credit/Debit Notes

a. CO: To ensure that credit notes are raised after the necessary approval.
RS: Unauthorised discounts may be passed on to the customer.
CN: Customer eligibility for a discount, and the discount percentage, are decided by a Committee.

b. CO: To ensure adequate approval for credit/debit notes raised.
RS: Credit/debit notes may not be adequately authorized.
CN: All credit/debit notes are reviewed by the respective Account Managers and approved by the Head of Accounts.
 
c. CO: Credit notes and adjustments to accounts receivable are accurately calculated and recorded.
RS: Credit notes and adjustments to accounts receivable are not accurately calculated and recorded.
CN:
1. Management approves credit notes, bad-debt write-offs, and other adjustments to accounts receivable.
2. Management monitors the nature, volume and amount of recorded credit notes, write-offs, and other adjustments to accounts receivable.
3. All returned goods are logged when received. The log details items such as customers, goods, defects, inspections and assessment by quality control. Return details per the log are compared to credit notes issued to ensure that credit is issued in the correct period and in accordance with company policy.
 
d. CO: Credit notes issued are recorded in the appropriate period.
RS:
1. Goods returned by customers are not recorded in the appropriate period.
2. Credit notes issued are recorded in the wrong period, resulting in misstated receivables.
CN: Goods returned by customers at, before, or after the end of an accounting period are scrutinized and/or reconciled to ensure complete and consistent recording in the appropriate accounting period.
 
9. Bad Debt Provision & Write-off

a. CO: Bad debts are analyzed, minimized and approved.
RS: Bad debts may not be recognized.
CN:
1. A review of the debtor balances and their recoverability is done on a monthly basis by the accounts department and the related Account Managers.
2. A policy should be laid down by the company describing the period after which a debt should be recognized as bad.
3. Any amount not recoverable as per such policy is transferred to bad debts, which is authorized by the Head of Accounts.
 
b. CO: Bad debts are analyzed, minimized and approved.
RS: Bad debts are not formally approved and analyzed.
CN:
1. The request for bad debts is prepared by the Sales Team and signed by the concerned Sales Manager on review.
2. The reason/justification for the bad debt is recorded and documented on the request.
3. The request for bad debts should be approved as per the Delegation of Authority Matrix.
4. A copy of the approved request is sent to the Accounts Department to ensure adjustments in the books of accounts.
 
c. CO: Bad debts are analyzed, minimized and approved.
RS: Account write-offs may be unauthorized or improper.
CN: The controller's approval is required for all write-offs of uncollectible receivables, and the write-off for uncollectibility is made against the reserve for bad debts.
Accounts written off are periodically reviewed for subsequent collectibility.
 
d. CO: The bad debt provision is adequate.
RS: The provision for uncollectible accounts receivable may be inappropriate.
CN:
1. Specific criteria are used in determining the appropriate level of the bad debt reserve (historical trends, specific problems, industry experience, etc.).
2. Accounts receivable are aged and reviewed by Accounting personnel on a regular basis (i.e., independent of Credit). Overdue accounts are promptly investigated.
3. The adequacy of the bad debt reserve is analyzed at least quarterly and reviewed by management.
 
e. CO: Account write-offs are approved by appropriate management.
RS: Accounts may be inappropriately written off.
CN:
1. Accounts and notes receivable, disputed items, bad debts written off and recoveries of bad debts are reviewed by appropriate management.
2. Reports of all provisions and write-offs are reviewed by an appropriate independent employee.
3. Access to effect write-offs of customer accounts is appropriately restricted to authorized personnel.
 
10. Revenue Recognition

a. CO: Corporate Accounting Policies & Procedures for revenue recognition are adhered to.
RS: Revenue may not be recognized in accordance with Corporate Accounting Policies/Procedures.
CN: Detailed policies and procedures exist governing the recognition of revenue, include reference to Indian GAAP, and are updated on a timely basis and distributed.
 
b. CO: New product introduction - incentives are appropriately considered for revenue recognition implications.
RS: Incentives provided for new product introductions are not appropriately considered for revenue recognition implications.
Unusual transactions and/or new contracts may not be reviewed for revenue recognition implications.
CN: Procedures exist to ensure review and approval of new or modified sales terms and contracts by commercial, accounting and legal personnel.
New contracts and/or unusual transactions are reviewed by Finance for appropriate accounting treatment. A process should exist to generate an exception report of unusual transactions.
 
c. CO: The sales returns provision is recorded in accordance with the provisions of Indian GAAP.
RS: A provision for sales returns may not be appropriately calculated and recorded.
CN: A reserve for sales returns is recorded in accordance with Corporate Policy.
Reserve calculations are reviewed and approved by appropriate individuals on a periodic basis using up-to-date information.
 
d. CO: Promotional/sales incentive programs are approved by Management and reviewed by Finance for revenue recognition implications.
RS: Incentives provided for new product introductions are not appropriately considered for revenue recognition implications.
CN: Promotional programs are reviewed and approved by appropriate senior financial, marketing and general management, based on designated authority levels, prior to implementation (the amount approved is based on the total financial impact of discounts, extension offers, etc.).
 
e. CO: Revenue is only recognized once title and risk of loss have been transferred to the customer.
RS: Revenue may be recognized before title and risk of loss have transferred to the customer.
CN: Shipping terms are clearly defined (typically FOB Destination or FOB Shipping Point).
Management has reviewed sales contracts (terms & conditions) to determine when title and risk of loss transfer, and revenue is not recognized until the risks and rewards are transferred.
 
f. CO: Other income is properly recorded and classified.
RS: Gains on sales of assets, or up-front payments received from distributors, may be incorrectly recognized and classified.
CN: Procedures exist to record gains on sales of assets, net of the asset book value, in "Other Income".
Procedures exist to record up-front payments received as part of distributor agreements as "Other Income" over the life of the contract.
 
g. CO: Revenue is only recognized for sales on credit when collectibility is reasonably assured.
RS: Revenue may be recognized when collectibility is not reasonably assured.
CN: Procedures exist for credit & collections personnel to identify customers in bankruptcy and inform Finance. The recognition of revenue is deferred until the goods are paid for or collection is otherwise reasonably assured.
 
h. CO: Sales are periodically evaluated to determine whether they should be accounted for as consignment sales.
RS: Sales which represent consignment sales may be improperly recognized as revenue.
CN: An analysis is periodically performed by the appropriate authority to determine whether sales should be accounted for under the consignment method. Circumstances which should be evaluated include: shipments that were a result of incentives; shipments that would cause excess inventory levels relative to the wholesaler's ordinary-course-of-business inventory level; cases where the Company would extend incentives based on levels of excess inventory in connection with future purchases; and cases where incentives would cover substantially all of, and vary directly with, the wholesaler's cost of carrying inventory in excess of its ordinary-course-of-business inventory level.

Best Practices & Controls - Accounts Receivables

For all:

In this topic I will try to list the basic Control Objectives (CO), Risks (RS) and Controls (CN) under an Accounts Receivables function/process.

Do share your views also.

1. Customer Master Database Maintenance

a. CO: User access to the database is appropriately restricted.
RS: Unauthorized access or changes to financial and operational data.
CN: Access to the database is administered by the Database Administration group. Forms are required, with approvals from the individual's manager and the owner of the data.


b. CO: Changes in the database are approved and input completely and accurately.
RS: Unauthorized changes to the financial and operational data.
CN: An appropriate official approves changes made to data, prior to input. Each change must be supported by sufficient documentation.
A one-to-one check of changes to the data is performed by comparing post-input/update reports to the change source documents for completeness and accuracy. Discrepancies are resolved, and the re-entered data is subject to the same control.
For changes to certain types of critical data, or changes outside certain parameters, the system produces a report of these changes that is forwarded to management for review. Acceptance of these changes by the system is dependent upon management's review of the supporting documentation and approval.



c. CO: Adequate segregation of duties is maintained.
RS: Unauthorized changes to the financial and operational data.
CN: Segregation of duties is to be maintained between the updating of data and the maintenance of data. Exceptions noted are to be investigated and resolved.

d. CO: Data is kept current and updated.
RS: Incorrect processing of transactions.
CN: A system-generated report detailing records not accessed over a period is to be reviewed periodically by the Database Administrator in consultation with the Process Owner.

2. Credit Policy & Credit Control

a. CO: A Credit Policy is in place for all customers, based on various financial and non-financial factors.
RS: Credit Policy not defined for various customers.
CN: A Credit Policy is in place for all customers. The policy defines the credit period and payment terms for all domestic and international customers.

b. CO: The Credit Policy is approved.
RS: The Credit Policy is not approved as per the Delegation of Power.
CN: The Credit Policy is approved as per the Delegation of Power.

c. CO: Credit limit revisions and extensions are approved.
RS: Unapproved credit limits result in bad debts or delays in collection.
CN: Credit limits shall be unfrozen as per the Delegation of Authority Matrix. Any extension of the credit period is approved as per the Delegation of Authority Matrix.
 
3. Sales Order Generation

a. CO: Customer orders received are duly acknowledged.
RS: Non-acknowledgment of receipt of a customer order may result in an unsatisfied customer.
CN: Acknowledgment of receipt of the customer order is to be sent immediately by the Sales Manager on receiving the Customer Order.

b. CO: The delivery schedule is finalized and communicated to the customer on a timely basis.
RS: Non-confirmation of the delivery schedule (dispatches) to the customer may result in cancellation of the sales order.
CN: The delivery schedule is to be confirmed by the Sales Manager within XX days of receipt of the Customer Order by the Sales Team.
 
c. CO: The Customer Order is entered completely and accurately. Sales terms and prices are approved.
RS: The products, quantity, selling price, payment terms or shipping address included in the Customer Order are incorrectly entered in the system.
CN: Sales Orders generated from the system are reviewed for price, quantity and billing/delivery address by the Sales Team and Sales Head against the Customer Order and the Approved Price List.
Further, sales orders over a set threshold require approval by management as per the SOA before acceptance by the system. In the absence of an approval, a suspense file is created that is reviewed by management for clearance on a regular basis. (This additional control ensures that sales orders above a specified value are input correctly and accurately.)
d. CO: The Customer Order is entered completely and accurately. Sales terms and prices are approved.
RS: A single customer order may be entered in the system multiple times.
CN: Edit checks exist within the system that reject the input of a customer order number that was already entered.
Rejects are placed into a suspense file where they are researched, reviewed and re-entered (if necessary) on a timely basis.
CO: Customer Orders with cash terms are accurately processed.
RS: A Customer Order may be processed without the receipt of cash.
CN: The Sales Team reviews the cash receipt before approving processing of the Customer Order.
a) In a manual system, cash payment orders are reconciled with payments received on a regular basis. Management reviews and investigates unrecognized differences that exceed the acceptable cash payment cycle deviation.
b) In an automated system, no invoice or dispatch document should be issued from the system without generation of a Cash Receipt; any deviation is escalated for approval as per the SOA.
 
e. CO: Customers' credit limits are controlled.
RS: A Sales Order is processed for customers not entitled to a credit limit, or who have exceeded their limits.
CN: Credit limits are established as part of accepting new customers.
a) In a manual system, the sales orders and outstanding receivables are compared to the established credit limit before a new order is processed. Orders in excess of the credit limit are stored in a suspense file to be resolved on a timely basis.
b) In an automated system, invoice and dispatch documents should not be generated where the sale value exceeds the credit limit. Any deviation is to be approved as per the SOA.
 
f. CO: Sales to fictitious customers (on credit) are prevented and detected.
RS: An order is processed for a customer outside the Database.
CN: The system does not accept Sales Order entry relating to a customer who does not appear in the Database.
Rejects are placed into a suspense file where they are researched, reviewed and re-entered (if necessary) on a timely basis.
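The edit checks described in the sales order items above (reject a customer order number that was already entered, reject an order for a customer who is not in the master database, hold a cash-terms order that has no cash receipt, and hold an order that would push outstanding receivables over the credit limit) can be implemented as a single gate in front of order acceptance, with a suspense list instead of silent rejection. The following Python example is added here and is not code from the post; the customer master, the outstanding balances, the order batch and the field names are all constructed for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional, Tuple

# Constructed customer master for the example (not from the post).
# "terms" is "credit" or "cash"; credit_limit is the approved limit.
CUSTOMER_MASTER = {
    "C001": {"name": "Acme Traders", "credit_limit": Decimal("50000"), "terms": "credit"},
    "C002": {"name": "Bharat Retail", "credit_limit": Decimal("10000"), "terms": "credit"},
    "C003": {"name": "Cash Counter", "credit_limit": Decimal("0"), "terms": "cash"},
}

# Constructed open receivables per customer (invoices not yet paid).
OUTSTANDING = {"C001": Decimal("45000"), "C002": Decimal("2000"), "C003": Decimal("0")}


@dataclass
class SalesOrder:
    order_no: str
    customer_id: str
    amount: Decimal
    cash_receipt_no: Optional[str] = None  # required for cash-terms customers


@dataclass
class GateResult:
    accepted: List[str] = field(default_factory=list)
    suspense: List[Tuple[str, str]] = field(default_factory=list)  # (order_no, reason)


def gate_orders(orders, master=CUSTOMER_MASTER, outstanding=OUTSTANDING):
    """Apply the input edit checks to a batch of sales orders.

    Orders that fail a check are not dropped: they go to a suspense list
    with the reason, so they can be researched and re-entered if needed.
    """
    result = GateResult()
    seen_order_numbers = set()
    # Running exposure per customer: open receivables plus orders accepted in this batch.
    exposure = dict(outstanding)

    for o in orders:
        # Edit check: a customer order number already entered is rejected.
        if o.order_no in seen_order_numbers:
            result.suspense.append((o.order_no, "duplicate order number"))
            continue
        seen_order_numbers.add(o.order_no)

        # Edit check: the customer must exist in the master database.
        cust = master.get(o.customer_id)
        if cust is None:
            result.suspense.append((o.order_no, "customer not in master database"))
            continue

        if cust["terms"] == "cash":
            # Cash-terms order: no processing without a cash receipt reference.
            if not o.cash_receipt_no:
                result.suspense.append((o.order_no, "cash-terms order without cash receipt"))
                continue
        else:
            # Credit check: outstanding receivables plus this order against the limit.
            current = exposure.get(o.customer_id, Decimal("0"))
            if current + o.amount > cust["credit_limit"]:
                result.suspense.append((o.order_no, "credit limit exceeded"))
                continue
            exposure[o.customer_id] = current + o.amount

        result.accepted.append(o.order_no)
    return result


# Constructed batch of orders that exercises each check once.
SAMPLE_ORDERS = [
    SalesOrder("SO-1001", "C001", Decimal("4000")),            # within limit (45000 + 4000)
    SalesOrder("SO-1002", "C001", Decimal("2000")),            # would take C001 to 51000
    SalesOrder("SO-1003", "C999", Decimal("100")),             # unknown customer
    SalesOrder("SO-1001", "C002", Decimal("500")),             # duplicate order number
    SalesOrder("SO-1004", "C003", Decimal("300")),             # cash terms, no receipt
    SalesOrder("SO-1005", "C003", Decimal("300"), "CR-0077"),  # cash terms, receipt present
    SalesOrder("SO-1006", "C002", Decimal("7000")),            # within limit (2000 + 7000)
]

if __name__ == "__main__":
    res = gate_orders(SAMPLE_ORDERS)
    print("accepted:", res.accepted)
    for order_no, reason in res.suspense:
        print(f"suspense: {order_no}: {reason}")
```

The gate copies the outstanding balances before it starts, so an accepted order raises the running exposure for the rest of the batch without mutating the ledger figures it was given; the suspense list preserves input order, which is what a reviewer clearing it wants to see.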

g. CO: Only appropriate users can enter Sales Orders.
RS: Inappropriate access to Sales Order systems.
CN: Access levels are pre-defined based on clear job responsibility.
Independent periodic review by management of "Access Level Rights".
 
h. CO: All valid orders are processed and recorded.
RS: Back orders are not fulfilled.
CN: Policy and procedures are in place to log, track and monitor back orders.
Sales orders are pre-numbered, and the sequential order is monitored by the Sales Team.
 
i. CO: Cancellations of orders are processed and recorded.
RS: Cancellations of orders are input inaccurately.
CN: Cancellation data is matched to the original order and approved by the Sales Head.
 
3. Invoice Generation and Dispatch

a. CO: Deliveries are recorded in the proper period.
RS: Backlog orders are not properly monitored.
CN: Unfulfilled orders are monitored on a regular basis by the Sales Executive.
 
b. CO: Deliveries are recorded accurately and completely.
RS: Inventory is incorrectly recorded.
CN: The shipping system automatically generates work orders or inventory "pick" documents based on feeds from the sales order system. Edit checks against the sales order system ensure that these documents are complete and accurate.
The work orders or inventory "pick" documents are sequentially numbered and accounted for. A manual or system check is performed to ensure that the numerical sequence of these documents is maintained. All rejected, suspense, or missing items are researched, corrected and re-entered on a timely basis.


c. CO: Sales are recorded in the proper period.
RS: Deliveries are recorded prematurely or in the incorrect period.
CN: Upon transfer of the shipment to the carrier, the shipping document is noted as "released/shipped" in the shipping system. This notation includes the date and time of release.
The system should also not allow the predating of shipping documents. (Note: all shipments are FOB shipping point.)
Further, periodic physical verification must be undertaken by a team independent of sales, dispatch and shipping to reconcile physical stock with system stock.
 
d. CO: Sales are recorded in the proper period.
RS: Delivery is made in an improper reporting period.
CN: Deliveries during the period are reconciled to sales on a regular and frequent basis by a team independent of sales, dispatch and shipping, to ensure that sales revenue is recognized in the proper period.
 
e. CO: All work orders or shipments of goods are input for processing.
RS: Work orders are incomplete or missing.
CN: On a daily basis, a system report of all open work orders or inventory "pick" documents is provided to the shipping department manager. All items are investigated and resolved as appropriate.
 
f. CO: Postings made to cost of sales and/or inventory in the general ledger are correct.
RS: Incorrect posting of COGS and inventory.
CN: Based on the date and time of shipping, the shipping system updates the inventory/COGS accounting records based on the quantities shipped (partial shipment of orders is permitted). If a partial order is shipped, the remaining items are held in the shipping system as open work orders or inventory "pick" documents.
 
g. CO: Only appropriate users can enter delivery of goods.
RS: Inappropriate access to delivery systems.
CN: Access levels are pre-defined based on clear job responsibility.
Independent review by management should also be done.
 
h. CO: A sales invoice is generated for every approved shipment and recorded in the proper period.
RS: Shipments may not be billed, or may not be billed on time.
CN: Upon approved release of a shipment from the warehouse, the system automatically produces an invoice with the same date. Shipping dates cannot be modified without approval by the appropriate levels of management.
Invoices are sequentially pre-numbered and accounted for. A check is performed to ensure documents are not missing or duplicated and do not fall outside a specified range of numbers.
All rejected, suspense, or missing items are researched, corrected and re-entered on a timely basis.
 
j. CO: Invoices generated represent the actual goods shipped.
RS: Billings may be inaccurate or incomplete.
CN: A team independent of sales, dispatch and shipping reconciles the invoices generated for the day with the total shipments per the shipping system. A check is performed to ensure data is not duplicated and does not fall outside a specified range of numbers.
All rejected, suspense or missing items are researched, corrected and re-entered on a timely basis.
 
k. CO: Price, amount, and other information on the invoice are correct.
RS: Billings may be inaccurate or incomplete.
CN: The system validates invoice data input (for example, customer name and number, pricing, amounts and other information) against approved data and the sales order input in the system.
Invalid data is rejected for re-entry or stored in a suspense file where it is researched, corrected and re-entered on a timely basis to ensure completeness.
Management's approval is required for discounts and allowances in excess of predefined limits. Invoicing personnel examine the sales order for evidence of appropriate approval before input.
The lack of approval creates a suspense file that is reviewed by management for clearance on a regular basis.
l. CO: Duplicate recording of invoices is prevented.
RS: Duplicate sales invoices are generated and billed.
CN: A system check is performed to ensure invoice numbers are not duplicated and do not fall outside a specified range of numbers.
All rejected, suspense or missing items are researched, corrected and re-entered on a timely basis.
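The pre-numbered-document controls in the invoicing items above (a sequence check for missing or duplicated invoice numbers and for numbers outside the approved range, plus the daily reconciliation of invoices issued against shipments released by the shipping system) amount to a small detection routine that an auditor can rerun independently of the billing system. The following Python example is added here and is not code from the post; the invoice id format INV-nnnnnn, the approved number range, and the day's invoice register and shipment list are all constructed for the illustration.

```python
import re

# Approved invoice number range for the period (constructed).
INVOICE_RANGE = (1001, 1050)

# One constructed day's invoice register: (invoice id, shipment reference).
SAMPLE_INVOICES = [
    ("INV-001001", "SHP-1"),
    ("INV-001002", "SHP-2"),
    ("INV-001002", "SHP-2"),   # same invoice recorded twice
    ("INV-001004", "SHP-4"),   # 1003 is missing from the sequence
    ("INV-001005", "SHP-9"),   # billed against a shipment the shipping system never released
    ("INV-001100", "SHP-5"),   # number outside the approved range for the period
]

# Shipments released per the shipping system for the same day (constructed).
SAMPLE_SHIPMENTS = ["SHP-1", "SHP-2", "SHP-3", "SHP-4", "SHP-5"]

INVOICE_RE = re.compile(r"^INV-(\d{6})$")


def invoice_number(doc_id):
    """Extract the numeric sequence from an invoice id; malformed ids are an exception."""
    m = INVOICE_RE.match(doc_id)
    if not m:
        raise ValueError(f"malformed invoice id: {doc_id!r}")
    return int(m.group(1))


def check_sequence(numbers, low, high):
    """Sequence control: report duplicates, gaps and numbers outside [low, high].

    Gaps are reported within the span of in-range numbers actually used, so an
    unused tail of the approved range is not flagged as missing documents.
    """
    seen = set()
    duplicates, out_of_range = [], []
    for n in numbers:
        if n < low or n > high:
            out_of_range.append(n)
            continue
        if n in seen:
            duplicates.append(n)
        seen.add(n)
    gaps = [n for n in range(min(seen), max(seen) + 1) if n not in seen] if seen else []
    return {"duplicates": sorted(set(duplicates)), "gaps": gaps, "out_of_range": out_of_range}


def reconcile_invoices_to_shipments(invoices, shipments):
    """Daily reconciliation: shipments with no invoice, and invoices with no released shipment."""
    billed = {shp for _, shp in invoices}
    shipped = set(shipments)
    return {
        "unbilled_shipments": sorted(shipped - billed),
        "invoices_without_shipment": sorted(inv for inv, shp in invoices if shp not in shipped),
    }


def daily_invoice_review(invoices=SAMPLE_INVOICES, shipments=SAMPLE_SHIPMENTS, rng=INVOICE_RANGE):
    """Run both checks over one day's register and return a single exception report."""
    numbers = [invoice_number(inv) for inv, _ in invoices]
    report = check_sequence(numbers, *rng)
    report.update(reconcile_invoices_to_shipments(invoices, shipments))
    return report


if __name__ == "__main__":
    for key, items in daily_invoice_review().items():
        print(f"{key}: {items}")
```

Every non-empty list in the report is an item for the suspense file: a gap may be a voided or lost document, a duplicate may be double billing, an out-of-range number points at an invoice raised outside the authorized block, and an unbilled shipment is revenue that has left the warehouse without a receivable.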
 
m. CO: Correct postings are made to sales and receivables and are recorded in the proper period.
RS: Inaccurate, incomplete and untimely recording of sales.
CN: Upon approved release of a shipment from the warehouse, the invoices are approved by the Logistics Team in the system. The invoicing system then appropriately updates the sales/receivables accounting records.
 
o. CO: The calculation and application of tax amounts on invoices is accurate.

RS: Taxes and duties may be incorrectly computed and recorded.

CN: The excise duty, sales tax, goods and services tax, and/or value added tax tables are updated accurately in the system. The system automatically calculates the tax amounts. Management reviews tax calculations for accuracy.
 
p. CO: Correct goods are shipped and accurately recorded.

RS: "Incorrect quantities may be shipped.
Shipments made may not be properly (accurately and completely) recorded."

CN: "Shipments are subjected to dual counts (picking and packing) and these counts are evidenced in writing.

Physical safeguards are in place at the loading dock and at the gate exit points.

Shipments are recorded in the system by a person independent of picking and packing.

Shipment documents (bills of lading) are signed by carriers indicating acceptance of quantities shipped.

Access to alter shipping information or initiate shipments is restricted to personnel outside of the shipping function."
 
4. Contract Management

a. CO: Distributor arrangements are adequately monitored.

RS: Inadequate review of new and modified contracts (including distributor arrangements), resulting in improper revenue recognition.

CN: Distributor arrangements should be adequately reviewed by the Finance Manager and monitored regularly for appropriate revenue recognition.
 
q. CO: New sales contracts as well as contract modifications are properly reviewed for appropriate accounting treatment, prior to execution.

RS: Inadequate review of new and modified contracts (including distributor arrangements), resulting in improper revenue recognition.

CN: "Standard contracts are developed and reviewed by the Finance & Legal function to ensure that they are in accordance with GAAP.

Exceptions from standards must be approved by Finance for revenue accounting implications, prior to execution. Factors to consider include: existence of multiple elements, incentives, pricing and discounts, installations, price protection provisions, customer acceptance and guarantees.

Establish a materiality threshold over which revenue contracts must be reviewed and approved by designated levels of senior management prior to committing the Company.

Non-standard contract terms should be reviewed for administrative feasibility by Operations/Finance and communicated to those responsible for implementation and follow-up (e.g. pricing, credit line, terms and conditions etc.)."


c. CO: Sales contracts are standardized and must be clear and legally enforceable.

RS: Sales contracts may be unenforceable, resulting in loss to the Company.

CN: "Legal counsel should review contracts where appropriate to assure that the contract is correct and appropriate and the Company is not exposed to unnecessary liabilities.

Standardized or clearly defined contract terms and conditions.

Approval and communication process for non-standard terms and conditions.

Contractual remedies are specified."
 
d. CO: Only written sales contracts signed between the company and the customer are recognized as official.

RS: Side arrangements may result in the original contracts being rendered unenforceable, and may also impact the company's ability to recognize revenue.

CN: "The final contract reflects the main points of the negotiated customer proposal, including all negotiated terms.

Final contracts agreed between the customer and the Company should be signed.

Procedures should exist which restrict side arrangements (whether oral or written) from being entered into or recognized by the company.

Communicate with sales personnel (i.e. through training and formal policy) to avoid issuing unauthorized side agreements and similar instruments that undermine the intent of the original contract, e.g. promises of future product or price protection arrangements.

Procedures exist for disciplinary action when a side agreement is identified."


f. CO: All new contracts and changes to contracts are reviewed and approved before being executed and input into the contract system.

RS: "Amendments from standard contracts have not been approved.

Sales contracts and pricing may not be adequately evaluated and authorized prior to execution."

CN: "Procedures are in place requiring various levels of approval prior to contract execution and input into the contract system.

Formal procedures exist which specify the levels of management that may commit the company to the performance of a contract."

"Access to effect changes to contracts in the contracting system is limited to appropriate personnel (who have no responsibility for order entry or maintenance of customer accounts receivable).

All changes/additions made within the contracting system are subject to independent review through use of numerically or date controlled edit reports.

All contracts with any amendments are forwarded to Legal.

Legal consults with management, external counsel, and external auditors as needed for feasibility of terms."
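
An added example (not from the original post) of how an auditor might test the two access controls in f: a segregation-of-duties check over the contracting system's user access list, and a review of a numerically controlled edit report for sequence gaps, unreviewed changes and changes reviewed by their own author. The users, roles and report rows are constructed.

```python
# Constructed user access list for the contracting system (hypothetical users/roles).
USER_ROLES = {
    "alice": {"contract_change"},
    "bob": {"contract_change", "order_entry"},
    "carol": {"ar_maintenance"},
    "dave": {"contract_change", "ar_maintenance", "contract_review"},
}
# Conflicting pairs from the control: contract changers must not do order entry or AR.
SOD_CONFLICTS = [("contract_change", "order_entry"), ("contract_change", "ar_maintenance")]

# Constructed numerically controlled edit report: one row per change in the system.
EDIT_REPORT = [
    {"seq": 1, "contract": "K-1", "changed_by": "alice", "reviewed_by": "dave"},
    {"seq": 2, "contract": "K-2", "changed_by": "bob", "reviewed_by": None},
    {"seq": 4, "contract": "K-3", "changed_by": "dave", "reviewed_by": "dave"},
]


def sod_violations(user_roles=USER_ROLES, conflicts=SOD_CONFLICTS):
    """Return (user, role_a, role_b) for every user holding both roles of a conflicting pair."""
    return sorted((user, a, b)
                  for user, roles in user_roles.items()
                  for a, b in conflicts if {a, b} <= roles)


def review_edit_report(report=EDIT_REPORT):
    """Test the edit report: sequence gaps (changes missing from the report), changes
    nobody reviewed, and changes reviewed by the person who made them (not independent)."""
    seqs = sorted(r["seq"] for r in report)
    gaps = [n for n in range(seqs[0], seqs[-1] + 1) if n not in seqs] if seqs else []
    unreviewed = [r["seq"] for r in report if not r["reviewed_by"]]
    self_reviewed = [r["seq"] for r in report if r["reviewed_by"] == r["changed_by"]]
    return {"gaps": gaps, "unreviewed": unreviewed, "self_reviewed": self_reviewed}
```

Every item returned is an audit exception to be followed up: a conflicting role pair means the access restriction is not enforced, and each edit-report finding means a change escaped independent review.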
 
5. Receivable Monitoring

a. CO: The receivables from the customer are managed within the Company’s norms.

RS: Collection targets are not determined.

CN: Collection targets are prepared by the Sales Team every month by the 7th (ideally), based on the previous month's closing balance and first-week sales.

The credit period has been kept at XX days for all customers.

Security deposits are obtained from all distributors to minimize the impact of any default by the distributor. The extent of the security deposit to be received is spelt out in the Sales policy document; exceptions are escalated for approval as per the SOA.

The security deposit is revised every year based on the revised allocation.
 
b. CO: The receivables from the customer are managed within the Company’s norms.

RS: Customers are not encouraged to pay earlier than the credit period.

CN: The Company provides an Early Payment Incentive to its customers to encourage payment prior to the due date. A process exists to identify and accrue early payment discounts if they are not adjusted with the payment.

Delayed payment charges (DPC) are charged to the distributor for any delay in receipt of payment. DPC terms are clearly mentioned in the Customer Contract and on the printed copy of invoices.

Brief information about components of COSO

Control Environment - sets the tone of an organization, influencing the control consciousness of its people. It is the foundation of all other components of internal control, providing discipline and structure.

Risk Assessment - is the entity’s identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.

Control Activities - are the policies and procedures that help ensure that management’s directives are carried out.

Information and Communication systems - support the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.

Monitoring - is the process that assesses the quality of internal control performance over time.

An Overview of the COSO

Why an internal control framework?

Section 404 of the Sarbanes-Oxley Act requires management to file an annual internal control report which should include:

A statement identifying the framework used by management as criteria for evaluating the effectiveness of internal control.

If you fail to select a control framework, it will be almost impossible for an external auditor to attest to management’s assertion on the effectiveness of the internal controls and procedures for financial reporting.

If the company doesn’t adopt an internal control framework, there are no criteria against which the company or the independent auditor can measure effectiveness.

“You have to pick the set of rules that you want to play by or the independent auditor can’t referee the game.”
 
Control Frameworks

COSO – Internal Control: Integrated Framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission and sponsored by the AICPA, FEI, IIA and others. This is the most dominant control model in the US.

CoCo – The control model developed by the Criteria of Control Committee of the Canadian Institute of Chartered Accountants. CoCo focuses on behavioral values rather than control structure procedures as the fundamental basis for internal control in a company.

Turnbull Report – Internal Control: Guidance for Directors on the Combined Code, developed by the Committee on Corporate Governance of the Institute of Chartered Accountants in England & Wales, in connection with the London Stock Exchange. The Turnbull Report required companies to identify, evaluate and manage their significant risks and to assess the effectiveness of the related internal control system.

ACC – Australian Criteria of Control, developed by the Institute of Internal Auditors – Australia, emphasizes the competency of management and employees to develop and operate the internal control framework.

The King Report – Released by the King Committee on Corporate Governance, promotes high standards of corporate governance in South Africa. The King Report goes beyond the usual financial and regulatory aspects of corporate governance by addressing social, ethical and environmental concerns.
 
Components of COSO

COSO identifies five components of internal control that need to be in place and integrated to ensure the achievement of each of the objectives. These components are:

1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring
 
Components of COSO..Control Environment

Control Environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for the other COSO components, providing discipline and structure.

Its main fundamentals and requirements are:

1. Integrity and Ethical Values: Objectives are achieved based on preferences, value judgments and management style. These preferences and judgments, which are translated into standards of behavior, reflect management’s integrity and commitment to ethical values.

2. Commitment to Competence: Knowledge and skills needed to accomplish tasks are critical in defining individual job responsibilities.

3. Board of Directors or Audit Committee: An active and involved Board / Audit Committee is critical to effective internal control.

4. Management Philosophy and Operating Style: Affects the way the enterprise is managed, including the kind and degree of business risks accepted.

5. Organizational Structure: Provides the framework within which the activities for achieving an entity’s objectives are planned, executed, controlled and monitored.

6. Assignment of Authority and Responsibility: The degree to which employees and teams are encouraged to use initiative in addressing issues and solving problems.

7. Human Resource Policies and Practices: Activities and mechanisms for communicating to employees regarding expected levels of integrity, ethical behavior and competence.

Components of COSO..Risk Assessment

Risk Assessment involves identification and analysis of relevant risks – internal and external – to the achievement of objectives, forming a basis for how risks should be managed.

1. Objectives: Objective setting is a precondition to assessing risk and provides the measurable targets toward which the entity moves in conducting its activities. Objectives can be explicitly stated or implicitly known, and are established at all levels of an entity.

2. Risks: Identifying and analyzing risk is an ongoing, iterative process. Focus on effective risk management should be maintained at all levels of an entity.

3. Managing Change: Mechanisms are in place to anticipate, identify and react to changes that may have a dramatic and pervasive effect on the entity, or may affect achievement of entity or process / application-level objectives.



Components of COSO..Control Activities

Control Activities involve policies, procedures and business disciplines that help ensure management directives are carried out, and that necessary actions are taken to address the organization’s risks.

1. Types of Control Activities:

a) Top Level Reviews – Actual vs. budget, tracking of major initiatives, monitoring of new product development, etc.
b) Direct Functional or Activity Management – Management review of performance reports.
c) Information Processing – Checking for accuracy, completeness and authorization of transactions.
d) Physical Controls – Equipment, inventories, securities, cash, etc.
e) Segregation of Duties – Division of duties among different employees to reduce the risk of error or inappropriate activities.

2. Information Systems:

a) General Controls – Data center operations, system software, access security, application system development.
b) Application Controls – Application processing, completeness/accuracy of transaction processing, authorization and validity.
 
Components of COSO..Information & Communication

Information & Communication involves the identification, capture and communication of pertinent information in a form and timeframe that enables employees to carry out their duties.

Information: Information is needed at all levels of an organization to support achievement of an entity’s objectives. Quality information should be:

a) Appropriate in content
b) Timely
c) Current
d) Accurate
e) Accessible

Communication: Communication – internal and external – takes place in a broader sense than the dissemination of information, and carries with it implicit undertones regarding expectations, importance and responsibilities. Effective communication should be:

a) Empowered
b) Open and honest
c) Flowing up, down and across the entity
 
Components of COSO..Monitoring

Monitoring assesses the quality of internal control performance over time.

Types of monitoring are:

1) On-going Monitoring: Activities that serve to monitor internal control in the normal course of business. Examples:

Reconciliations and data comparisons

Exception reporting

Communications from internal and external parties

Organizational structure for overseeing normal transaction processing

2) Separate Evaluations: Activities that serve to monitor internal control outside the normal course of business.

a) Scope and Frequency – Evaluations of internal control will vary in scope and frequency based on risk significance and importance of the control(s) in managing the risk.

b) Who Evaluates? – The effectiveness of separate evaluations will depend upon “who” is performing the evaluation and what level of support they have.

3) Reporting Deficiencies: Conditions within an internal control system worthy of attention. In evaluating an entity’s process for reporting deficiencies, consideration should be given to the sources from which information is received, what is being reported and to whom it is being reported.

Life sucks as an auditor


Given the volume of people leaving the firms for greener pastures, I started thinking about the reasoning behind why people at different levels within the firm leave. So let's give this a shot...
1) First year associate - You go, WTF is this job? You realize that this is not the career or field, let alone the job, for you. You realize your calling is nursing, teaching in an elementary school, running a store, or something on those lines. This is when you leave, or should leave.
2) Second year-third year associate - You complete two years at the firm. You cannot deal with the hours, and your main priority is a good work-life balance. You'd rather be an accountant at a company, and have your own desk and 9-5 hours. This is when you leave, or should leave.
3) First senior associate year- You now have senior year under your belt. You probably have your CPA by now. The offers are pouring in. You hate the salary you're getting paid. You went through a really difficult year and start to hate some of your managers. You want out. You get an offer paying 8-12k more, with something called bonuses given to you on a periodic basis. You don't mind working from 8:30-6:30 or so. More specialized positions like revenue recognition accountant come into play. This is when you leave.
4) Second senior associate year - You put in your time at the firm. You know you do NOT want to be a manager at the firm. You realize that if you stay one more year, you'll end up staying for two. You don't think you can deal with this kinda life anymore. Friends around you are dropping like flies. You think about leaving once a week. You go through a range of emotions, going back and forth between leaving and staying. You give interviewing a shot. You decide that if you don't like any positions out there, you're staying. A combination of a catalyst event happening at work (work till midnight for a couple days) and an intriguing job offer make you leave.
5) Third year senior associate - You're this close to becoming a manager. You are pushed to the limits at work. Your salary is absolutely ridiculous for the amount of work you do. All your friends in the private sector are making more than you doing way less work. You wonder if waiting out a few months to make manager is worth it. Your mind's telling you to wait it out since it will be worth it in the long term. But you get an offer that might be the same as when you make manager, and you do not want to let this slip by. This is when you leave.
6) Manager year (1st and 2nd) - Holy heck, what just happened. You're over-worked, frustrated, and stressed out. But you have the mgr year under your belt. There is no reason to stay, unless you don't know what to do, or you want to be in audit. Assistant controller and controller positions come pouring in. You jet.
7) Manager year (3rd-4th) - You could become a senior manager. Maybe you can wait it out and get that title. But your personal life comes into play. Marriage and kids come into play. Your significant other wants more time if you're a guy, and if you're a girl, kids make staying not worth it. You jet for a good job with decent hours so you have a life and spend time with your family.
8) Senior manager - You realize your chances of making partner are less than 20%. It'll take you time to check your ego, but it hits you finally. This is when you leave. (Except I don't get why you don't leave. I really don't. Don't you know by now you won't make partner. Maybe it's that 20% chance that makes you hang on).
9) Partner - Retire. CFO/Director position. Forced early retirement. That's it. You've hit the holy grail in the accounting field, and are set for life, so why bother leaving.

Tuesday, August 10, 2010

Reducing risks on big projects

Big projects (> 1 million) have too many unknowns. The secret to managing big projects is to be proactive about knowing what your unknowns are and planning enough room for managing them. This is the biggest challenge.

Passive management on big projects is a guaranteed recipe for failure.

In the internet startup business this philosophy doesn’t have too many followers. The idea there is to let the business grow organically and let the project be managed based on demand. Twitter is a good example of that, where a concept grew organically very fast and the team behind it had to scale the systems based on the demand.

A Canadian company, http://localads.org, is planning to do the same thing by organically growing a unique concept and taking on the classifieds industry.

How far the concept will be accepted remains to be seen.