KnowledgeLeader provides best practice articles, tools, guides and other resources on compliance. This page contains an alphabetized list of all of the resources and tools on compliance that are available for download on KnowledgeLeader. The tools are provided in downloadable versions, so they can be customized for use in your organization.
2014 Trends in the Insurance Industry
Changes in the insurance industry historically move at a slow and steady pace, yet in recent years, by industry standards, they have become increasingly dynamic and fast-paced. This article focuses on five of these elements/trends and discusses their implications for the industry.
2015 Internal Audit Capabilities and Needs Survey of Healthcare Provider Organizations
The 2015 healthcare provider organization results from AHIA and Protiviti shed light on the ways in which CAEs and internal audit professionals are performing strategic juggling acts while providing assurance across an ever-increasing number of risk areas.
A Guide for Documenting Processes and Controls for Sarbanes-Oxley
This guide is designed to help establish consistent Sarbanes-Oxley documentation standards throughout an organization. It discusses documentation types to use, how to document risks and controls, and follow-up procedures to take after the documentation process is complete.
A Time for Transformation: Internal Audit Helps Guide Barclays in Mission to Become “Go-To” Bank
Barclays PLC is a financial services provider that has built an extensive international presence in more than 50 countries. It’s also credited with a number of firsts, including offering the first credit card in the United Kingdom and the world’s first ATM. In 2012, internal audit launched a transformation program with a goal of turning Barclays into a “Go-To” bank. As part of this effort, Barclays developed a Purpose and Values program for the entire organization. In this profile, Michael Roemer, Head of Internal Audit, discusses internal audit’s robust agenda, including spearheading the effort to redesign Barclays’ governance, risk and compliance framework. One outcome of this effort is a comprehensive guide that outlines how Barclays operates - from its governance structures and control environment, to employees’ code of conduct and management’s strategic decision-making process.
Accounts Payable Policy
This policy is for invoices paid by accounts payable. It primarily focuses on operating invoices, employee advances, expense reports and casual labor/subcontractors. It also contains a comprehensive analysis on the two ways of processing operating invoices—with accounting system-generated purchase orders for inventory items and without accounting system-generated purchase orders for non-inventory items.
Accounts Receivable Policy
This policy establishes guidelines for receivables management, focusing on receivable reserves, write-offs and recovery.
Accounts Receivable/Credit & Collections Audit Work Program
This work program explains the audit steps that should be followed while evaluating a company’s compliance with corporate policies, procedures and known best practices in relation to accounts receivable and credit and collections.
Achieving Sustainability by Integrating the Section 404 and Section 302 Compliance Process
In this issue of The Bulletin, we focus on strategies for integrating compliance activities around Sections 302 and 404 of SOX with the objective of achieving sustainability of the internal control structure.
Advertising and Promotion Audit Work Program
This sample audit program includes an overview for understanding and engaging in a review of controls around advertising and promotions.
AML Audit Checklist
The USA PATRIOT Act requires that all financial institutions maintain an anti-money laundering (AML) program that is tested by independent auditors. This audit checklist is intended to assist financial institutions in preparing for the independent tests of their AML programs. It identifies areas that are generally within the audit scope, and lists the types of information that the auditors will likely request.
Anti-Bribery Compliance Program Policy
This sample outlines a set of policies and procedures to prevent violation of any and all national and international anti-bribery and anti-corruption laws and treaties. All employees, agents of the Company, joint-venture partners, or anyone else doing business in Company X’s name, are required to comply strictly with the FCPA, all other applicable anti-bribery and anti-corruption treaties, and all national laws.
AP Invoice Process: Material Goods Process Flow
The accounts payable (AP) function essentially handles all payments outside of payroll, and is therefore enormously important to an organization. An ineffective accounts payable process can hinder a company’s ability to process invoices on time and properly manage late, incorrect or duplicate payments. This process flow sample focuses on the accounts payable process for material goods invoices at a refinery.
Assessing Risks and Internal Controls Guide
This presentation was developed to help with training process owners to assess risks and take responsibility for managing internal controls.
Asset and Liability Management Policy Review Audit Work Program
This audit work program reviews the policies governing the asset and liability management process. While performing this review, an auditor can determine if these policies are reviewed on a regular basis and assess the board of directors’ and asset and liability management committee’s oversight of this function within the organization.
Audit Committee Annual Planning Schedule
This sample schedule provides an annual planner for audit committee activities and demonstrates how to schedule and track audit committee activities throughout the year.
Audit Committee Charter: Sample 1
This sample charter outlines the purpose, composition, meeting procedures, responsibilities and duties, and annual performance evaluation requirements of the audit committee.
Audit Committee Charter: Sample 2
This sample charter outlines the purpose, authorities and responsibilities of the audit committee.
Audit Committee Charter: Sample 3
This sample charter outlines the purpose, structure and operations, responsibilities and duties, and meeting procedures of the audit committee.
Audit Committee Charter: Sample 4
Audit committees assist the board in monitoring the integrity of the financial statements, external auditor qualifications, performance of the internal audit function and external auditors, and company’s compliance with regulatory requirements. This charter provides one example.
Audit Committee Charter: Sample 5
Audit committees assist the board in monitoring the integrity of the financial statements, external auditor qualifications, performance of the internal audit function and external auditors, and company’s compliance with regulatory requirements. This charter provides one example.
Audit Committee Charter: Sample 6
This sample charter outlines the role, membership procedures, operations, communications/reporting, education requirements, authorities and responsibilities of the audit committee.
Audit Committee Charter: Sample 7
This sample charter outlines the purpose and authority, membership and meeting procedures, and duties and responsibilities of the audit committee.
Audit Committee Charter: Sample 8
This sample charter outlines the purpose, procedures, and oversight responsibilities of the Audit Committee of the Board of Directors.
Audit Committee Report: Annual Audit Plan
This sample audit report outlines the procedures for preparing and reporting an audit plan to the audit committee.
Audit Committee Self-Assessment Checklist
This is a sample self-assessment checklist for audit committees to use when evaluating their current involvement in a company’s control environment.
Audit Plan Presentation
This example presentation shows some of the documents that can be included in the presentation of the audit plan to management and the audit committee.
Audit Planning Memo
The purposes of the audit plan are, first, to contribute to the effectiveness of the audit and, second, to contribute to the audit efficiency. This memorandum should be completed and approved as part of the initial audit planning process.
Auditing a Compliance and Ethics Program
Improving governance results is critical to every organization, and auditing an organization’s compliance and ethics program is a key means for internal audit to support good governance. This article outlines leading practices regarding compliance and ethics programs.
Authorization to Use or Disclose PHI HIPAA Policy
This policy outlines a set of procedures regarding covered entities obtaining authorization to use or disclose protected health information (PHI).
Basel III Overview
Developed by the Basel Committee on Banking Supervision, Basel III is a comprehensive set of reform measures intended to strengthen the regulation, supervision and risk management of the banking sector. This guide provides a detailed overview of the standard.
Best Practices in Managing an Ethics and Compliance Hotline
An ethics and compliance hotline is an anonymous reporting mechanism that facilitates reporting of possible illegal, unethical, or improper conduct when the normal channels of communication have proven ineffective, or are impractical under the circumstances. This guide provides the best practices for managing an ethics and compliance hotline.
Beyond HIPAA: Improving Cybersecurity for Healthcare Organizations
In this article, we stress the importance of healthcare leaders initiating risk discussions among their boards and the technology, medical and legal stakeholders within their organizations.
