In the final part of this series, we will look at IT General Controls, the Financial Reporting Cycle and the General Control Environment. If you missed parts 1 and 2, they can be found at the following links:
IT General Controls
Security. Are passwords and encryption used? Are passwords sufficiently strong and changed regularly?
WHY? Maintaining proper passwords reduces the risk of inappropriate access to the system by employees or external parties.
System access. Are new users approved and is access for leavers removed promptly? Is a periodic review performed to ensure that users can only access the parts of the system appropriate for their role?
WHY? Properly controlling access to systems reduces the risk that invalid transactions will occur.
Back-up and recovery. Is regular back-up performed and is this tested to ensure it will work in the event it needs to be relied on? Does the back-up method ensure the back-up is physically separate and secure?
WHY? If back-up is not performed regularly (and tested), the organisation may have problems continuing to operate if unforeseen problems occur (for example, a fire).
System changes. Where applicable, are any modifications to the systems made by management properly approved and tested before they are made?
WHY? Modifications to the system may affect the way the organisation operates, so proper approval and testing helps ensure these are done correctly.
Physical security. Are key IT assets physically secure, for example through being kept in a locked room?
WHY? Ensuring assets are physically secure reduces the risk they may be stolen or tampered with.
Financial Reporting Cycle
Balance sheet reconciliations. Are balance sheet accounts reconciled to detailed listings or other support on a regular basis?
WHY? Regular reconciliation of key balance sheet accounts helps to identify any errors on a timely basis, so that they can be resolved before they escalate.
Journals. Are manual journals reviewed by someone independent of the poster where possible? If this is not practical, does management perform a regular review of financial results?
WHY? Posting of manual journals can significantly affect an organisation's financial statements. Therefore, journals should be approved individually or through review of financial results in total.
General Control Environment
Financial reporting. Is a budget and cashflow forecast prepared? Is financial performance against budget reviewed regularly?
WHY? Robust financial reporting allows performance to be monitored and problems to be identified early so that management can respond as quickly as possible.
Delegated authority. Is there clear documentation of the level of transaction which members of management are able to approve?
WHY? Clear delegation of authority reduces the risk of fraud and helps to ensure that the organisation only enters transactions it should.
Code of conduct. Does the organisation have written policies to set out how employees should behave?
WHY? A written code of conduct establishes a strong "tone at the top" and helps to increase staff accountability.
Written procedures. Where necessary, are written procedures in place to document how complex parts of key roles are performed?
WHY? Written procedures help to train new employees, identify gaps in control, increase staff accountability and reduce the risk of problems if key staff leave.
Risk management. Is there a risk register in place? Does management have a disaster recovery plan and is this kept up to date?
WHY? Planning for how to respond to risks reduces the chance that decisions are made poorly or too slowly when those risks arise.
Succession planning. Have the roles which are most critical to the operation of the business been identified? If key staff members leave or are absent long-term, does management have a response planned?
WHY? Small organisations in particular can be significantly impacted if key team members leave or are absent. Planning for this reduces the risk of significant impact.
Compliance. Is there a method to ensure the organisation monitors all of its compliance obligations (e.g. filings, new laws and regulations)?
WHY? Capturing and monitoring compliance obligations helps to reduce the risk of non-compliance, late filing and fines or other penalties.
Contract approval. Is there an established method for approving contracts the organisation enters into, and are these signed by an appropriate individual?
WHY? Ensuring that contracts are properly reviewed reduces the risk that the organisation will enter into commitments it should not.
Service providers. Does the organisation monitor the performance of its service providers?
WHY? Procedures to monitor whether service providers are performing their work accurately and efficiently help to reduce the risk of errors and to ensure the organisation gets value for money.
Key performance indicators. Has management identified the key performance indicators for the business and is performance against these monitored?
WHY? Key performance indicators help the organisation focus on what is important and increase staff accountability.
Related parties. Is a list of related parties maintained?
WHY? Organisations are required to disclose related party transactions in their financial statements. Maintaining a list of related parties will facilitate this and help ensure the organisation does not enter into inappropriate transactions.
I hope that this series of articles has been useful in helping you check the health of the controls in your own organisation.
If you would like us to help you review your controls and procedures then please get in touch.
Find out more about Gary Pready