* Audit manual transactional input of transactions and support operations reviews and individual transaction processing.
* Integrate with other systems (such as the inventory management system) and cross-check the system counts against individual transactional processing product accumulations.
* Support internal and external audits by providing detailed logs of each transaction and the results of the business-model audit. The system will check every transactions, every resource and will be able to provide statistical sampling when needed for operations and personnel reviews.
* Log each activity that takes place as a record of accounting events and transactions.
* Provide alerts or warnings for appropriate internal management of activities not meeting the business model or new regulations coupled with instantaneous reporting and documentation of these alerts/warnings.
Monitoring
Monitoring consists of the process that assesses the quality of internal control performance over time. A control system needs to be monitored to ensure that it continues to operate effectively and as intended. Without continual and effective monitoring, a control process may fall into a state of disrepair or not be executed altogether.
Consequently, a SOX tool set must run in real time on a 24x7 basis and unattended. You must be able to systematically monitor all activities and transactions corporate wide, with exception reporting used to identify control lapses and gaps. These transactions must be audited both operationally and financially against the business model. This implies a SOX tool set must have the flexibility to incorporate the rules of your business. To facilitate the recording and editing of these rules and to avoid hard coding or programming changes, you should consider a knowledge-based methodology, external to the tool set. As a result, approved rules can be entered without major effort from an organization's technical staff.
Business activity monitoring within a corporate information environment is evolving quickly. SOX, in many cases, requires that a tool set provide continuous activity monitoring, thereby allowing instant insight into corporate performance. As previously noted in the Information and Communication section, the sooner red flags are raised, the more time management has to evaluate and correct financial shortcomings.
Let's look at a simple example of operational/financial interaction when dealing with the purchase of an item to illustrate the monitoring component. The first rule is that the item purchase be from a known, legitimate, supply resource with which the corporation has a relationship. The same rule applies to the reason for the purchase. The internal resource to which the item will go may be product inventory, cost center inventory, or equipment or services. Depending on GAAP rules, the nature of the purchase and the business policies of how to allocate the cost of different purchases, the tool set must be able to compute auditable financial entries into the appropriate accounts. It must also update the supplier relationship with an accrued payable to verify the transaction when an invoice is received and posted into accounts payable.
The rules vary for different types of internal resources but all are available in resource-centric control files. On the other hand, when rules are changed by an authorized person, the resource-centric file will contain the new rules. It will also document who authorized the change, when, and the commencement date.
The same facility can be used for sales transactions with similar rules applied consistently from estimation, order entry, shipment and invoicing as to pricing, discounting, cost of sales and the reduction of product inventory, the computation of sales taxes to be collected and paid to the government and where applicable accrual of sales commissions. Manual adjustments and other infrequent transactions must undergo similar verification.
The resource-centric control files give everyone a cohesive picture of all the rules that apply to each type of resource. For example, product/inventory control files will contain the rules for sales, purchases, and all price, cost, and volume adjustments.
The timeliness of information distribution is critical and can take several forms such as alerts and warnings on "dashboards," e-mails, and text pages on a phone or PDA. E-mailing of control exceptions to the appropriate user and next-level supervisor must receive consideration, so problems can receive prompt attention and resolution. Additionally, a query language capability is a useful and necessary facility to satisfy ad hoc reporting requirements for analysis and on-demand information needs to allow those accountable and responsible to monitor, validate, and use the information collected.
Some words of caution regarding internal controls are warranted. The type of continuous monitoring process needed for SOX will put an additional strain on your control processes. You will need to have consistent, verifiable, and monitored internal processes regarding problem resolution when dealing with business activity defects. After error detection, the reconciliation process begins with understanding who's responsible and accountable for correcting the problem and when must it be corrected. Of course, someone, most likely in an audit function, will need to "mind the store" in this regard. The tool set must also provide the necessary support in this area.
SOURCE:
http://www.technologyevaluation.com/research/articles/attributes-of-sarbanes-oxley-tool-sets-part-two-information-and-communication-monitoring-and-startup-tips-17127/
* Integrate with other systems (such as the inventory management system) and cross-check the system counts against individual transactional processing product accumulations.