Big Data in the Healthcare Industry
This guide discusses the challenges and benefits associated with the application of big data in the healthcare industry, including how it can help to reduce healthcare costs in the U.S.
Board of Directors Authorization Charter
This sample charter determines the objective, authority, communications/reporting and responsibilities of the board of directors.
Building Upon Section 404 Compliance: Moving Beyond Year One
In this issue of The Bulletin, we outline imperative steps for certifying officers to take to demonstrate care in reinforcing the responsibility and accountability of process owners, and in supporting these owners in their respective roles. Certifying officers should waste no time in giving these steps their strongest consideration and in discussing their conclusions with the audit committee and board of directors.
Business Continuity Management Methodology
Business continuity management (BCM) is best addressed by using a proven methodology. The methodology should be based upon the risks related to an organization’s key business processes which, if they were to be interrupted, might otherwise bring about a seriously damaging or potentially fatal loss to the enterprise. This seven-phased BCM methodology adheres to industry best practices and can be tailored to companies of all sizes.
Business Continuity Process Ownership Policy
This sample establishes policies and procedures for business continuity process ownership.
Business Control Deficiency Decision Process Questionnaire
This questionnaire serves as a guide in determining the severity of deficiencies cited during the internal control testing process. The results of this process are used to determine potential significant deficiencies and material weaknesses.
Business Ethics Questionnaire
This questionnaire is designed to help risk management professionals determine how well their companies are addressing risks in this area and to bring awareness to ethics programs. It also provides guidelines on how to measure the performance of business ethics processes.
Business Impact Analysis: Disaster Recovery Plan Checklist
This checklist allows a disaster recovery plan to be rated. Being able to recover critical systems is important to every organization, but to be successful, an enterprise must establish a method to rank applications and systems and to recover them in a timely manner.
Business Self-Assessment Methodology
Business Self-Assessment is Protiviti's dynamic self-assessment approach that leverages organizational knowledge to improve business performance at the entity or process level. Utilizing risk as its foundation, BSA uniquely integrates the assessment of strategic objectives, risks, controls and process-improvement opportunities.
Capability Maturity Model (CMM)
The Capability Maturity Model (CMM) is a framework that describes an improvement path from an ad-hoc, immature process to a mature, disciplined process focused on continuous improvement. The CMM defines the state of a process using a common language which is based on the Carnegie Mellon Software Engineering Institute Capability Maturity Model. The CMM consists of a continuum of five process maturity levels, enabling process owners to rate the state, or maturity, of a given process as Initial, Repeatable, Defined, Managed or Optimizing.
Capitalizing on Sarbanes-Oxley Compliance to Build Supply Chain Advantage
Executives rely on internal controls to provide a reasonable level of assurance that supply chain processes and financial transactions function as designed. As a result, executives should adopt a back-to-basics approach to understanding and prioritizing supply chain risks, capabilities, measures and controls, beginning with but expanding beyond their material impact on the company's financial statements. This booklet, co-produced by Protiviti and APICS, details how the Sarbanes-Oxley Act (SOX) has a complementary impact on supply chain risks in infrastructure design, transaction integrity and reporting measures. It also focuses on corporate governance requirements such as executive certification and internal controls over financial reporting. The scenarios we highlight demonstrate how the failure of supply chain “operational controls” can strain an organization’s ability to produce reliable and fairly presented financial statements.
Charge Description Master Policy
This sample policy ensures that the charge description master for all departments within a company is complete and accurate in regard to charge-code maintenance.
Chief Credit Officer Job Description
This job description outlines responsibilities and qualifications for a chief credit officer.
Chief Risk Officer Job Description
This job description provides an overview, job duties and specifications for the chief risk officer role.
Chief Risk Officer Job Description: Sample 2
This job description outlines responsibilities and requirements for the chief risk officer position.
Code of Business Conduct Policy
This sample provides a wide range of business practices and basic principles to guide all employees and officers of a company.
Compensation Committee Charter
This charter outlines the purpose, membership procedures, and authorities and responsibilities of the compensation committee, which establishes policies for the compensation of a company’s officers.
Compensation Committee Charter: Sample 2
This charter outlines the purpose, authority and responsibilities of a compensation committee, which establishes policies related to the compensation of a company’s officers.
Compliance Insights: August 2016
This newsletter highlights several compliance protocols, such as updates to the CRA Q&A, provisions related to the FDCPA, card clubs regulations, Bitcoins, and revisions to MLA requirements.
Compliance Insights: July 2016
This newsletter provides recent FFIEC and Wolfsberg guidance to manage the risks associated with SWIFT interbank messaging and wholesale payments.
Compliance Insights: October 2016
This compliance news roundup explores a variety of topics, including Court Ruling Regarding Its RESPA Enforcement and CFPB Constitutionality, FDIC Issues Draft Guidance on Third-Party Lending, and HMDA Implications of the Updated Uniform Residential Loan Application.
Compliance Issue Resolution: Responsible Business Conduct in Financial Services
This article discusses four expectations for “responsible business conduct” in a 2013 bulletin published by the Consumer Financial Protection Bureau (CFPB).
Compliance Risk Key Performance Indicators
This document focuses on business and regulatory compliance risks and includes questions for compliance risk evaluation.
Conducting Enterprise Risk Assessments That Make a Difference
An enterprise risk assessment (ERA) identifies and prioritizes the organization’s risks and provides quality inputs for purposes of formulating effective risk responses, including information about the current state of capabilities around managing the priority risks. Boards of directors and management need an effective ERA process to effectively discharge their responsibilities, especially in today’s rapidly changing environment. The strategy-setting process which is fueled by an annual risk assessment will mitigate the potential disconnects in the operating environment and is “best practice” in today’s world. In this issue of The Bulletin, we focus on the vital steps in executing an effective ERA and why integrating these assessments with strategy setting is important. We also explain what ERA is, outline how it is conducted and suggest how it must be integrated with the strategic choices affecting enterprise value.
This policy outlines the steps a company and its employees should take to maintain a level of confidentiality over all appropriate business information and personnel information. This document also contains an appendix: “10 Principles for the Protection of Personal Information.”
Conflict of Interest (Trust Company) Audit Work Program
This audit work program focuses on the conflict of interest between a trust company and its affiliates. It addresses factors such as employees' access to the company's code of ethics, authorization from the governing trust instrument, disclosure of terms, fees charges, fiduciary accounts, securities transaction agreement, monitoring of the soft dollar arrangement, compliance with the safe harbor provision, service agreement, and investments.
Construction Project Risk Management Manual - Sample
This risk management manual contains a methodology that can be modified and used by other construction companies, or by businesses that are themselves undertaking construction projects. The methodology allows for project risk analysis and deciding whether or not to proceed with the project.
Consumer Lending Department Audit Work Program
The consumer lending audit work program focuses on physical safeguards, adequate documentation, substantiation of loan balances and substantiation of collateral.
Contract Review Audit Work Program
The objectives of this work program are to assess whether contracts are executed in accordance with agreed-upon terms and to ensure that all contracts are valid and properly authorized and mitigate risk of loss.
Control Design Effectiveness Review Checklist
This Excel-based template provides an example of how to review control design effectiveness to ensure the control mitigates the associated risk. You would use this review process sheet to document the reviewer’s comments and associated response. The Excel form also provides guidance in designing controls to address financial reporting assertions.
