
Audit Checklists & Continuous Auditing for Financial Close and Sarbanes-Oxley (SOX) Audit Procedures

December 2006

This document provides a consolidated set of audit checklists typical of those used by internal and external auditors to evaluate the financial close process and test compliance with Sarbanes-Oxley (SOX).

These checklists identify all of the typical controls that comprise a typical audit and highlight ways that you can automate many of the tasks by using an independent controls monitoring and audit (CMA) solution.

Table of Contents

Section 1 – Financial Close Process
Section 2 – Entity Level Controls - Control Environment
Section 3 – Entity Level Controls - Information & Communication
Section 4 – Entity Level Controls – Monitoring
Section 5 – Entity Level Controls – Risk Assessment
Section 6 – Expenditure Process Controls
Section 7 – Fixed Assets Process Controls
Section 8 – Inventory Management Process Controls
Section 9 – Payroll Process Controls
Section 10 – Revenue Process Controls
Section 11 – Treasury Process Controls
Section 12 – SOX Checklist
ABOUT APPROVA

Section 1 – Financial Close Process

The financial close process is the single largest source of internal controls weaknesses disclosed in SEC filings. Some of the most common challenges include revenue recognition, accruals, capitalization, and inter-company eliminations. For this reason it is typically a major focus of most audits. The following checklist highlights the key controls that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #1: Financial Close Process

| # | Business Activity | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 1 | Financial Close | Accounting policies exist, are kept current, and are communicated to the appropriate personnel. | | |
| 2 | Financial Close | Procedures are in place to ensure that all transactions are recorded in accordance with GAAP. | | |
| 3 | Financial Close | Close procedures, including due dates, responsibilities, disclosure updates, and account classifications are defined, communicated, and implemented. | | Continuous controls monitoring and audit of the financial close process is an integral part of the financial close procedure. |
| 4 | Financial Close | The standard corporate reporting format is utilized. | | CMA solutions can report test results in existing corporate reports or as part of third party reporting packages (e.g. Crystal Reports). |
| 5 | Financial Close | Access to accounting and reporting applications is limited to the appropriate individuals. | | CMA solutions provide detailed remediation and monitoring of user access for accounting and reporting applications. |
| 6 | Financial Close | Journal entry input is restricted to authorized personnel. | | CMA solutions monitor unauthorized or irregular journal entries. |
| 7 | Financial Close | There is a checklist of the standard closing journal entries made at month-end, quarter-end, and year-end. | | CMA solutions identify non-standard journal entries. |
| 8 | Financial Close | Pre-numbered vouchers are used to ensure that all non-recurring entries are processed only once in the system. | | CMA solutions identify duplicate journal entries. |
| 9 | Financial Close | Manual journal entries have adequate supporting documentation and are approved by the appropriate level of management. | | CMA solutions identify manual journal entries that do not have proper approvals. |
| 10 | Financial Close | Standardized journal entries are used for recurring journal entries. | | |
| 11 | Financial Close | Journal entries are supported and authorized before being posted. | | CMA solutions identify unauthorized journal entries. |
| 12 | Financial Close | System logic prevents journal entries for which debits do not equal credits. | | CMA solutions identify journal entries for which debits do not equal credits. |
| 13 | Financial Close | The system will not allow journal entries to be recorded to a closed accounting period. | | CMA solutions identify journal entries that have been recorded after a closed accounting period. |
| 14 | Financial Close | System logic will not allow duplicate journal entry numbers. | | CMA solutions identify duplicate journal entries. |
| 15 | Financial Close | A procedure detailing the calculation of specific accruals and recording rules exists and is consistently applied. | | |

| # | Business Activity | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 16 | Financial Close | Write-offs and reserves are clearly defined, consistently applied, and monitored in accordance with company policy. | | |
| 17 | Financial Close | All account balances are reconciled prior to closing the books, including confirming that balances agree with related parties. | | |
| 18 | Financial Close | Significant variances in reconciliations are investigated and resolved timely. | | |
| 19 | Financial Close | Fluctuation analysis of actual to budget or prior periods is performed. | | |
| 20 | Financial Close | The financial reporting package is reviewed by management before submission to Corporate. | | |
| 21 | Financial Close | Duties are appropriately segregated in the closing process. | | CMA solutions identify and remediate segregation of duties violations. |
| 22 | Financial Close | Access/authorization controls are in place to maintain the integrity of the chart of accounts. | | CMA solutions monitor all changes to the chart of accounts. |
| 23 | Financial Close | Procedure is in place to identify any changes to master data that have significant financial accounting and/or reporting implications to the accounting department. | | CMA solutions monitor all changes to master data. |
| 24 | Financial Close | A procedure is in place to identify and communicate transactions/events that have significant financial accounting and/or reporting implications to the accounting department. | | For the operations that CMA solutions monitor, appropriate alerting and reporting is performed to communicate any anomalies in financial close procedures. |

= Significant opportunities to implement a controls monitoring and audit (CMA) solution

= Some opportunity to implement a controls monitoring and audit (CMA) solution

= Little or no opportunity to implement a controls monitoring and audit (CMA) solution
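
The journal entry tests in Checklist #1 (items 6, 8, 9, 11, 12, 13, 14 and 21) can be run against every entry rather than a sample. The following is an added example, not code from this document or from any CMA product; the record layout, field names, finding labels and sample entries are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional, Tuple


@dataclass(frozen=True)
class Line:
    account: str
    debit: Decimal = Decimal("0")
    credit: Decimal = Decimal("0")


@dataclass(frozen=True)
class JournalEntry:
    number: str                 # journal entry / voucher number
    posting_date: date          # accounting date the entry posts to
    entered_on: date            # date the entry was keyed into the ledger
    entered_by: str
    approved_by: Optional[str]  # None means no approval is recorded
    manual: bool
    lines: Tuple[Line, ...]


def audit(entries, period_end, closed_on, authorized_preparers):
    """Test every entry (no sampling); return sorted (number, finding) pairs."""
    findings = set()
    seen = Counter(e.number for e in entries)
    zero = Decimal("0")
    for e in entries:
        # Items 8 and 14: each journal entry number may be used only once.
        if seen[e.number] > 1:
            findings.add((e.number, "DUPLICATE_NUMBER"))
        # Item 12: debits must equal credits (Decimal avoids float rounding).
        debits = sum((l.debit for l in e.lines), zero)
        credits = sum((l.credit for l in e.lines), zero)
        if debits != credits:
            findings.add((e.number, "UNBALANCED"))
        # Item 13: entry keyed after the close but dated into the closed period.
        if e.posting_date <= period_end and e.entered_on > closed_on:
            findings.add((e.number, "CLOSED_PERIOD"))
        # Item 6: journal entry input is restricted to authorized personnel.
        if e.entered_by not in authorized_preparers:
            findings.add((e.number, "UNAUTHORIZED_PREPARER"))
        # Items 9 and 11: manual entries need a recorded approval.
        if e.manual and e.approved_by is None:
            findings.add((e.number, "MISSING_APPROVAL"))
        # Item 21: segregation of duties, preparer must not approve own entry.
        if e.approved_by is not None and e.approved_by == e.entered_by:
            findings.add((e.number, "SELF_APPROVED"))
    return sorted(findings)


def je(number, posted, entered, by, approver, manual, debit, credit):
    """Build a two-line entry from ISO dates and decimal strings."""
    lines = (Line("6000", debit=Decimal(debit)),
             Line("2000", credit=Decimal(credit)))
    return JournalEntry(number, date.fromisoformat(posted),
                        date.fromisoformat(entered), by, approver, manual, lines)


# Constructed sample ledger: November 2006 period, closed on 4 December 2006.
SAMPLE = [
    je("JE-1001", "2006-11-30", "2006-11-30", "alice", "bob", True, "500.00", "500.00"),
    je("JE-1002", "2006-12-05", "2006-12-05", "alice", "bob", False, "100.10", "100.01"),
    je("JE-1003", "2006-11-28", "2006-12-06", "alice", "bob", True, "75.00", "75.00"),
    je("JE-1004", "2006-12-05", "2006-12-05", "carol", None, True, "20.00", "20.00"),
    je("JE-1004", "2006-12-06", "2006-12-06", "alice", "bob", False, "20.00", "20.00"),
    je("JE-1005", "2006-12-07", "2006-12-07", "dave", "dave", True, "9.99", "9.99"),
]


def run_sample():
    return audit(SAMPLE, period_end=date(2006, 11, 30),
                 closed_on=date(2006, 12, 4),
                 authorized_preparers={"alice", "carol"})


if __name__ == "__main__":
    for number, finding in run_sample():
        print(number, finding)
```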

Section 2 – Entity Level Controls - Control Environment

The control environment helps define the atmosphere in which people conduct their activities and carry out their control responsibilities. It sets the tone of an organization by influencing the control consciousness of its people. It is the foundation for all other components of internal controls and provides discipline and structure. Control environment factors include the integrity, ethical values, and competence of the organization’s people; management's philosophy and operating style; the way management assigns authority and responsibility; the way management organizes and develops its people; and the attention and direction provided by the audit committee and board of directors.

The objective of the control environment is to establish and promote a collective attitude toward achieving effective internal control over the entity's business. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #2: Entity Level Controls - Control Environment

| # | COSO Attribute | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 1 | Integrity & Ethical Values | A code of conduct and other policies exist regarding acceptable business practices, conflicts of interest, or expected standards of ethical and moral behavior. | | |
| 2 | Integrity & Ethical Values | There is an established "tone at the top" including explicit guidance about what is right and wrong. This tone is communicated and practiced by executives and management throughout the organization. Employees are aware of what to do when they encounter improper behavior. | | |
| 3 | Integrity & Ethical Values | Management follows ethical guidelines in dealing with employees, suppliers, customers, investors, creditors, insurers, competitors, regulators, and auditors. | | |
| 4 | Integrity & Ethical Values | The importance of high ethics and controls is discussed with newly hired employees through orientations or interviews. | | |
| 5 | Integrity & Ethical Values | Management removes or reduces incentives or temptations that might cause personnel to engage in dishonest or unethical acts. | | |
| 6 | Integrity & Ethical Values | Management takes appropriate disciplinary action in response to departures from approved policies and procedures or violations of the code of conduct. | | |
| 7 | Integrity & Ethical Values | Situations involving pressure to meet unrealistic targets do not exist or are properly controlled - particularly for short-term results. | | |
| 8 | Integrity & Ethical Values | Individual compensation awards are in line with the ethical values of the company, and foster an appropriate ethical tone (e.g., bonuses are not given to those that meet objective, but in the process circumvent established policies, procedures, or controls). | | |
| 9 | Commitment to Competence | Company personnel have the competence and training necessary for their assigned duties. | | |
| 10 | Commitment to Competence | Personnel are cross-trained to understand other functions and the impact of their specific duties on other areas of the company. | | |
| 11 | Commitment to Competence | Management possesses broad functional experience (i.e., management comes from several functional areas rather than just a few, such as production and sales). | | |

| # | COSO Attribute | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 12 | Commitment to Competence | Management provides personnel with access to training programs on relevant topics. | | |
| 13 | Commitment to Competence | Formal job descriptions or other means of defining tasks that comprise particular jobs exist and are effectively used. | | |
| 14 | Commitment to Competence | Adequate staffing levels are maintained to effectively perform required tasks. | | |
| 15 | Management's Philosophy & Operating Style | Management analyzes the risks and potential benefits of ventures. | | |
| 16 | Management's Philosophy & Operating Style | Turnover in management or supervisory personnel is monitored and the reasons for significant turnover are evaluated. | | |
| 17 | Management's Philosophy & Operating Style | Senior management maintains contact with and consistently emphasizes appropriate behavior to operating personnel. | | |
| 18 | Management's Philosophy & Operating Style | Management exemplifies attitudes and actions reflecting a sound control environment and commitment to ethical values. | | |
| 19 | Management's Philosophy & Operating Style | Management adopts accounting policies that best reflect the economic realities of the business. | | |
| 20 | Organizational Structure | Executives clearly understand their responsibility and authority for business activities and how they relate to the entity as a whole. | | |
| 21 | Organizational Structure | The entity establishes appropriate lines of reporting, giving consideration to its size and the nature of its activities. | | |
| 22 | Organizational Structure | The structure of the entity facilitates the flow of information to appropriate people in a timely manner. | | For the operations that CMA solutions monitor, appropriate alerting and reporting is performed to communicate any anomalies in the control environment. |
| 23 | Organizational Structure | Incompatible duties are segregated (e.g., separation of accounting for and access to assets). | | CMA solutions identify and remediate segregation of duties (SoD) violations. |
| 24 | Assignment of Authority & Responsibility | Employees throughout the entity are assigned authority and responsibility related to their specific job functions. | | |
| 25 | Assignment of Authority & Responsibility | Job descriptions contain specific references to control-related responsibilities. | | |
| 26 | Assignment of Authority & Responsibility | Employees are empowered, when appropriate, to correct problems or implement improvements. | | CMA solutions are designed so that the business process owner can design, implement and monitor controls and perform remediation of control violations without having to enlist IT resources. |
| 27 | Assignment of Authority & Responsibility | There is a structure for assigning ownership of information including who is authorized to initiate or change transactions. | | CMA solutions include remediation workflow to remediate SOD violations. |
| 28 | Assignment of Authority & Responsibility | There are policies and procedures for authorization and approval of transactions. | | |
| 29 | Human Resources Policies & Procedures | Management establishes and enforces standards for hiring the most qualified individuals, with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior. | | |
| 30 | Human Resources Policies & Procedures | Screening procedures, including background checks, are employed for job applicants, particularly for employees with access to assets susceptible to misappropriation. | | |

| # | COSO Attribute | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 31 | Human Resources Policies & Procedures | Recruiting practices include formal, in-depth employment interviews and informative, insightful presentations on the entity's history, culture, and operating style. | | |
| 32 | Human Resources Policies & Procedures | Training policies communicate prospective roles and responsibilities and illustrate expected levels of performance and behavior. | | |
| 33 | Human Resources Policies & Procedures | Job performance is periodically evaluated and reviewed with each employee. | | |
| 34 | Human Resources Policies & Procedures | Disciplinary actions send a message that violations of expected behavior will not be tolerated. | | |
| 35 | Human Resources Policies & Procedures | An ongoing education process enables people to deal effectively with evolving business environments. | | |

1 = Significant opportunities to implement a controls monitoring and audit (CMA) solution

= Some opportunity to implement a controls monitoring and audit (CMA) solution

= Little or no opportunity to implement a controls monitoring and audit (CMA) solution

Section 3 – Entity Level Controls - Information & Communication

Information and communication is the component of internal controls that ensures that pertinent information is identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports containing operational, financial, and compliance-related information that make it possible to run and control the business. They deal with internally-generated data, as well as with information about external events, activities, and conditions necessary to make informed business decisions and generate reliable external reports.

Effective communication must also occur in a broader sense, throughout the organization. The “tone at the top” must clearly demonstrate to all employees that control responsibilities are to be taken seriously. Individuals must understand their own role in the internal control system, as well as how individual activities relate to the work of others. Individuals must have a means of communicating significant information upwards within the organization.

The objective of information and communication audits is to ensure that information relevant to operating the business and the maintenance of internal controls and records is identified, captured, and communicated to the appropriate individuals on a timely basis. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #3: Entity Level Controls - Information & Communication

| # | COSO Attribute | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 1 | Information Availability | Management monitors relevant external information and considers the impact on the entity. | | |
| 2 | Information Availability | Internal information regarding financial results is generated by the entity's financial information systems and that information is reported regularly. | | CMA solutions greatly reduce the time and effort of monitoring information system controls that affect the accuracy of financial statements. |
| 3 | Information Availability | Entity-wide operating results are reviewed and compared against budgets at regular intervals. | | |
| 4 | Information Availability | The adequacy of the information technology structure is considered by senior management. | | |
| 5 | Information Availability | Managers and other personnel have the required information in sufficient detail to carry out their responsibilities and there are mechanisms in place to ensure changing needs are met. | | |
| 6 | Reliability of IT Systems | Management has a strategic plan for IT systems that are linked to the entity's overall strategies. | | Independent CMA solutions can easily integrate with other governance, risk, compliance, and security-related applications such as Identity Management, GRC applications and portals. |

| # | COSO Attribute | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 7 | Reliability of IT Systems | Procedures are in place to provide assurance that relevant information is identified, captured, processed and reported by IT systems in an appropriate and timely fashion. | | CMA solutions can continuously monitor SOD, Financial Close, Order to Cash, Procure to Pay, System Configuration, Sensitive Transactions, and custom transactions in financial systems to ensure compliance is met and enforced. |
| 8 | Reliability of IT Systems | Management adequately staffs and designs the IT department to support the entity's overall business objectives. | | CMA solutions significantly reduce the effort of monitoring financial system controls by effectively utilizing existing staff. |
| 9 | Reliability of IT Systems | There are defined responsibilities for individuals responsible for implementing, documenting, testing, and approving changes to computer programs and systems. | | CMA solutions can assist in change control by monitoring financial application system settings. |
| 10 | Reliability of IT Systems | There is a regular back-up of application programs and data files. | | |
| 11 | Reliability of IT Systems | The entity has a disaster recovery plan in place that allows for the timely recovery of information. The disaster recovery plan is tested regularly and is updated as the business changes. | | |
| 12 | Reliability of IT Systems | There is a high level of user satisfaction with the IT systems, including reliability and timeliness of reports. | | CMA solutions are used by a broad scope of Fortune 1000 organizations. |
| 13 | Communication | Employee duties and control responsibilities are timely and effectively communicated. | | |
| 14 | Communication | Communication across the organization is adequate, complete and timely to enable people to perform their responsibilities effectively. | | For the operations that CMA solutions monitor, appropriate alerting and reporting is performed to communicate any anomalies in the control environment. |
| 15 | Communication | There is an established channel of communication for people to report, anonymously when appropriate, suspected improprieties and management encourages employees to utilize such channels when necessary. | | |
| 16 | Communication | Reported problems are investigated in a timely manner and disciplinary actions are taken when necessary. | | |
| 17 | Communication | There are realistic mechanisms in place for employees to provide recommendations. | | |

= Significant opportunities to implement a controls monitoring and audit (CMA) solution

= Some opportunity to implement a controls monitoring and audit (CMA) solution

= Little or no opportunity to implement a controls monitoring and audit (CMA) solution

Section 4 – Entity Level Controls – Monitoring

Monitoring is a process that assesses the quality of the entity's internal control performance over time. Effective monitoring is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of operations and includes regular management and supervisory activities, and other actions personnel take in the performance of their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported throughout the organization with serious matters reported to top management and the board.

The objective of monitoring is to detect and remediate control deficiencies throughout the entire system of internal control. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #4: Entity Level Controls – Monitoring

| # | COSO Attribute | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 1 | Ongoing Monitoring | Management monitors relevant external and internal information and considers the impact on the control structure. | | CMA solutions can continuously monitor SOD, Financial Close, Order to Cash, Procure to Pay, System Configuration, Sensitive Transactions, and custom transactions in financial systems to ensure compliance is met and enforced. |
| 2 | Ongoing Monitoring | Procedures are in place to monitor when controls are overridden and to determine if the override was appropriate. | | CMA solutions can continuously monitor SOD, Financial Close, Order to Cash, Procure to Pay, System Configuration, Sensitive Transactions, and custom transactions in financial systems to ensure compliance is met and enforced. |
| 3 | Ongoing Monitoring | Management takes appropriate action on exceptions to policies and procedures. | | CMA solutions include remediation workflow to remediate SOD violations. This remediation includes applying compensating controls for exceptions. |
| 4 | Ongoing Monitoring | Management responds timely to comments identified in management letters from the external auditor. | | |
| 5 | Ongoing Monitoring | Internal audit has the authority to review any aspect of the entity's operations. | | CMA solutions enable audit to monitor 100% of financial system controls on a daily or weekly basis rather than a 5% sample performed on a quarterly basis. |
| 6 | Ongoing Monitoring | Controls are reviewed to ensure that they are being applied as expected. | | For the systems that CMA solutions support, control design, deployment and monitoring is designed to be operated by the business process owner (without IT intervention) which facilitates better controls as the same person who is responsible for the control owns the controls. |
| 7 | Ongoing Monitoring | Internal audit is independent of the activities they audit. | | Independent CMA solutions that are not sold by financial applications vendors provide independent verification of controls effectiveness. |
| 8 | Ongoing Monitoring | Internal auditors are prohibited from having an operating role in the activities they monitor. | | |

| # | COSO Attribute | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 9 | Ongoing Monitoring | Management is required to respond in a timely manner to the internal audit department's findings and recommendations. | | |
| 10 | Reporting Deficiencies | Internal and/or external audit comments and management responses are provided to the audit committee or board of directors. | | |
| 11 | Reporting Deficiencies | Complaints of improper financial matters by external parties such as suppliers or regulators are fully investigated and documented. | | |
| 12 | Reporting Deficiencies | Discrepancies that have been identified by customers are investigated and resolved. | | CMA solutions can not only identify discrepancies in financial applications but they can also identify the root cause of the discrepancy to enable a faster remediation of the issue. |
| 13 | Reporting Deficiencies | Controls that should have prevented or detected problems are reassessed when problems occur. | | |
| 14 | Separate Evaluations | Personnel with the requisite skills conduct evaluations of appropriate portions of the internal control system. | | CMA solutions can automate the control testing for financial applications reducing the need for highly skilled personnel to manually conduct control testing. |
| 15 | Separate Evaluations | The frequency and scope of supervision and monitoring activities are appropriate to the size and nature of the entity. | | CMA solutions enable audit to monitor 100% of financial system controls on a daily or weekly basis rather than a 5% sample performed on a quarterly basis. |
| 16 | Separate Evaluations | Supervisory personnel perform various random and structured reviews over the functioning of control procedures. | | CMA solutions enable audit to monitor 100% of financial system controls on a daily or weekly basis rather than a 5% sample performed on a quarterly basis. |

= Significant opportunities to implement a controls monitoring and audit (CMA) solution

= Some opportunity to implement a controls monitoring and audit (CMA) solution

= Little or no opportunity to implement a controls monitoring and audit (CMA) solution

Section 5 – Entity Level Controls – Risk Assessment

Risk assessment is the component of the entity’s internal controls that involves identifying and analyzing risks (both internal and external) relevant to achieving business objectives and objectives related to the preparation of reliable financial statements. The objective of the entity's risk assessment process is to establish and maintain an effective process to identify, analyze, and manage risks relevant to achieving business objectives and/or the preparation of reliable financial statements. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #5: Entity Level Controls – Risk Assessment

| # | COSO Attribute | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 1 | Entity-Wide Objectives | Management has a business planning process in place that examines existing objectives and establishes new objectives when necessary. | | |
| 2 | Entity-Wide Objectives | Management establishes business plans and budgets with realistic goals, and incentives for achievement of plans are balanced. | | |
| 3 | Entity-Wide Objectives | Objectives are communicated at the appropriate levels and are understood and adopted by the responsible parties. | | |
| 4 | Entity-Wide Objectives | Management has established a process to periodically review and update entity-wide strategic plans and objectives. | | |
| 5 | Activity-Level Objectives | Activity-level objectives are linked with entity-wide objectives and strategic plans. | | |
| 6 | Activity-Level Objectives | Activity-level objectives are consistent with each other (e.g., objectives for the sales organization are consistent with the manufacturing organization). | | |
| 7 | Risk Identification & Management | Management identifies risks related to each of the established objectives. | | |
| 8 | Risk Identification & Management | Management has mechanisms in place to identify business risks resulting from entering new markets or lines of business or from offering new products and services. | | |
| 9 | Risk Identification & Management | Management identifies financial reporting risks that result from operations or compliance with laws and regulations. | | |
| 10 | Risk Identification & Management | Management identifies fraud risk factors, including management override of controls. | | |
| 11 | Risk Identification & Management | Identifying risks includes estimating the significance of the risks identified, assessing the likelihood of the risks occurring, and determining the need for action. | | |
| 12 | Risk Identification & Management | Risks are evaluated as part of the business planning process. | | |
| 13 | Risk Identification & Management | Senior management develops plans to mitigate significant identified risks. | | |

| # | COSO Attribute | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 14 | Risk Identification & Management | The responsibilities and expectations for the entity's business activities and the entity's philosophy about identification and acceptance of business risk are clearly communicated to the executives in charge of separate functions. | | |
| 15 | Risk Identification & Management | Risks are reviewed periodically with the appropriate corporate governance functions (e.g., executive management, disclosure committee, audit committee, and legal). | | |
| 16 | Manage Change | The business planning process includes a broad spectrum of personnel with collective knowledge of all areas of the entity. | | |
| 17 | Manage Change | The business planning process includes consideration of changes in the business environment, including the industry, competitors, the regulatory environment, and customers. | | |
| 18 | Manage Change | Changes in risks are identified in a timely manner. | | |
| 19 | Manage Change | Changes are appropriately communicated to the proper level of management (depending on the significance). | | |
| 20 | Manage Change | Management has identified the resources needed to achieve the objectives and has plans to acquire the necessary resources. | | |
| 21 | Manage Change | Budgets and forecasts are updated throughout the year to reflect changing conditions. | | |

= Significant opportunities to implement a controls monitoring and audit (CMA) solution

= Some opportunity to implement a controls monitoring and audit (CMA) solution

= Little or no opportunity to implement a controls monitoring and audit (CMA) solution

Section 6 – Expenditure Process Controls

For most large organizations, the procurement process generates thousands of transactions a day. Controllers and purchasing managers carry a serious responsibility to oversee these transactions and ensure that only legitimate payments are made. Sarbanes-Oxley has only increased the scrutiny with which auditors look at procurement-related controls. Auditors demand evidence of strong controls when they test an organization’s expenditure process controls. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #6: Expenditure Process Controls

Business Activity Point of Focus/ Control Objective Ability to Automate Description of Automation

1 Purchasing Purchase orders are placed only for approved requisitions. CMA solutions can monitor purchase orders for appropriate approvals.

2 Purchasing Purchase orders are entered accurately.

CMA solutions can monitor master data and other key fields in purchase orders.

3 Purchasing All purchase orders issued are input and processed.

4 Purchasing Purchasing has established and follows policies and procedures to qualify and evaluate vendors prior to becoming approved vendors.

CMA solutions can ensure that vendor policies such as credit limits are not violated.

5 Purchasing There is an approved/preferred vendor list that is maintained by the purchasing department.

6 Purchasing A threshold has been established for obtaining competitive bids and quotations for expenditures.

7 Purchasing After-the-fact POs are identified, tracked, and followed up on regularly.

CMA solutions can identify purchase orders that are issued after goods are received.

8 Purchasing Vendor performance (price, product quality, delivery, etc.) is monitored periodically.

9 Purchasing Purchase price variances are monitored to evaluate the effectiveness of the purchasing department.

10 Purchasing Justification for using sole source vendors is documented and approved by management.

11 Purchasing There is a contingency plan for alternative sources of supply with respect to sole source vendors.

12 Purchasing Unused/open purchase orders are reviewed periodically and investigated by individuals independent of the purchasing and receiving functions.

CMA solutions can identify open purchase orders independent of purchasing and receiving departments.

13 Receiving Contents of incoming shipments, as listed on the packing slip or bill of lading, are compared to the physical product(s) received.

14 Receiving Approved purchase orders are required for all receipts. CMA solutions can identify goods received without purchase order.

15 Receiving A sequentially numbered receiving report is generated for all items received.

16 Receiving All receipts are physically processed and recorded timely in the relevant systems.

17 Receiving The receiving department maintains a permanent record of original receiving documents (packing slips, bills of lading, and receiving reports).

18 Receiving Written procedures exist identifying which inbound goods require inspection before being released to production.

19 Receiving Rejected goods are clearly marked and segregated to prevent use.

20 Receiving Rejected goods are promptly returned to the vendor for credit. CMA solutions can identify goods returned pending credit.

21 Receiving There are procedures in place to ensure adequate cut-off of receipts at period end.

22 Processing Accounts Payable

Amounts posted to accounts payable represent goods or services received.

CMA solutions can identify anomalies in accounts payable vs. goods received.

23 Processing Accounts Payable

Only original invoices are processed for payment.

CMA solutions can monitor changes to master data and identify duplicate payment of invoices.

24 Processing Accounts Payable

Prices and extensions on invoices are checked for accuracy.

25 Processing Accounts Payable

Vendor discounts are taken in accordance with current cash management guidelines.

CMA solutions can monitor master data information including vendor discounts.

26 Processing Accounts Payable

Invoices processed for payment are marked/perforated to prevent duplicate processing/payment.

27 Processing Accounts Payable

System logic prevents duplicate invoices from being processed.

CMA solutions can identify duplicate payments.

28 Processing Accounts Payable

Accounts payable amounts are accurately calculated and recorded.

CMA solutions can identify anomalies in accounts payable vs. goods received.

29 Processing Accounts Payable

All amounts for goods or services received are input and processed to accounts payable in the appropriate period.

30 Processing Accounts Payable

Credit notes and other adjustments are accurately calculated and recorded.

31 Processing Accounts Payable

All valid credit notes and other adjustments related to accounts payable are input and processed in the appropriate period.

32 Processing Accounts Payable

Vendor invoices are matched to purchase order receiving information prior to payment.

CMA solutions can perform 3-way matching to ensure that payments are not disbursed to invoices without matching purchase orders.

33 Processing Accounts Payable

Disbursements are only made for goods and services received.

CMA solutions can identify disbursements made without goods or services received.

34 Processing Accounts Payable

Disbursements are distributed to the appropriate suppliers.

CMA solutions monitor master data so that appropriate supplier information is correct.

35 Processing Accounts Payable

Disbursements are accurately calculated and recorded.

36 Processing Accounts Payable

All disbursements are recorded in the period in which they are issued.

CMA solutions can identify disbursements made outside of the period they were issued.

37 Processing Accounts Payable

Accounts payable sub-ledger is reconciled to the general ledger at least monthly.

38 Processing Accounts Payable

Debit balances in the accounts payable subsidiary ledger are promptly investigated and, if necessary, refunds are obtained from vendors.

39 Processing Accounts Payable

All necessary accruals (received not vouchered) are computed and recorded at period end.

40 Maintaining Vendor Master File

Only valid changes are made to the supplier master file.

CMA solutions monitor master data so that appropriate supplier information is correct.

41 Maintaining Vendor Master File

All valid changes to the supplier master file are input and processed.

CMA solutions monitor master data so that appropriate supplier information is correct.

42 Maintaining Vendor Master File

Changes to the supplier master file are accurate and are processed in a timely manner.

43 Maintaining Vendor Master File

Supplier master file data remains pertinent.

44 Maintaining Vendor Master File

Access to the vendor master file is limited to appropriate individuals.

CMA solutions monitor access to vendor master file.

45 Maintaining Vendor Master File

The functions to create the vendor master file, prepare an invoice for payment, create the check run, and sign and distribute checks are segregated.

CMA solutions monitor segregation-of-duties access controls to ensure that changing the vendor master file, preparing invoices for payment, and distributing checks are segregated.

= Significant opportunities to implement a controls monitoring and audit (CMA) solution

= Some opportunity to implement a controls monitoring and audit (CMA) solution

= Little or no opportunity to implement a controls monitoring and audit (CMA) solution
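
The automated checks named in Checklist #6 (items 1, 7, 14, 23/27, 32 and 45) can be sketched as plain queries over purchasing data. The following is an added example, not taken from this document or from any CMA product; the record layouts, field names, users and sample values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample data; field names are assumptions, not a real ERP schema.
# Amounts are integer cents so comparisons are exact.
POS = {
    "PO-100": {"approved_by": "mgr1", "created": date(2006, 11, 1), "cents": 50000},
    "PO-101": {"approved_by": None, "created": date(2006, 11, 3), "cents": 120000},
    "PO-102": {"approved_by": "mgr2", "created": date(2006, 11, 10), "cents": 30000},
}
RECEIPTS = [
    {"grn": "GR-1", "po": "PO-100", "received": date(2006, 11, 5), "cents": 50000},
    {"grn": "GR-2", "po": "PO-102", "received": date(2006, 11, 8), "cents": 30000},
    {"grn": "GR-3", "po": None, "received": date(2006, 11, 9), "cents": 7500},
]
INVOICES = [
    {"doc": 1, "vendor": "V1", "number": "A-0001", "po": "PO-100", "cents": 50000},
    {"doc": 2, "vendor": "V1", "number": "a1", "po": "PO-100", "cents": 50000},
    {"doc": 3, "vendor": "V2", "number": "B-7", "po": "PO-101", "cents": 120000},
    {"doc": 4, "vendor": "V3", "number": "C-3", "po": "PO-102", "cents": 35000},
]
# The four duties that checklist item 45 says must be segregated.
SOD_DUTIES = {"create_vendor", "prepare_invoice", "create_check_run", "sign_checks"}
USER_ACCESS = {
    "alice": {"create_vendor", "view_reports"},
    "bob": {"prepare_invoice", "create_check_run"},
    "carol": {"sign_checks"},
}

def unapproved_pos(pos):
    """Item 1: purchase orders with no recorded approver."""
    return sorted(p for p, rec in pos.items() if not rec["approved_by"])

def after_the_fact_pos(pos, receipts):
    """Item 7: POs created after goods against them had already arrived."""
    first = {}
    for r in receipts:
        if r["po"] in pos:
            first[r["po"]] = min(first.get(r["po"], r["received"]), r["received"])
    return sorted(p for p, d in first.items() if pos[p]["created"] > d)

def receipts_without_po(pos, receipts):
    """Item 14: goods received with no (or an unknown) purchase order."""
    return sorted(r["grn"] for r in receipts if r["po"] not in pos)

def normalize_invoice_number(number):
    """Fold case, punctuation and leading zeros: 'A-0001' and 'a1' match."""
    parts = re.findall(r"[a-z]+|\d+", number.lower())
    return "".join((p.lstrip("0") or "0") if p.isdigit() else p for p in parts)

def duplicate_invoices(invoices):
    """Items 23/27: (duplicate doc, original doc) for repeated invoices."""
    seen, dupes = {}, []
    for inv in sorted(invoices, key=lambda i: i["doc"]):
        key = (inv["vendor"], normalize_invoice_number(inv["number"]), inv["cents"])
        if key in seen:
            dupes.append((inv["doc"], seen[key]))
        else:
            seen[key] = inv["doc"]
    return dupes

def three_way_match(pos, receipts, invoices, tolerance_cents=0):
    """Item 32: flag invoices that PO and receiving data do not support."""
    received, billed, exceptions = defaultdict(int), defaultdict(int), {}
    for r in receipts:
        if r["po"] in pos:
            received[r["po"]] += r["cents"]
    for inv in sorted(invoices, key=lambda i: i["doc"]):
        reasons, po = [], pos.get(inv["po"])
        if po is None:
            reasons.append("no purchase order")
        else:
            if not po["approved_by"]:
                reasons.append("PO not approved")
            billed[inv["po"]] += inv["cents"]  # cumulative billing per PO
            if received[inv["po"]] == 0:
                reasons.append("no goods receipt")
            elif billed[inv["po"]] > received[inv["po"]] + tolerance_cents:
                reasons.append("billed exceeds received")
        if reasons:
            exceptions[inv["doc"]] = reasons
    return exceptions

def sod_conflicts(user_access, duties=SOD_DUTIES):
    """Item 45: users whose access combines two or more segregated duties."""
    return {u: sorted(f & duties) for u, f in sorted(user_access.items())
            if len(f & duties) > 1}

if __name__ == "__main__":
    print("Unapproved POs:", unapproved_pos(POS))
    print("After-the-fact POs:", after_the_fact_pos(POS, RECEIPTS))
    print("Receipts without PO:", receipts_without_po(POS, RECEIPTS))
    print("Duplicate invoices:", duplicate_invoices(INVOICES))
    print("3-way match exceptions:", three_way_match(POS, RECEIPTS, INVOICES))
    print("SoD conflicts:", sod_conflicts(USER_ACCESS))
```

Because the three-way match tracks cumulative billing per purchase order, the re-keyed duplicate (document 2) is caught by two independent checks, which is the kind of overlap an auditor looks for when testing items 27 and 32 together.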

Section 7 – Fixed Assets Process Controls

For organizations in most industries, fixed assets represent one of the largest items on the balance sheet. Auditors require that companies have well-controlled processes for recording, managing and retiring fixed assets. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #7: Fixed Assets Process Controls

Business Activity Point of Focus/ Control Objective Ability to Automate Description of Automation

1 Acquiring Fixed Assets

Recorded fixed asset acquisitions represent fixed assets acquired by the organization.

CMA solutions monitor the proper security within the ERP to reduce unauthorized changes.

2 Acquiring Fixed Assets

Prior to the acquisition of any fixed asset, a capital authorization is obtained.

3 Acquiring Fixed Assets

Fixed asset acquisitions are accurately recorded in the appropriate period.

4 Acquiring Fixed Assets All fixed asset acquisitions are recorded.

5 Acquiring Fixed Assets

Capital expenditure overruns are anticipated and properly approved.

6 Depreciating Fixed Assets Depreciation charges are valid.

CMA solutions monitor the proper security within the ERP to reduce unauthorized changes.

7 Depreciating Fixed Assets

Depreciation charges are accurately calculated and recorded.

8 Depreciating Fixed Assets

All depreciation charges are recorded in the appropriate period.

9 Disposing of Fixed Assets

Recorded fixed asset disposals represent actual disposals.

CMA solutions monitor the proper security within the ERP to reduce unauthorized changes.

10 Disposing of Fixed Assets All fixed asset disposals are recorded.

CMA solutions monitor the proper security within the ERP to reduce unauthorized changes.

11 Disposing of Fixed Assets

Fixed asset disposals (and related gain/loss) are accurately calculated and recorded.

12 Disposing of Fixed Assets

Fixed asset disposals (and related gain/loss) are recorded in the appropriate period.

13 Managing Fixed Assets

Records of fixed asset maintenance activity are accurately maintained.

14 Managing Fixed Assets Fixed assets are adequately safeguarded.

15 Managing Fixed Assets Fixed asset maintenance records are updated timely.

16 Managing Fixed Assets

The fixed asset register is reconciled to the general ledger on a regular basis.

17 Managing Fixed Assets

Management performs regular reviews for impairment of fixed assets.

18 Managing Fixed Assets

A physical inventory of fixed assets is taken periodically and reconciled to the fixed asset register and general ledger.

19 Maintaining Fixed Asset Register and/or Master File

Only valid changes are made to the fixed asset register and/or master file.

CMA solutions monitor master data files and General Ledger to ensure only valid changes are made.

20 Maintaining Fixed Asset Register and/or Master File

All valid changes to the fixed asset register and/or master file are input and processed accurately.

CMA solutions monitor master data files and general ledger to ensure only valid changes are made.

21 Maintaining Fixed Asset Register and/or Master File

Changes to the fixed asset register and/or master file are processed in a timely manner.

22 Maintaining Fixed Asset Register and/or Master File

Access to transactions such as depreciation, purging fixed assets, and changing the fixed asset register and master data should be reviewed on a regular basis.

CMA solutions monitor sensitive transaction access control to ensure that the appropriate people have access to such transactions.

= Significant opportunities to implement a controls monitoring and audit (CMA) solution

= Some opportunity to implement a controls monitoring and audit (CMA) solution

= Little or no opportunity to implement a controls monitoring and audit (CMA) solution

Section 8 – Inventory Management Process Controls

Inventory – both raw materials and work-in-progress – represents a significant asset for most companies. Auditors demand evidence that inventory on the books is salable and that well-controlled processes exist for accounting for inventory as it moves through the supply chain. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #8: Inventory Management Process Controls

Business Activity Point of Focus/ Control Objective Ability to Automate Description of Automation

1 Managing Inventory Inventory is salable or usable.

2 Managing Inventory Inventory is adequately safeguarded.

3 Managing Inventory Adjustments to inventory prices or quantities relate to valid price changes and physical inventory differences.

CMA solutions monitor access to change prices ensuring only authorized users can change prices.

4 Managing Inventory All adjustments to inventory prices or quantities are recorded accurately.

CMA solutions monitor access to change prices or quantities ensuring only authorized users can change prices.

5 Managing Inventory Adjustments to inventory prices or quantities are recorded in a timely manner and in the appropriate period.

6 Receiving and Storing Raw Materials

Raw materials are received and accepted only if they have valid purchase orders.

CMA solutions can identify materials without valid purchase orders.

7 Receiving and Storing Raw Materials

Raw materials received are recorded accurately.

CMA solutions monitor access to receive and record materials ensuring only authorized users can perform transactions.

8 Receiving and Storing Raw Materials

All raw materials received are recorded.

9 Receiving and Storing Raw Materials

Receipts of raw materials are recorded timely and in the appropriate period.

10 Receiving and Storing Raw Materials

Defective raw materials are returned timely to suppliers.

11 Requisitioning Materials

All transfers of raw materials to production are recorded accurately and in the appropriate period.

12 Producing/Costing Inventory

All recorded production costs are consistent with actual direct and indirect expenses associated with production.

CMA solutions monitor access to record production costs ensuring only authorized users can perform transactions.

13 Producing/Costing Inventory

All direct and indirect expenses associated with production are recorded as production costs.

14 Producing/Costing Inventory

All direct and indirect expenses associated with production are recorded accurately and in the appropriate period.

15 Producing/Costing Inventory

All transfers of completed units of production to finished goods inventory are recorded completely and accurately in the appropriate period.

CMA solutions monitor access to record transfers of completed units ensuring only authorized users can perform transactions.

16 Producing/Costing Inventory

All defective products and scrap resulting from the production process are valid and recorded completely and accurately in the appropriate period.

CMA solutions monitor access to record transfers of completed units ensuring only authorized users can perform transactions.

17 Handling Finished Products

Finished goods returned by customers are recorded completely and accurately in the appropriate period.

18 Handling Finished Products

Finished goods received from production are recorded completely and accurately in the appropriate period.

CMA solutions monitor access to record transfers of completed units ensuring only authorized users can perform transactions.

19 Handling Finished Products

Goods received from production or returned by customers are only accepted in accordance with the organization’s policies.

CMA solutions monitor access to goods received ensuring only authorized users can perform transactions.

20 Shipping Finished Products All shipments are recorded accurately.

CMA solutions monitor access to shipping ensuring only authorized users can perform transactions.

21 Shipping Finished Products

Shipments are recorded timely and in the appropriate period.

22 Shipping Finished Products

Inventory is relieved only when goods are shipped with approved customer orders.

CMA solutions can identify shipments without valid customer orders.

23 Shipping Finished Products

Costs of shipped inventory are transferred from inventory to cost of sales.

24 Shipping Finished Products

Costs of shipped inventory are recorded accurately.

CMA solutions monitor access to shipping ensuring only authorized users can perform transactions.

25 Shipping Finished Products

Amounts posted to cost of sales represent those associated with shipped inventory.

CMA solutions monitor access to shipping ensuring only authorized users can perform transactions.

26 Shipping Finished Products

Costs of shipped inventory are transferred from inventory to cost of sales timely and in the appropriate period.

27 Maintaining Inventory Master File

Only valid changes are made to the inventory management master file.

CMA solutions can monitor the master file and identify unauthorized changes.

28 Maintaining Inventory Master File

All valid changes to the inventory management master file are input and processed.

CMA solutions can monitor the master file and identify unauthorized changes.

29 Maintaining Inventory Master File

Changes to the inventory management master file are accurate.

CMA solutions monitor access to inventory management master data ensuring only authorized users can perform transactions.

30 Maintaining Inventory Master File

Changes to the inventory management master file are processed timely.

31 Maintaining Inventory Master File

Inventory management master file remains pertinent.

32 Inventory Accounting

Periodic inventory counts are performed to confirm inventory records. Selection of items for count is segregated from performing the count, which is in turn segregated from recording the count. System count is reflected on cycle count worksheets (e.g. “Blind” counts are performed).

33 Inventory Accounting Physical counts verify quantities on hand.

34 Inventory Accounting

Written instructions are used by physical count personnel that provide guidance on timing of the count, number and composition of the count teams, areas of responsibility, how to perform and record the physical counts and count sheet control.

35 Inventory Accounting

Discrepancies between physical counts and perpetual inventory records are researched prior to posting any adjustments to the perpetual and/or accounting records.

36 Inventory Accounting

Inventory count crews are supervised.

37 Inventory Accounting

Receiving/shipping during physical counts is controlled.

38 Inventory Accounting

Perpetual records are reconciled to physical counts.

39 Inventory Accounting

Perpetual/physical is reconciled to the general ledger.

40 Inventory Accounting

Procedures are in place to adjust slow moving, obsolete, or damaged items to their expected realizable value.

41 Inventory Accounting

Access to transactions such as inventory received, recording defective goods, shipping inventory and master data should be reviewed on a regular basis.

CMA solutions monitor segregation of duties access controls to ensure changes to inventory received, recording defective goods, shipping inventory and master data are segregated.

= Significant opportunities to implement a controls monitoring and audit (CMA) solution

= Some opportunity to implement a controls monitoring and audit (CMA) solution

= Little or no opportunity to implement a controls monitoring and audit (CMA) solution

Section 9 – Payroll Process Controls

Payroll is the largest monthly expenditure for most companies, yet few have effective ways to ensure proper business controls are in place and are monitored. Discrepancies resulting from poorly controlled processes – whether mistakes or fraud – can have a serious impact on a company’s financial statements. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #9: Payroll Process Controls

Business Activity Point of Focus/ Control Objective Ability to Automate Description of Automation

1 Hiring Personnel

Additions to the payroll master files represent valid employees.

CMA solutions monitor changes to employee master data.

2 Hiring Personnel All new employees are added to the payroll master files.

3 Terminating Personnel

Terminated employees are removed in a timely manner from the payroll master files.

CMA solutions can check for expired employee status.

4 Terminating Personnel

Employees are only terminated within statutory and/or union requirements.

5 Terminating Personnel

Deletions from the payroll master files represent valid terminations.

CMA solutions can monitor access to the master data file and ensure only authorized access, which reduces master file data errors.

6 Recording Time

Time and attendance data recorded reflects actual time worked and is authorized.

7 Recording Time Time worked is accurately input and processed.

8 Recording Time Time worked is processed in a timely manner.

9 Calculating Payroll Payroll is recorded in the appropriate period.

CMA solutions can monitor postings made out of period.

10 Calculating Payroll

Payroll (including compensation and withholdings) is accurately calculated and recorded.

11 Disbursing Payroll

Payroll disbursements and recorded payroll expenses relate to actual time worked.

12 Disbursing Payroll Payroll is disbursed to appropriate employees.

CMA solutions can check for expired employee status to ensure terminated employees are not receiving payroll.

13 Disbursing Payroll

Payroll registers are reviewed and approved before payroll is generated.

14 Maintaining Payroll Master Files

Only valid changes are made to the payroll master files.

CMA solutions can monitor access to the master data file and ensure only authorized access, which reduces master file data errors.

15 Maintaining Payroll Master Files

All valid changes to the payroll master files are input and processed.

16 Maintaining Payroll Master Files

Changes to the payroll master files are accurate.

17 Maintaining Payroll Master Files

Changes to the payroll master files are processed timely.

18 Maintaining Payroll Master Files

Access to the payroll master files is appropriately limited.

CMA solutions can monitor access to the master data file and ensure only authorized access, which reduces master file data errors.

19 Managing Payroll Accounting

Payroll related accruals/provisions reflect the existing business circumstances and economic conditions in accordance with the accounting policies being used.

20 Managing Payroll Accounting

All payroll sub-ledgers and payroll-related bank accounts are reconciled to the general ledger at least monthly.

= Significant opportunities to implement a controls monitoring and audit (CMA) solution

= Some opportunity to implement a controls monitoring and audit (CMA) solution

= Little or no opportunity to implement a controls monitoring and audit (CMA) solution

Section 10 – Revenue Process Controls

Managing sales orders and ensuring that orders are taken and delivered on time, that payment is collected quickly, and that revenue recognition conditions are met directly affect the integrity of a company’s financial reports. For large companies this can involve thousands of transactions a day. Last-minute orders, incorrect changes to master data and inappropriate returns can result in thousands of discrepancies. Small mistakes, such as over-extended credit and incorrectly recorded receivables, can add up and cause serious concern when it comes time to close the books. In fact, revenue recognition issues are one of the most common reasons for deficiencies in internal controls. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #10: Revenue Process Controls

Business Activity Point of Focus/ Control Objective Ability to Automate Description of Automation

1 Managing and Processing Orders

Credit reviews are required prior to entering into customer contracts.

2 Managing and Processing Orders

In determining the appropriate credit line, the following factors have been considered: the customer’s purchasing requirements, historical information about the company, credit rating indications, quantitative (financial) evaluation, and qualitative (non-financial) factors.

3 Managing and Processing Orders

Credit ratings and lines of credit are established utilizing a consistent methodology.

4 Managing and Processing Orders

Orders are only processed within approved customer credit limits.

CMA solutions can check if credit limits for existing customers have been exceeded.

5 Managing and Processing Orders

Orders are approved by management as to prices and terms of sale.

CMA solutions can check if appropriate approvals have been obtained.

6 Managing and Processing Orders

There is a policy for handling non-standard terms and conditions including appropriate management approval.

7 Managing and Processing Orders

Orders and cancellations of orders are input accurately.

CMA solutions can monitor access control to managing and processing orders so that only authorized transactions can be performed, which reduces errors.

8 Managing and Processing Orders

System logic prevents orders from being processed for invalid customers, customers that are on credit hold, or if the sales order puts the customer's credit balance in excess of their established credit limit.

CMA solutions can monitor orders that may be processed for invalid customers, on credit hold or exceeding their credit limit.

9 Managing and Processing Orders

Order entry data is transferred completely and accurately to the shipping and invoicing activities.

10 Managing and Processing Orders

All, and only, valid orders received from customers are input and processed.

CMA solutions can identify invalid orders.

11 Shipping The shipping function is properly segregated from the invoicing and accounts receivable functions.

CMA solutions can monitor access control to invoicing and accounts receivable functions to ensure segregation of duties.

12 Shipping There are standard policies and procedures and they are followed by personnel.

13 Shipping Sequentially numbered shipping documents (BOL, customs forms, ASN, etc.) are prepared for all items shipped.

14 Shipping The daily shipping register is reconciled against orders shipped.

15 Shipping Shipped orders are transferred for invoicing promptly.

16 Shipping Period-end procedures exist and are followed to ensure proper cutoff of shipping activity.

17 Invoicing, Sales Returns and Adjustments

Invoices are generated using authorized terms and prices.

CMA solutions can identify invoices with terms that fall outside the scope of authorized terms and prices.

18 Invoicing, Sales Returns and Adjustments

Invoices are accurately calculated and recorded.

19 Invoicing, Sales Returns and Adjustments

All goods shipped are invoiced. CMA solutions can identify goods shipped with no invoice.

20 Invoicing, Sales Returns and Adjustments

Invoices relate to valid shipments. CMA solutions can identify invoices with no goods shipped.

21 Invoicing, Sales Returns and Adjustments

All invoices issued are recorded.

22 Invoicing, Sales Returns and Adjustments

Invoices are recorded in the appropriate period. CMA solutions can identify invoices posted out of period.

23 Invoicing, Sales Returns and Adjustments

Credit notes and adjustments to accounts receivable are accurately calculated and recorded.

CMA solutions can monitor access control to credit notes and adjustments to accounts so that only authorized transactions can be performed, which reduces errors.

24 Invoicing, Sales Returns and Adjustments

Credit notes for all goods returned and adjustments to accounts receivable are issued in accordance with organization policy.

CMA solutions can identify credit notes and adjustments with terms that fall outside the scope of authorized credit and adjustments.

25 Invoicing, Sales Returns and Adjustments

All credit notes relate to a return of goods or other valid adjustments.

CMA solutions can identify credit notes with no goods returned.

26 Invoicing, Sales Returns and Adjustments

All credit notes issued are recorded.

27 Invoicing, Sales Returns and Adjustments

Credit notes issued are recorded in the appropriate period.

28 Invoicing, Sales Returns and Adjustments

Accounts Receivable reflects the existing business circumstances and economic conditions in accordance with the accounting policies being used.

29 Invoicing, Sales Returns and Adjustments

Sales and Accounts Receivable information is appropriately presented, and all information that is necessary for fair presentation and compliance with professional standards or legal requirements is disclosed.

CMA solutions can identify exceptions to sales and accounts receivable policies as well as ensure proper segregation of duties for access to sales and accounts receivables systems.

30 Processing Cash Receipts

Cash receipts are recorded in the period in which they are received.

CMA solutions can identify cash receipts posted out of period.

31 Processing Cash Receipts

Cash receipts data are entered for processing completely and accurately.

CMA solutions can monitor access control to cash receipts so that only authorized transactions can be performed, which reduces errors.

32 Processing Cash Receipts

Cash receipts data are valid and are entered for processing only once.

CMA solutions can identify duplicate cash receipts.

33 Processing Cash Receipts

Checks are manually logged with customer name, date and amount when received.

34 Processing Cash Receipts

Checks are restrictively endorsed immediately upon receipt.

35 Processing Cash Receipts

Checks are physically secured until deposited.

36 Processing Cash Receipts

Cash discounts are accurately calculated and recorded.

37 Processing Cash Receipts

Unapplied cash receipts are reviewed and resolved promptly.

38 Managing Accounts Receivable

Timely collection of accounts receivable is monitored.

39 Managing Accounts Receivable

All A/R accounts and sub-ledgers are reconciled to the general ledger at least monthly.

40 Managing Accounts Receivable

The A/R aging is reviewed at least monthly for past-due accounts and unusual items, and these items are followed up on a timely basis.

41 Managing Accounts Receivable

Bank reconciliations are prepared and reviewed timely.

42 Managing Accounts Receivable

The allowance for doubtful accounts is reviewed and adjusted (if necessary) at least quarterly for potential uncollectible accounts.

43 Managing Accounts Receivable

Write-off policies and procedures have been established and adhered to.

44 Maintaining Customer Master File

Only valid changes are made to the customer master file.

CMA solutions monitor access and transaction changes to the master file to ensure only appropriate people have access to the file and only appropriate changes are made to the file.

45 Maintaining Customer Master File

All valid changes to the customer master file are input and processed.

46 Maintaining Customer Master File

Changes to the customer master file are accurate and processed timely.

47 Maintaining Customer Master File

Customer master file data remains pertinent.

CMA solutions monitor access and transaction changes to the master file to ensure only appropriate people have access to the file and only appropriate changes are made to the file.

= Significant opportunities to implement a controls monitoring and audit (CMA) solution

= Some opportunity to implement a controls monitoring and audit (CMA) solution

= Little or no opportunity to implement a controls monitoring and audit (CMA) solution
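Items 30 and 32 of the checklist above (cash receipts posted out of period, duplicate cash receipts) can be written as exception tests over receipt records. The following Python example is added here and is not from the original document or from any CMA product; the record fields, the sample data and the use of calendar months as fiscal periods are assumptions.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample cash-receipt records. The field names are assumptions
# made for this example, not a schema from any ERP or CMA product.
RECEIPTS = [
    {"id": "CR-1001", "customer": "ACME", "check_no": "50231",
     "amount": Decimal("1250.00"), "received": date(2006, 11, 28), "period": "2006-11"},
    {"id": "CR-1002", "customer": "acme ", "check_no": "050231",
     "amount": Decimal("1250.00"), "received": date(2006, 11, 28), "period": "2006-11"},
    {"id": "CR-1003", "customer": "GLOBEX", "check_no": "7718",
     "amount": Decimal("980.40"), "received": date(2006, 12, 1), "period": "2006-11"},
    {"id": "CR-1004", "customer": "INITECH", "check_no": "0042",
     "amount": Decimal("310.00"), "received": date(2006, 12, 4), "period": "2006-12"},
]

def out_of_period(receipts):
    """IDs of receipts posted to a period other than the month received.

    Assumes fiscal periods are calendar months written as YYYY-MM.
    """
    return [r["id"] for r in receipts
            if r["received"].strftime("%Y-%m") != r["period"]]

def duplicates(receipts):
    """Groups of receipt IDs that share customer, check number and amount."""
    groups = defaultdict(list)
    for r in receipts:
        # Normalise case, whitespace and leading zeros so that re-keyed
        # entries of the same check still collide on the same key.
        key = (r["customer"].strip().upper(),
               r["check_no"].strip().lstrip("0"),
               r["amount"])
        groups[key].append(r["id"])
    return [ids for ids in groups.values() if len(ids) > 1]

def exception_report(receipts):
    """Exceptions grouped by the control objective they relate to."""
    return {"posted_out_of_period": out_of_period(receipts),
            "possible_duplicates": duplicates(receipts)}

if __name__ == "__main__":
    for control, hits in exception_report(RECEIPTS).items():
        print(control, hits)
```

Each hit is an exception for a reviewer to clear, not proof of an error: a receipt dated on the first day of a month may legitimately belong to the prior period's cut-off under the organization's policy.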

Section 11 – Treasury Process Controls

Effective controls for managing cash receipts, disbursements and loans are critical to the integrity of a company’s financial reporting. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #11: Treasury Process Controls

Business Activity | Point of Focus / Control Objective | Ability to Automate | Description of Automation

1 Borrowing Recorded debt represents a valid liability of the organization.

2 Borrowing Borrowings are recorded accurately as to amounts and terms.

3 Borrowing All borrowings are recorded in the appropriate period.

4 Borrowing All interest is accurately calculated and recorded in the appropriate period.

5 Borrowing Recorded loan repayments are valid.

6 Borrowing Loan repayments are accurately recorded.

7 Borrowing All loan repayments are recorded in the appropriate period.

8 Borrowing Loans are repaid in accordance with the terms of the loan.

9 Borrowing The organization complies with loan covenants.

10 Managing Cash and Investments

Cash receipts are reconciled to general ledger postings daily.

11 Managing Cash and Investments

Recorded investments represent assets of the organization.

12 Managing Cash and Investments

Investment purchases, sales, and maturities are accurately recorded.

13 Managing Cash and Investments

All investment transactions are recorded in the appropriate period.

14 Managing Cash and Investments

All investment income is accurately calculated and recorded in the appropriate period.

15 Managing Cash and Investments

Bank reconciliations are prepared and reviewed in a timely manner.

16 Managing Derivative Transactions

Senior management has an understanding of the organization's derivative activities.

17 Managing Derivative Transactions

Recorded derivative transactions represent assets or liabilities of the organization.

18 Managing Derivative Transactions

Disclosed off-balance sheet derivative transactions represent valid transactions.

19 Managing Derivative Transactions

Derivative transactions are accurately recorded.

20 Managing Derivative Transactions

Disclosed off-balance sheet derivative transactions are properly presented.

21 Managing Derivative Transactions

All derivative transactions are recorded in the financial statements.

22 Managing Derivative Transactions

All off-balance sheet derivative transactions are disclosed in the financial statements.

23 Managing Derivative Transactions

Derivative transactions are recorded in the appropriate period.

24 Managing Derivative Transactions

Off-balance sheet derivative transactions are recorded in the financial statements in the appropriate period.

25 Managing Derivative Transactions

All investment income on derivative transactions is accurately calculated and recorded in the appropriate period.

26 Managing Derivative Transactions

All interest expense on derivative transactions is accurately calculated and recorded in the appropriate period.

27 Cash Accounting

Reconciliations of all cash and investment accounts are performed monthly.

28 Cash Accounting

Appropriate segregation of duties is established for the input, release and reconciliation of wire transfers and daily cash activity.

29 Cash Accounting

All bank accounts have been authorized by Corporate treasury.

30 Cash Accounting

Appropriate procedures are established to ensure signers on bank accounts are properly removed upon termination.

31 Cash Accounting

Policy has been established which defines appropriate Petty Cash amounts, usage, required approvals and replenishment procedures.

32 Cash Accounting

Petty cash accounts are reconciled to the general ledger at least monthly.

33 Cash Accounting

Only miscellaneous items less than a pre-defined amount are paid through petty cash.

34 Cash Accounting

All payments are supported with appropriate documentation and are reviewed for reasonableness.

35 Cash Accounting

The cash balances in the petty cash funds are reconciled and reviewed by an independent person monthly.

= Significant opportunities to implement a controls monitoring and audit (CMA) solution

= Some opportunity to implement a controls monitoring and audit (CMA) solution

= Little or no opportunity to implement a controls monitoring and audit (CMA) solution

Section 12 – SOX Checklist

Checklist #12 - SOX Policy Evaluation Checklist

Financial Statement | Area of Significance | Financial Statement Element | Policy

Cash receipts Bank account reconciliations Banking policy and relationships Cash disbursements/manual checks Check signing requirements Outstanding checks General cash Petty cash

Cash & Cash Equivalents

Deposits Investment responsibility Foreign currency translation Fair value of financial instruments Derivatives policy Investments in associated companies Functional currency Hedging guidelines

Investments/ Foreign Exchange

Investment portfolio composition General accounts receivable Credit memos Allowance for doubtful accounts/credit risk Credit risk Credit balances Customer deposits Records maintenance

Accounts Receivable

Invoice billings AFE's Acquisitions and dispositions Assets of discontinued operations Disposals Asset retirement obligations Reconciliations Physical asset security General property and equipment

Property and Equipment

Inventory Inventory accounting Physical inventory procedures Multi-client library Goodwill and intangible assets Other long-lived assets Other current assets (pre-paid expenses, inventory, spares, deferred costs, advances) Software costs

Balance Sheet

Assets

Other Assets

General other assets

Accounts payable Competitive bids Request for proposal Purchase requisitions Purchase orders Contracts Purchasing procedures Vendor selections Vendor file maintenance

Accounts Payable

Equipment rentals General Accrued expenses (employee benefits, debt restrictions, vessel operations, interest, severance, advances) Deferred revenue Allowance for bad debts Bank overdrafts Income taxes Accrued employee compensation Deferred taxes

Other Liabilities

Warranties General Long-term debt (Approval, debt issuance cost, accounting for current maturities) Subsidiaries with separate debt Operating and capital lease obligations

Debt Short-term debt

Capital stock

Liabilities

Stockholders' Equity Stock transactions

Revenue recognition Revenues

Revenue reporting Cost of sales Third party reimbursable expenses Payroll Operating income (expense) Capitalization Depreciation and amortization Research and development Selling, general and administrative costs Travel and entertainment Impairment of long-lived assets Steaming and mobilization Income (loss) from associated companies Interest expense/income Minority expense Results of discontinued operations Insurance Other expenses

Income Statement

Expenses

Fiscal adjustments

Chart of accounts Consolidation Segment reporting and disclosures Reporting packages Business combinations Period-end financial reporting Month-end closing procedures Reconciliations Inter-company allocations Variable interest entities Commitments and contingencies

Related parties Disclosures Process change control Unusual transactions Budgeting and forecasts Release of financial/ confidential information

Financial Management

Journal entry Employment (hiring, promotion) policies Employee benefits Compensation / Payroll Termination Performance appraisals Executive compensation Incentive compensation Employee handbook Attendance, holidays, vacation, sick leave Relocation payments Internal transfers Family & medical leave Americans with Disabilities Act Share-based compensation plans Fair employment practices Orientation and training Employment verifications / background check Equal opportunity Sexual harassment / other harassment New employee processing Hiring of consultants / contractors

Human Resources

Personnel files and records Information security Systems change policy Software licensing

Information Technology

Electronic information (e-mail) systems Trade shows Workplace rules, safety and health Disaster management / business resumption Corporate credit cards Use of company vehicles

General

Other

Magazine subscriptions

Record retention, storage and disposal Ethics hotline and policy on handling of complaints US Antitrust Law Compliance Delegation of authority Code of Conduct Entertainment and gifts Insider trading Related party transactions Conflict of interest Foreign corrupt practices act

General

Personal loans to directors and executive officers Corporate governance guidelines Audit committee charter

Board of Directors Remuneration committee charter

Internal audit charter

Corporate Governance

Internal Audit Pre-approval of audit and non-audit services

ABOUT APPROVA

Approva® Corporation is the industry-leading provider of continuous controls monitoring and audit software. We enable business, finance, IT and audit professionals to automate the on-demand testing, closed-loop remediation and continuous, exception-based monitoring of controls within and across their business systems. Using our solutions, customers are able to significantly increase visibility into their controls, streamline the audit process, cost-effectively sustain their compliance initiatives and reduce exposure to mistakes, fraud and inefficiencies for business processes such as procurement, sales and delivery, payroll and financial close. In addition, our automated solutions act as key preventative and detective controls, further strengthening our customers’ financial and operational control environments.

Global companies such as Campbell Soup Company, Colgate-Palmolive, the Commonwealth of Pennsylvania, DirecTV, Discovery Communications, McCormick & Company, P&G, Pratt & Whitney, Siemens and Wyndham Hotels & Resorts rely on Approva BizRights® Platform and Enterprise Controls Suite to reduce compliance risk, increase operational efficiency and flag exceptions to their business controls.

For more information:

Website: www.approva.net
Information: [email protected]
Sales: [email protected]