Case Study 1
A multinational company took the requirement to comply with s404 of the Sarbanes–Oxley Act as an opportunity to assess the effectiveness of its internal control generally, not just internal controls over financial reporting.
First, the accounting processes that could lead to financial misstatements were identified. Second, mission-critical operational processes were identified where there were significant risks of not achieving business objectives and/or risks of misstatement. These accounting and operational processes were documented in process maps (flowcharts), using distinctive symbols to denote what were considered to be key s404 controls, other key financial controls and key operational controls. These controls were described in a spreadsheet-based control register, supplemented where necessary by further process narrative. From this understanding of each process, deficiencies in control procedures were identified and corrected. Using predetermined, documented test scripts, each key control within a process was then tested for compliance prior to drawing a conclusion about the internal control effectiveness of the process.
Initially this work was done by the internal audit function, before being transferred to become an ongoing responsibility of management, working to an annual cycle.
Case Study 2
To be useful, process narrative on internal control must be sufficiently specific to indicate whether control is effective. In the three examples below, only the third is adequate. The reader of the first and second examples will be unclear as to whether it is merely the narrative that is inadequate, or whether internal control itself is inadequate.
Control Documentation: Poor
A report on duplicate invoices is produced before payments are made. It is looked at and approved by someone who plays no other part in the order processing and invoicing procedures.
Control Documentation: Average
Each day, before the payments processing run, the senior creditors clerk (SCC) investigates a report on possible duplicate invoices. The SCC signs and dates this report when the check has been completed, and sends the report to James Smith for second review and final approval. James signs and dates the report to indicate completion of his review and approval of the SCC’s investigation.
Neither James nor the SCC has access to the purchase order or invoice processing SAP modules or the manual parts of those subsystems.
Control Documentation: Good
Daily, before the IT-based processing of payments, the SCC personally prints out a possible duplicate payments report from the payables module in SAP (SAP report code 9VDFZ3). This report may indicate five possible types of duplicate (refer to details in the process narrative).
The SCC investigates the possible duplicate invoices as indicated in the report by checking the accuracy of invoice data captured in the SAP accounts payable module against original invoices, making sure that each invoice is valid by reference to source documentation such as purchase orders as necessary.
The SCC has no responsibility for other elements of this system, not having any involvement in, or other access to, the processing of purchase orders or invoices—these access rights are blocked to the SCC by the accounts payable module.
When the SCC has completed the investigation, he signs and dates the possible duplicate payments report to indicate that the investigation has been completed. His manager then reviews the possible duplicate payments report, together with the relevant supporting evidence and comments from the SCC’s investigation. If the manager is satisfied by the investigation and supporting evidence, he signs and dates the possible duplicate payments report to indicate approval of the SCC’s investigation.