Control Environment Audit Work Program
This audit work program focuses on the control environment component of the COSO Framework.
Control Objectives and Activities Guide
This guide provides a list of control objectives, potential risks, and points-of-focus for potential control activities within a business enterprise.
Control Self-Assessment Questionnaire
In complying with the Sarbanes-Oxley Act, it is management’s responsibility to design, adhere to and monitor the significant operating and financial controls of the organization. This short self-assessment questionnaire has been designed to obtain management’s input in order to establish a common understanding of the level of control of an organization or department.
Control Self-Assessment Questionnaire: Ethics
Self-assessment is a recognized best practice that has been applied to risks and controls for many years. This questionnaire serves as a basis for gathering information, including violations of government laws or regulations, breaches of policies like sharing internal information with competitors, bribing government employees, and acts of harassment.
Control Self-Assessment Questionnaire: Operations
Self-assessment is a recognized best practice that has been applied to risks and controls for many years. This high-level self-assessment questionnaire can be used to assess various operational areas within an organization.
Control Self-Assessment Questionnaire: Sarbanes-Oxley Section 302
Self-assessment is a recognized best practice that has been applied to risks and controls for many years. This high-level self-assessment questionnaire can be used to assess the level of Section 302 compliance within your organization.
Control Transition Policy
This policy establishes procedures to ensure the continued integrity of a company’s internal controls system. It focuses on timely transition of internal control responsibilities when needed; continued and ongoing execution of key controls; and swift maintenance to internal control documentation that reflects actual controls in place and responsible individuals.
Controls Monitoring Quarterly Assessment Report
This is an example report of internal audit’s quarterly assessment of the ongoing controls monitoring processes. This report provides an overview of the work performed and corresponding audit findings.
Controls Monitoring Work Program
This sample work program provides steps to perform a quarterly assessment of management’s monitoring of company-level controls.
Corporate Audit Department Charter
This sample charter outlines the mission statement, objectives, responsibilities and services of the corporate audit department of a company.
Corporate Governance Compliance Questionnaire
The objective of this questionnaire is to assist the board and management in assessing the organization’s current corporate governance environment.
Corporate Governance Policy: Board Committees
This sample policy sets standards for board committee structures and protocols.
Corporate Governance Policy: Relationship With Internal Auditors
This sample policy establishes reporting relationships for the internal auditors of a company.
Corporate Governance: Shareholders Meetings
The purpose of this policy is to simplify and clarify the essential elements of shareholders meetings. The policy applies to shareholders, the Board of Directors and all staff working on shareholder relations.
Corporate Image and Communication Standards Policy
This sample policy helps to ensure that all internal and external communication reflects a corporate image that is consistent and preserves and builds the value of the corporate brand.
Corporate Responsibility Audit Work Program
The objectives of this audit program are to assess the effectiveness of a corporate responsibility program (CRP) and to ensure that the company is continuing to put into practice the seven elements of an effective compliance program. This audit program explains the scope of the audit and covers topics on integration of compliance into policies and/or procedures, education, environmental assessment, hotline/investigative reporting, and corporate integrity agreement/settlement agreement.
Corporate Website Policy
The purpose of this policy is to ensure that the company website reflects a consistent corporate image that preserves and builds the value of the corporate brand.
COSO Element: Risk Assessment
This 42-page presentation thoroughly examines risk assessment as it relates to the COSO Internal Control Framework, from objective setting to risk identification, risk analysis, and risk assessment evaluation.
COSO ERM Diagnostic Questionnaire
This tool can be used to assess the effectiveness of a company’s ERM process, specifically senior management’s effectiveness in performing the key elements of the eight components of the COSO ERM Framework.
COSO ERM: What It Means to the Board
This issue of Board Perspectives summarizes five significant takeaways from the new COSO ERM framework.
Creating or Revising Financial Policies
The following sample outlines a set of policies and procedures for creating or revising corporate financial policy statements in a consistent manner throughout the organization.
Creating Transparency Into Your Largest Risk Exposures
This issue of The Bulletin offers approaches for improving transparency into an entity’s most significant risk exposures, with the objective of minimizing the risk of unwanted surprises.
Credit Rating Analysis of Enterprise Risk Management at Nonfinancial Companies: Are You Ready?
Enterprise risk management (ERM) initiatives have gained strong support from a new source: credit rating analysts. In November 2007, Standard & Poor’s (S&P) issued its Request for Comment: Enterprise Risk Management Analysis for Credit Ratings of Nonfinancial Companies (RFC), reflecting the rating service’s intention to assign scores of ERM quality to all companies it reviews and incorporate an ERM segment into its ratings reports. Standard & Poor’s (S&P) continues its initiative to assess ERM quality of all companies it reviews. S&P plans to eventually score companies to benchmark its opinions on ERM quality as one proxy for its assessment of management. This issue of The Bulletin explores how consideration of ERM quality can impact the ratings process and what nonfinancial companies can do to prepare for this added dimension to the process.
Credit Risk Policy
This sample outlines a set of policies and procedures formalizing the credit risk management process, the goal of which is to: protect against any unwarranted customer or counterparty credit exposures; maintain credit risk at a manageable level; and identify and avoid a material credit failure (of a significant value, which would impact earnings).
Data Aggregation, Analytics and Stress Testing Interactions at Financial Institutions
In this article, we consider the challenges financial institutions face.
Data Breach Notification Memo
This memo's purpose is to notify an individual regarding the possibility of a personal information breach and explain the steps taken by a company to protect against identity theft or abuse of information.
Defense Products and Services Industry Guide
The aerospace and defense industry is composed of companies that manufacture defense products, such as aircraft, watercraft, weaponry, and information systems. This guide discusses defense products and services risks and regulations and the areas where SAP solutions can assist in this industry.
Designing SAP Application Security
This white paper provides six steps organizations should take when implementing SAP application security using a top-down approach.
Detailed Medical Record Review Questionnaire
This is an example medical record review questionnaire that can be utilized when performing a healthcare audit. It is intended to help an internal audit department understand the existing process related to medical records management and assess the compliance of this process.
Developing an Effective Code of Conduct
Executing a successful code of conduct depends on three key elements: proper definition, effective communication and appropriate warning signals as monitoring tools. This guide describes the elements of a successful code and lists ethics warning signs to watch for.
Director of Internal Audit Job Description: Sample 2
This job description provides an overview of the director of internal audit position responsibilities, which include preparing and implementing a risk-based audit plan in order to assess, report on, and recommend improvements to the company’s key operational and finance activities and internal controls.
Disaster Recovery Risk Assessment Audit Work Program
This disaster recovery risk assessment audit program addresses environmental, man-made, business and IT threats. It focuses on defining the risk assessment scope, gathering base data, performing interviews, analyzing and validating results, creating reports, and presenting findings to management.
Disaster Recovery Work Program
The purpose of this work program is to act as a guide for the controls needed to minimize the business recovery time in case of a disaster. The steps covered in this work program include: business impact analysis; plan development, documentation, and maintenance; and recovery testing.
Disclosing PHI as Required by Law HIPAA Policy
This sample outlines a set of policies and procedures to give guidance and ensure compliance with laws and regulations (including HIPAA) when using or disclosing protected health information (PHI).
Disclosure Committee Charter
The disclosure committee assures that information required to be disclosed by a company is properly recorded, processed, summarized and reported to senior management.