* Support internal and external audits by providing detailed logs of each transaction and the results of the business-model audit. The system will check every transactions, every resource and will be able to provide statistical sampling when needed for operations and personnel reviews.
* Log each activity that takes place as a record of accounting events and transactions.
* Provide alerts or warnings for appropriate internal management of activities not meeting the business model or new regulations coupled with instantaneous reporting and documentation of these alerts/warnings.
Monitoring
Monitoring consists of the process that assesses the quality of internal control performance over time. A control system needs to be monitored to ensure that it continues to operate effectively and as intended. Without continual and effective monitoring, a control process may fall into a state of disrepair or not be executed altogether.
Consequently, a SOX tool set must run in real time on a 24x7 basis and unattended. You must be able to systematically monitor all activities and transactions corporate wide, with exception reporting used to identify control lapses and gaps. These transactions must be audited both operationally and financially against the business model. This implies a SOX tool set must have the flexibility to incorporate the rules of your business. To facilitate the recording and editing of these rules and to avoid hard coding or programming changes, you should consider a knowledge-based methodology, external to the tool set. As a result, approved rules can be entered without major effort from an organization's technical staff.
Business activity monitoring within a corporate information environment is evolving quickly. SOX, in many cases, requires that a tool set provide continuous activity monitoring, thereby allowing instant insight into corporate performance. As previously noted in the Information and Communication section, the sooner red flags are raised, the more time management has to evaluate and correct financial shortcomings.
Let's look at a simple example of operational/financial interaction when dealing with the purchase of an item to illustrate the monitoring component. The first rule is that the item purchase be from a known, legitimate, supply resource with which the corporation has a relationship. The same rule applies to the reason for the purchase. The internal resource to which the item will go may be product inventory, cost center inventory, or equipment or services. Depending on GAAP rules, the nature of the purchase and the business policies of how to allocate the cost of different purchases, the tool set must be able to compute auditable financial entries into the appropriate accounts. It must also update the supplier relationship with an accrued payable to verify the transaction when an invoice is received and posted into accounts payable.
The rules vary for different types of internal resources but all are available in resource-centric control files. On the other hand, when rules are changed by an authorized person, the resource-centric file will contain the new rules. It will also document who authorized the change, when, and the commencement date.
The same facility can be used for sales transactions with similar rules applied consistently from estimation, order entry, shipment and invoicing as to pricing, discounting, cost of sales and the reduction of product inventory, the computation of sales taxes to be collected and paid to the government and where applicable accrual of sales commissions. Manual adjustments and other infrequent transactions must undergo similar verification.
The resource-centric control files give everyone a cohesive picture of all the rules that apply to each type of resource. For example, product/inventory control files will contain the rules for sales, purchases, and all price, cost, and volume adjustments.
The timeliness of information distribution is critical and can take several forms such as alerts and warnings on "dashboards," e-mails, and text pages on a phone or PDA. E-mailing of control exceptions to the appropriate user and next-level supervisor must receive consideration, so problems can receive prompt attention and resolution. Additionally, a query language capability is a useful and necessary facility to satisfy ad hoc reporting requirements for analysis and on-demand information needs to allow those accountable and responsible to monitor, validate, and use the information collected.
Some words of caution regarding internal controls are warranted. The type of continuous monitoring process needed for SOX will put an additional strain on your control processes. You will need to have consistent, verifiable, and monitored internal processes regarding problem resolution when dealing with business activity defects. After error detection, the reconciliation process begins with understanding who's responsible and accountable for correcting the problem and when must it be corrected. Of course, someone, most likely in an audit function, will need to "mind the store" in this regard. The tool set must also provide the necessary support in this area.
SOURCE:
http://www.technologyevaluation.com/research/articles/attributes-of-sarbanes-oxley-tool-sets-part-two-information-and-communication-monitoring-and-startup-tips-17127/
0 comments:
Post a Comment