Disclosure Committee Questionnaire
The purpose of this questionnaire is to ensure that all necessary quarterly financial reporting disclosures are addressed, and any changes to these disclosures are explained by management.
Disclosure Restrictions During the Initial Public Offering Process
The purpose of this sample memo is to document the SEC restrictions on public communication by companies beginning initial public offerings of their capital stock.
Dismissing an Individual with System Privileges: Actions Checklist
This checklist lists the steps to be taken to ensure the security of critical systems and data after an individual with system privileges has been dismissed.
Diversify Workforce Audit Work Program
This audit work program evaluates a company's diversity and inclusion compliance processes.
Diversify Workforce RCM
This document outlines risks and controls common to the diversify workforce process.
Do Not Call Registry Policy
This sample policy ensures that all rules and regulations related to telemarketing are complied with and nothing is done to impair the brand and image of the organization.
Documentation - 404 Readiness Checklist
This checklist can be used to evaluate the adequacy of Section 404 process documentation prior to submitting it to the external auditor for review and prior to creating testing plans.
Driving Value Out of the Section 404 Compliance Process
In this issue of The Bulletin, we incorporate insights and lessons learned regarding finance processes and show how value can be derived from improving these processes while still meeting compliance standards.
Drug-Free Workplace and Workforce Audit Work Program
The purpose of this work program is to provide the general steps used to perform a drug-free workplace and workforce audit.
E-Commerce Website Audit Work Program
This sample work program provides a framework and checklist for testing to be performed by the internal audit or quality assurance team in reviewing a web site. It can be downloaded and reviewed for ideas and comparison with your own work programs.
Education Grant Compliance Review Report
This sample audit report focuses on identifying key regulations related to receiving grant funds from the Department of Labor. It provides recommendations on activities that identify and mitigate compliance risks.
Electronic Signature (E-Sign) Audit Work Program
The objective of this work program is to assess documented policies and procedures, including business requirements documentation, to determine if the provisions of the Electronic Signatures Act (E-Sign Act) and Department of Education are adequately addressed. Based upon the documentation, review the implementation of electronic signatures in each of the in-scope applications and determine if the implementation meets the provisions outlined in Company ABC’s documentation.
Employee Termination Policy
The following policy outlines steps related to the employment termination process.
End-of-Draw HELOCs: Using Data-Enhanced Consumer Outreach To Mitigate Mortgage Portfolio Risk
Nearly a decade after the collapse of the financial markets, triggered by massive subprime mortgage defaults and plummeting values of securities tied to real estate prices, another major aftershock of the crisis has the potential to impact a significant segment of homeowners.
Energy Conservation Policy
This sample policy ensures, encourages and enables the reduction of energy use by a company and its customers.
Enhanced Prudential Regulations for Foreign Banks (Regulation YY)
In December 2012, the Federal Reserve Board (FRB) published a proposed rule under the Dodd-Frank Act (DFA) aimed at addressing enhanced prudential standards for foreign banking organizations (FBOs) with U.S. operations. Following a prolonged rule-making process during which formal and informal comments were offered by the foreign banking community and foreign supervisors, the FRB published a final enhanced prudential supervision rule, Regulation YY, on February 18, 2014. Why did the DFA require the FRB to implement enhanced prudential regulations? Which FBOs are affected by the FRB’s regulation? In this booklet, we will answer these and other frequently asked questions to help head office and U.S. management of foreign banking organizations understand Regulation YY.
Enhanced Telecom Operations Model (eTOM) Process Classification Scheme
This conceptual view of an example Enhanced Telecom Operation Model (eTOM) process classification scheme (PCS) addresses the major business process areas of strategy, infrastructure & product, operations and enterprise management, and just as importantly, the supporting functional process areas. Read this document to learn more about the fundamental knowledge of telecommunication customer needs and all functionalities necessary for the acquisition, enhancement and retention of a relationship with a customer.
Enterprise Assessment and Monitoring Procedures
The purpose of this document is to develop a consistent process for scheduling and managing IT security assessment processes. The general steps outlined provide a process for conducting various types of assessments, as well as guidelines for monitoring security compliance within the computer system and network environments.
Enterprise Risk Assessment Methodology for Internal Audit Plan Development Guide
This guide presents a detailed approach to enterprise risk assessment methodology for internal audit plan development.
Enterprise Risk Management in Practice
Enterprise Risk Management (ERM) establishes the oversight, control and discipline to drive continuous improvement of an entity’s risk management capabilities in a changing operating environment. ERM continues to mature as a process, and organizations are finding many ways to implement practical ideas to continuously improve their risk management capabilities. In this booklet, we profile 11 companies that are operating in different industries and countries to provide ERM ideas that can be customized to your own organization. In producing the various profiles for this publication, several common themes emerged that demonstrate why and how companies across multiple industries are improving their risk management capabilities.
Enterprise Risk Management Project Plan
This document is a sample project plan for use during the planning phase of implementing ERM across an organization. It supports a phased implementation approach, detailing tasks, deliverables, and a project timeline.
Enterprise Risk Management: Practical Implementation Advice
Many executives do not know the value proposition of Enterprise Risk Management (ERM). Some may even consider ERM a fad or “flavor of the month,” and are just humoring the dialogue, wishing it would go away. What leaves many cold on the subject of ERM is the inability to quickly grasp what it is. This issue of The Bulletin addresses this and other relevant questions.
Entity Level Controls - Control Environment Questionnaire
The control environment provides an atmosphere in which people conduct their activities and carry out their control responsibilities. It is the foundation for all other components of internal control, providing discipline and structure. This Excel-based template provides a number of COSO elements and the related control objectives for entity-level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.
Entity Level Controls - Monitoring Questionnaire
Monitoring is a process that assesses the quality of the entity's internal control performance over time. This Excel-based template provides a number of COSO elements and the related control objectives for entity level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.
Entity Level Controls - Risk Assessment Questionnaire
Risk assessment is the component of the entity’s internal control that involves identifying and analyzing risks internally and externally. Risk assessment is relevant to achieving business objectives as well as objectives related to the preparation of reliable financial statements. This Excel-based template provides a number of COSO elements and the related control objectives for entity level controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management’s action plan for deficiencies. The Entity-Wide Objectives and Manage Change sections have been updated in this questionnaire.
Entity-Level Controls – Fraud Questionnaire
Fraud prevention is essential to set the right tone for an effective internal control framework. This Excel-based template links the COSO components to a number of control objectives for entity-level fraud controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.
Entity-Level Controls Audit Work Program
This sample audit work program evaluates the entity-level controls in an organization, specifically focusing on the control environment, risk assessment, information and communication, control activities, and monitoring.
Entity-Level Documentation Request Checklist
The COSO Internal Control - Integrated Framework requires that risks and controls be assessed at both the entity level and the process level. Entity-level controls address the “tone at the top” and include items such as ethics programs, investigation protocols and IT infrastructure controls. Adequate evidence of the entity-level controls should be accumulated to support management’s assertions. One of the ways to gather such evidence is to review the corporate documentation that supports that these entity-level controls are in place. This checklist provides a template in which to track the availability and status of such entity-level control documentation.
Entity-Level Fraud Risk Assessment Process Report
This sample report provides an overview of the process one company undertook to satisfy the requirements of evaluating fraud risks that pertain to internal control over financial reporting.
Environmental Protection Policy
This sample policy ensures that all controlled and identified materials used in operations are properly managed to comply with laws and regulations and to minimize harmful effects on the environment.
Ethical Business Conduct Guidelines Audit Work Program
The purpose of this work program is to provide the general steps used to perform an audit of ethical business conduct guidelines. This document provides guidance on obtaining a list of all executives and directors, determining who is required to sign an ethical business conduct form, obtaining access to employees’ human resource files, and other steps needed to complete this audit.
Ethics Program Guide
An effective ethics program serves as a basis for policy-making as well as providing guidance in daily decision-making. This guide describes steps that companies should consider when developing or strengthening their ethics programs.
Ethics Program Review Audit Work Program
An organization’s ethics program is increasingly important in the current regulatory environment and critical to minimizing reputation risk. Internal audit is responsible for evaluating the effectiveness of ethics programs that can significantly reduce reputation risk exposure; however, evaluating a relatively intangible area such as ethical behavior can be challenging. This work program can assist with developing a comprehensive review.
Excel in Managing Spreadsheet Risk Presentation
Control over spreadsheets associated with the financial reporting process is an increasing concern for companies. These spreadsheets have achieved an increasingly high profile within regulatory compliance. This presentation serves as a guide to train SOX project teams in testing Section 404 spreadsheet controls and utilizing a spreadsheet control framework.
Exceptions and Non-Conformance Policy
This sample outlines a set of policies and procedures governing action to be taken when special circumstances prevent compliance with an established policy, procedure, standard, or guideline, or a federal or state regulation. This policy addresses how exceptions and non-conformance to existing Information Security Services policies, procedures, standards, and guidelines are handled.
Executive Certifications: Same Responsibilities, Higher Stakes
Although there are several aspects to the executive certification, management is certifying the effectiveness of the internal management processes that underlie the required disclosures. Certifying officers should design the certification process so that their activities are coordinated with business unit managers, process owners, internal auditors, the external auditor, legal counsel and other key parties. In this issue of The Bulletin, we answer several important questions regarding these new requirements.
Expenditure Process Control Questionnaire
Expenditure process controls are important to financial reporting as this process focuses on costs companies incur while delivering goods, rendering services, or other activities that are central to the company’s operations. This Excel-based template provides a number of business activities and related control objectives for each activity. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.
External Auditor Interview Questionnaire
This questionnaire can be used to conduct interviews with the External Auditor to solicit their views and feedback on a company's Internal Audit function.
External Complaints Management and Dispute Resolution Policy
This policy is based on the ISO Standards for handling complaints, with some sections on negotiation, mediation and arbitration resolution techniques that are used before litigation. The author of this policy asserts that complaints management is an integral part of Enterprise Risk Management.
External Quality Assessment Review Request for Proposal
This sample request for proposal (RFP) document focuses on finding a service provider to perform an external quality assessment review of an internal audit department. It details the process and timeline for responding to the RFP.
Facilitating SOA Compliance Using Committees
Following the release of Sarbanes-Oxley and new SEC regulations, many organizations have created a "Disclosure Committee" and a “Section 404 Committee.” This guide discusses the duties, composition, structure and interrelationships of these committees and suggests some general rules to follow.
Financial Close Process Controls Questionnaire
This tool provides insights on financial close process controls, including the control objectives for financial close activity.
Financial Elements and Business Process Prioritization Memo
This memo summarizes the customized models used to prioritize financial statement elements (FSE) and processes for Sarbanes-Oxley (SOX) Section 404 compliance. The prioritization of these items helps define the extent of a company’s process-level documentation efforts.
Financial Instrument Risk Key Performance Indicators (KPIs)
This benchmarking tool sample describes financial instrument risk and outlines business risks related to financial instruments, leading practices and questions to consider.
Financial Spreadsheet Controls Policy
This policy outlines the roles and responsibilities of the IT department as well as the users and developers of spreadsheets and financially significant desktop tools (including Access, Crystal Reports, and Queries) to meet SOX requirements for control over financial reporting.
Fine-Tuning Your Corruption Risk Management
Last year, a former Morgan Stanley managing director pleaded guilty for his role in a conspiracy to evade the company’s internal accounting controls and violate the U.S. Foreign Corrupt Practices Act, and the U.S. Department of Justice (DoJ) declined to bring enforcement action against the executive’s employer. Issue 42 discusses 10 lessons learned from the DoJ’s favorable opinion release for Morgan Stanley.
First-in-the-Nation Regulation Proposed to Protect New York State from Growing Cyberthreats
This Flash Report outlines the new, long-anticipated cybersecurity regulation proposed by New York Governor Andrew Cuomo.
Five Years of Dodd-Frank: An Internal Audit Perspective
On July 21, 2010, the financial world marked the fifth anniversary of the passage into law of the Dodd-Frank Wall Street Reform and Consumer Protection Act (DFA). In this article, we will discuss the controversy that surrounds the DFA.
Fixed Assets Process Controls Questionnaire
Fixed assets are important to a company because of their relative permanence in the company’s operations and their use in operating activities. This Excel-based template provides a number of business activities and related control objectives for each activity. This questionnaire has been updated with the following: involvement of the purchasing department, presence of a corporate depreciation policy, and monthly financial close procedures.
Focus on Healthcare: Top Priorities for Internal Auditors
In this article, we summarize the five key priority areas for healthcare IA functions this year that were identified in Priorities for Internal Auditors in U.S. Healthcare Provider Organizations, a joint survey from Protiviti and the Association of Healthcare Internal Auditors (AHIA).
Foreign Corrupt Practices Act (FCPA) Audit Work Program
This audit program sample assists audit teams when reviewing compliance with the Foreign Corrupt Practices Act of 1977.
Foreign Corrupt Practices Act Policy
This policy outlines procedures for compliance with the Foreign Corrupt Practices Act.
Framework for Facilitated Self-Assessment Meetings
This tool provides a detailed framework for internal auditors and others who are planning to conduct a facilitated self-assessment session. This framework is intended to introduce and describe a common facilitation framework to help deliver the highest-quality results. Each phase described includes a checklist of key issues to address throughout the self-assessment process.
This sample policy details the actions constituting fraud and non-fraud irregularities, investigation responsibilities, confidentiality statements, authorization for investigating suspected fraud, reporting procedures, and termination and administration procedures.
Fraud Prevention and Detection Audit Work Program
This audit program sample focuses on understanding current fraud prevention and detection program activities.
Frequently Asked Questions Regarding the Sarbanes-Oxley Act Executive Certification Requirements
There are many questions on the minds of directors, certifying executives and auditors as they work together to comply with the Sarbanes-Oxley Act and new requirements from the SEC and NYSE. Listed in this booklet are common queries from companies who are dealing with these requirements. We have provided responses based on our experience that will assist executives as they evaluate their company's disclosure controls infrastructure and processes supporting executive certifications.
Frequently Asked Questions Regarding Compliance with OMB Circular A-123
The Sarbanes-Oxley Act of 2002 (SOX) served as an impetus for the federal government to re-evaluate its policies relating to internal control over financial reporting. The result was the revised Office of Management and Budget (OMB) Circular A-123 in December 2004. This revised OMB Circular A-123 adopts much of what is contained in SOX Section 404. The revised OMB Circular A-123 requires U.S. government agencies to meet internal control over financial reporting standards similar to those mandated by SOX Section 404. In this booklet, we answer questions about complying with OMB Circular A-123, including an overview of the revised requirements, applicability to various federal agencies, the role of management, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Controls - Integrated Framework (New Framework), risks and control objectives, and key dates.
Fund Accounting Process Review – Audit Report
This fund accounting process review internal audit report focuses on comprehensive record keeping and reporting requirements for registered investment companies and their affiliates. The objective is to review the controls over the oversight and reporting of financial data for each fund.
General Counsel and Chief Legal Officer Departures: A Five Year Review
In this article, Audit Analytics looks into the departure statistics for the general counsel/chief legal officer.
General IT Controls Questionnaire
This questionnaire assists with the collection of information regarding the control environment of all aspects of an IT department.
General Threat Questionnaire
This risk assessment questionnaire can be used to identify the failure scenarios, likelihood, and severity of over 100 environmental, man-made, business, and IT risks.
Global Compliance Questionnaire
This questionnaire will act as the starting point for assessing the level of compliance in areas such as: corporate governance; quality systems; anti-fraud programs; business ethics; business continuity; and health, safety and environmental management.
Governance in Not-For-Profit Organizations Policy
This sample policy provides guidance for not-for-profit organizations in the areas of mandate, roles of volunteer boards and executive directors, special board committees and their roles, and volunteer principles.
Governance, Risk and Compliance Platform Considerations
In this article, we will provide background and an overview of GRC technology.
GRC Platforms: Harmonization or Hegemony?
This article addresses an important question—should companies be investing in a single platform to develop a more aggregated picture, or are there more significant benefits to using multiple custom point solutions to support GRC efforts?
Guide to Business Continuity Management FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to Business Continuity Management FAQ.
Guide to Business Continuity Management
Business Continuity Management (BCM) is a management process that provides protection or alternative modes of operation for those activities or business processes which might bring about a significant loss to the enterprise if they were interrupted. Many companies never fully consider potential threats to their business until the damage has been done - during such times, business can come to a standstill. Many of the aforementioned risks are evolving and present growing business continuity and disaster recovery challenges for businesses, particularly with regard to maintaining critical IT systems and processes. In this booklet, our intention is to help companies evaluate and manage these risks through a comprehensive set of recovery and operational plans.
Guide to Enterprise Risk Management FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to Enterprise Risk Management FAQ, which addresses some of the most commonly asked questions with respect to ERM and offers ideas, suggestions and insights to executives responsible for ERM implementation.
Guide to Enterprise Risk Management
In today’s challenging global economy, business opportunities and risks are constantly changing. There is a need for identifying, assessing, managing and monitoring an organization’s business opportunities and risks. The concept of enterprise risk management (ERM) helps to redefine the value proposition of risk management by elevating its focus from the tactical to strategic level. ERM is about designing and implementing capabilities for managing the risks that matter. Many are asking questions about the value proposition of ERM and practical steps on how to implement it. This booklet addresses over 160 questions relating to some of the most commonly asked questions with respect to ERM. It offers ideas, suggestions and insights to executives responsible for ERM implementation.
Guide to Internal Audit FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to Internal Audit FAQ, which is designed to be a helpful and easy-to-access resource that internal audit professionals can refer to regularly in their jobs.
Guide to Internal Audit
The internal audit (IA) profession has undergone significant changes since the New York Stock Exchange (NYSE) issued its new listing standard requiring an IA function. Companies are far more likely to have in place highly developed IA functions that address not only the NYSE standards, but also the SEC’s interpretive guidance on Section 404 of the Sarbanes-Oxley (SOX) Act and PCAOB Auditing Standard No. 5 (AS5). These regulatory developments have had a significant impact on internal audit functions. This booklet is designed to be a resource that IA professionals can refer to regularly in their jobs. The publication offers detailed insights into everything from building an IA function to managing and improving the function as the organization evolves.
Guide to Mergers and Acquisitions FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to Mergers and Acquisitions, which provides a starting point for answering the core questions identified in mergers and acquisitions – from due diligence to the integration of people, processes and technology, supported by key project and change management enablers.
Guide to Mergers and Acquisitions
As global competition continues to intensify, investors and boards of directors are demanding more top-line growth as a way to increase shareholder value. Many are pursuing this growth in revenues and earnings through mergers and acquisitions (M&A), which are some of the more challenging endeavors a company can undertake. M&A transactions are like assembling a complex puzzle with thousands of unique pieces. In this booklet, we provide a starting point for answering the core questions identified in M&A deals – from due diligence to the integration of people, processes and technology, supported by key project and change management enablers. It’s designed to serve as a resource that executives and managers can consult to utilize the lessons learned and improve the odds of achieving the targeted values of proposed transactions.
Guide to the Sarbanes-Oxley Act FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to the Sarbanes-Oxley Act FAQ, which contains suggestions for Sarbanes-Oxley compliance matters, including effectively segregating incompatible duties, efficiently testing application security, and utilizing automated application controls to reduce the burden of manual procedures.
Guide to the Sarbanes-Oxley Act
As organizations complete their second year of Sarbanes-Oxley Act (SOX) compliance, executives and audit committees are expecting more value with lower costs. Fulfilling these expectations will require a shift from simply repeating the same SOX project each year to a sustainable, cost-effective compliance process that is embedded into business as usual. For many companies, significant opportunities to improve the efficiency and effectiveness of their SOX compliance efforts reside at the application level. The questions answered in this booklet have arisen in our discussions with clients and others in the marketplace who frequently deal with SOX compliance matters and are focused on improving internal control over their critical business applications.
Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404
Since the third edition of Frequently Asked Questions Regarding Section 404 of Protiviti’s Guide to the Sarbanes-Oxley Act (SOX) series was released in August of 2004, much has happened. For example: The U.S. SEC has created a “large accelerated filer” category and has adopted different deadlines for initial Section 404 compliance for accelerated foreign private issuer filers and non-accelerated U.S. domestic issuer and foreign private issuer filers. This booklet is designed to help answer questions about the sections of SOX pertaining to public reporting; this information will assist Section 404 project sponsors, leaders and team members. We have provided responses and points of view based on our experience that we hope will assist companies as they document, evaluate and improve their internal control over financial reporting, and as they continue to enhance their executive certification process. We have also held discussions from time to time with both the SEC and PCAOB staff to understand their views on key points and confirm our interpretations in certain areas.
Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404: Table of Contents
This table of contents and FAQ list is a reference for the Guide to the Sarbanes-Oxley Act: Internal Control Requirements - Frequently Asked Questions Regarding Section 404, which considers the SEC’s interpretive guidance to management and incorporates the PCAOB’s major revisions to Auditing Standard No. 2.
Guide to the Sarbanes-Oxley Act: IT Risks and Controls (Second Edition)
The Sarbanes-Oxley Act (SOX) Section 404 mandates that all publicly-traded companies establish internal controls for financial reporting and maintain those controls to ensure they are effective, with the purpose of reducing corporate fraud. The priority goals of Section 404 align with management’s existing responsibilities when undertaking an IT conversion or implementation project. In this booklet, we provide guidance to Section 404 compliance project teams on the consideration of information technology (IT) risks and controls at both the entity and activity levels within an organization. We also explore how application-control assessments are integrated with the assessment of business-process controls, and address documentation, testing and remediation matters.
Guide to the Sarbanes-Oxley Act: IT Risks and Controls FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Guide to the Sarbanes-Oxley Act: IT Risks and Controls FAQ, which is the definitive resource guide on IT risks and control issues related to compliance with SOX Section 404.
Hazard Assessment Checklist and Corrective Action Report
This checklist is to be used when conducting periodic hazard assessments. If any deficiencies are found, the corrections should be recorded using the Corrective Action Report following the checklist.
Healthcare Industry IT Risk Assessment Questionnaire
The purpose of this tool is to help a healthcare company perform an IT risk assessment. The risk assessment worksheets document IT components, IT processes and IT projects, and provide business process definitions. The assessment also allows the user to configure options, and rank all identified risks automatically.
Healthcare Management Planning: Risk Assessment Questionnaire
This questionnaire is intended to be sent to managers throughout an organization in order to gather opinions on a number of predetermined potential audit areas. Although this example is healthcare-specific, it can be customized and modified for other industries.
HIPAA Policy and Procedures: Disclosing PHI to Avert Serious Threats to Health and Safety
This sample policy provides guidance to ensure full compliance with all laws when using or disclosing protected health information (PHI) to prevent or lessen a threat to the health or safety of a person or the public.
HIPAA Policy and Procedures: Disclosure of PHI in Facility Directories
This sample policy outlines procedures for the usage and disclosure of protected health information (PHI) maintained in inpatient facility directories.
Hospital Compliance Department Work Program
This work program is intended to provide an internal audit team with steps and questions for reviewing a hospital's compliance program.
Hotel Accounts Receivable and Credit Review Audit Work Program
This audit work program focuses on the accounts receivable and credit areas of a hotel or hospitality property.
Hotel Expenditure Cycle Audit Work Program
This robust work program will assist in a comprehensive review of the expenditure cycle. Although the program is tailored to a hotel, it includes review of the purchasing, receiving, inventory and supervisory operational and financial expenditure areas. Related Computer Assisted Audit Techniques (CAATS) or ACL type tests are included to leverage IT audit team members.
Human Resources Review Audit Work Program
This sample work program evaluates the effectiveness and efficiency of a company’s human resources (HR) process.
Human Resources Risk Management Presentation
This short guide helps define human resources risk, and identify the major HR processes and sub-processes where risks occur.
Identity and Access Management – Best Practices Guide
Identity and access management is an ongoing and critical process that demands continuous management. This guide describes eight key best practices for an identity management system to ensure better security, efficiency and compliance.
Immigration Policy (United States)
This sample outlines a set of policies and procedures to comply with the requirements of applicable immigration laws.
Implementation of a Change Management Policy Presentation
Identifying changes in internal controls is important in streamlining the SOX compliance process, specifically 302 and 404 certifications. When identifying changes in internal controls, it is important to have a change management policy for process owners to follow. This presentation serves as a guide in implementing an internal control change management policy. It addresses the types of changes to manage in this process, documentation requirements, and key tools and reports.
Improve Threshold Values Tuning of Transaction Monitoring Systems by Taking a Qualitative Approach
Central to any transaction monitoring system are the threshold values at which each of the selected transaction monitoring scenarios operates. If set too low, threshold values will result in numerous false positives. If set too high, analysts may fail to detect and report suspicious activity.
Individuals with Disabilities Policy
This sample outlines a set of policies and procedures for employing individuals with disabilities in accordance with the provisions of the Rehabilitation Act of 1973 and the Americans with Disabilities Act of 1990.
Information and Communication Audit Work Program
The purpose of this audit work program is to assess, at a high level, and validate key controls in place for the information and communication component of the COSO Framework. Inadequate or ineffective controls in this area may give rise to financial and operational risks.
Information Security Framework
The Protiviti Risk Model helps to source and size these risks, and creates a common language for the organization to discuss and determine different acceptable risk levels. Only after vital business risks have been identified can security solutions be evaluated and implemented.
Information Security Risk Assessment Questionnaire, based on ISO/IEC 27002:2005
This checklist is designed to assist in reviewing and documenting the risk profile of your organization’s information processing activities. The checklist contains ten sections, in accordance with ISO/IEC 27002:2005.
Internal Audit and Risk Management: The Basics
This page contains a list of links to KnowledgeLeader publications and tools that will assist a new professional in understanding and getting started in a career in internal audit and risk management.
Internal Audit Charter Guidelines
This sample provides guidelines for creating an internal audit charter.
Internal Audit Customer Interview Questionnaire
This questionnaire can be used to solicit feedback from Internal Audit customers (senior management and others) during a quality assurance review process.
Internal Auditing Around the World: Volume 1
Corporate governance, ethics, fraud, risks, controls, regulations, communication and adding value are all issues at the core of the internal audit profession as we stand on the threshold of the next generation of change. This booklet details the internal audit best practices, processes and strategies being employed at 13 leading multinational organizations. Each of the 13 profiles describes successes, challenges and lessons learned by audit teams from a variety of industries and countries as they work to address financial reporting, regulatory compliance and numerous other processes while adhering to internal auditing standards. As we update this publication in the coming years, we will reach out to more organizations to learn and share their stories of growth.
Internal Auditing Around the World: Volume 3
Given the value added by having strong internal audit (IA) teams, it is not surprising that people play the most essential role in every IA function represented in this book. Demand for highly qualified, talented internal auditors continues to grow throughout the world, as the number of professionals meeting this description shrinks. What drives top-performing IA functions today? In this booklet, we profile 16 successful IA functions from companies across the globe and examine common denominators that separate these leaders from their peers. While there certainly are differences among the companies profiled, they share a number of important similarities in terms of philosophies, approaches, performance measurements and lessons learned – and perhaps most notably, the core concept driving IA activities within these organizations is adding value.
Internal Auditing Around the World: Volume 4
Today’s internal audit (IA) functions are achieving their objectives and improving operations by being resourceful and flexible, engaging in dialogue with management about IA activities and their alignment with company goals, stressing the importance of internal controls throughout the organization, and relying on technology to help manage routine auditing tasks and focus on risk assessment. This booklet examines the challenges and successes of 19 top-performing IA teams. One of the key takeaways from the IA functions profiled in this publication is that today’s internal auditors are actively striving to be highly visible to the entire operation. To achieve this, many auditors must travel to far-flung destinations to learn firsthand about their company’s activities and industry and build strong relationships with personnel throughout the organization, and with external auditors and other outside resources.
Internal Control Over Financial Reporting -- An Update on Section 404 of Sarbanes-Oxley
The SEC released its final rules in June 2003 regarding Section 404, making time an asset rather than a liability. This issue of The Bulletin addresses these final rules and what they mean.
Internal Controls and Shareholder Value
An effective system of internal controls forms one of the keystones necessary to building, maintaining and improving shareholder value. This presentation can be used as a training piece describing what internal controls are, why they are important, and how they relate to shareholder or stakeholder value.
Internal Controls Over Financial Reporting: Understanding Section 404 of Sarbanes-Oxley
In this issue of The Bulletin, we address in detail Section 404, a provision of SOX that is certain to garner the attention of public company executives.
Internal Controls Sustainability Training Guide
This training presentation focuses on building a sustainable internal control process. This type of process focuses on developing and executing a communication plan, monitoring the business and rule changes, and analyzing for continuous improvement opportunities.
Internal Disclosure Certification Process Policy: Sample 2
This policy outlines procedures to ensure the fair presentation and disclosure of financial results, and is designed to ensure comfort to executives responsible for signing the external disclosure certification submitted to the SEC in accordance with SEC rules and regulations required by the Sarbanes-Oxley Act of 2002. For each section within Management’s Discussion and Analysis, the notes, and all parts preceding and following these sections, the preparer should prepare a checklist of procedures designed to ensure the accuracy of the disclosure. The preparer should sign the checklist stating that to the best of his/her knowledge the disclosure is materially complete and accurate, nothing has been knowingly omitted, and all controversial matters have been discussed and resolved with management.
International Human Resources Audit Checklist
The checklist outlines key considerations for an international human resources audit.
Inventory Management Control Questionnaire
Inventory is an important asset for many companies as it is often a large asset on the company’s financial statements and represents a source of revenue in the near future through sales of the goods. This Excel-based template provides a number of business activities and related control objectives for each activity. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.
Is Your Compliance Management Making a Difference? Board Perspectives: Risk Oversight, Issue 35
Compliance management consists of an organization’s processes for adhering to laws, regulations and internal policies. To be effective, it requires metrics, measures and monitoring that provide assurance to management and the board of directors that established policies and procedures for fostering compliance are performing as intended. Without effective management of the compliance risks that really matter, the organization is reactive at best and noncompliant at worst. Companies should ensure that established policies and procedures provide reasonable assurance that the organization is adhering to the requirements of applicable laws and regulations and internal policies. This issue of Board Perspectives: Risk Oversight describes several key elements of an effective compliance program for boards to consider.
Is Your Compliance Management Making a Difference? The Bulletin, Volume 4, Issue 10
Compliance management consists of the organization’s policies and processes for adhering to applicable laws and regulations. It requires metrics, measures and monitoring that provide assurance to management and the board that established policies and procedures for fostering compliance and responsible business behavior are performing as intended. Without effective management of the compliance risks that really matter, the organization is reactive, at best, and non-compliant, at worst. Companies should ensure that they are implementing a holistic, top-down and proactive approach to managing compliance. This issue of The Bulletin focuses on the issues that surround compliance, its current state, true cost and value proposition, as well as its organizational structure and offers suggestions on ways it can be improved.
ISO 9000 Certification Policy
The following sample provides an outline of the policies and procedures that an organization must undertake in order to achieve ISO 9000 certification.
IT Change Management Audit Work Program
This audit program focuses on assessing controls that mitigate the risks inherent within IT change management processes.
IT Platform Management Work Program
This document outlines steps to audit an organization’s IT platform management process.
IT Risk Assessment Questionnaire
This tool includes risk assessment questions for both IT management and executive IT management.
Making Your Risk Assessments Count: An Operational and a Compliance Perspective
Traditional assessment approaches often do not address the unique characteristics of the risks a company faces. While using a common analytical framework to evaluate risks with different characteristics may make the assessment process easier to execute, it also may not be as effective as approaches that could provide more insight into how to respond to assessed risks. An enterprise risk management process does not envision that all risks be subject to the same assessment methodology. In this issue of The Bulletin, we suggest that robust approaches applied to different risk categories according to the underlying characteristics of risks are needed to identify the top risks of those categories. We also suggest four reasons why companies find it challenging to move beyond a risk assessment to actionable steps that could be incorporated into a business plan.
Manage Government Relations Key Performance Indicators (KPIs)
This benchmarking tool focuses on the key performance indicators for effectively managing government relations.
Manage Labor-Management Relationships RCM
This document outlines risks and controls common to the "manage labor-management relationships" process in an RCM format.
Manage Legal and Ethical Issues Key Performance Indicators (KPIs): Sample 2
This benchmarking tool outlines key performance indicators for managing legal and ethical issues within organizations.
Management Development and Compensation Committee Charter
The purpose of the management development and compensation committee is to carry out the board of directors’ overall responsibility relating to executive compensation. This charter provides an example of its structure, authority and responsibilities.
Management Response to Internal Audit Reports Memo
This memo outlines specifics to consider when drafting management responses to audit observations.
Managing Corruption Risk Involving Foreign Officials and Avoiding Its Impact on Reputation
Civil and criminal fines stemming from anti-corruption non-compliance can be costly. Firms that paid bribes to foreign officials have been subjected to criminal and civil enforcement actions, resulting in large fines, as well as suspension and debarment from federal procurement contracting. In addition, reputation damage due to negative media attention can devastate the bottom line and impair shareholder value. To avoid these consequences, many firms have implemented detailed compliance programs intended to prevent, deter and detect improper payments by employees and agents. It is critical for management to ensure that a robust anti-corruption compliance program, including anti-corruption controls, is in place. This issue of The Bulletin briefs on how to manage corruption risk and uses the FCPA as a framework for this discussion.
Managing Corruption Risk
Consequences of corruption violations include criminal and civil enforcement actions, profit disgorgements, mega fines, suspensions from government contracting, jail terms for employees and reputation-damaging headlines. To avoid these consequences, firms should consider an anti-corruption program intended to prevent, deter and detect improper payments by employees and agents. Companies should establish risk-based policies and procedures that provide reasonable assurance the organization and its agents are adhering to the provisions of applicable anti-corruption laws, and implementing adequate systems of internal controls. This issue of Board Perspectives: Risk Oversight shares how a robust anti-corruption program can save companies from the expensive consequences of corruption violations.
Managing Outsourcing and Offshoring Risk
Outsourcing is subcontracting a process to a third-party company. The decision to outsource is often made in the interest of reducing firm costs, redirecting focus on the competencies of a particular business, or making more efficient use of HR, IT and other resources. As companies focus on managing their operations in a difficult economic environment, they seek to become leaner and more focused, efficient and effective. Outsourcing and offshoring initiatives can help an organization fine-tune its business model to become more resilient and profitable. However, when outsourced functions and processes have financial reporting implications, public reporting risks may arise. This issue of The Bulletin explores the advantages, disadvantages and risks associated with outsourcing and offshoring, and how the risks can be managed when decisions are made to outsource and/or offshore business activities.
Markets in Financial Instruments Directive
The impending implementation of the Markets in Financial Instruments Directive (MiFID), a directive that governs the provision of investment services in financial instruments by banks and investment firms and the operation of traditional stock exchanges and alternative trading venues, will not escape the attention of many in the financial services industry. Under MiFID, the monopoly of the regulated market will be broken through. Up until now, most publications on this topic have been about the high-level demands of the framework guidelines, the execution guidelines, and the execution regulations. In this issue of The Bulletin, we offer our interpretation of MiFID and broach the most important changes impacting the investment entrepreneur, as a result of MiFID.
Medical Clinic Operational Processes Questionnaire
This sample questionnaire can be used when performing an audit of a medical clinic’s operational processes. It is intended to help an internal audit department complete a baseline compliance review of these activities. Questions focus on topics such as maintenance of patient medical records, patient relations, physician consultation practices, and storage of medical equipment.
Medical Records Documentation Checklist
This sample checklist can be utilized when performing an audit of medical records documentation. It is intended to help an internal audit department understand the existing documentation process related to medical records. Items of review include the filing system used, document retention, and training materials.
Medical Records, Coding, and Billing Processes Compliance Questionnaire
This sample questionnaire can be utilized when performing an audit of medical records, coding, and billing compliance processes. It is intended to help an internal audit department understand the existing process related to medical records, coding and billing and assess the compliance of these processes. Questions focus on topics such as policies and procedures, records management, and training in billing techniques.
Monitoring Controls (Entity-Level) Audit Work Program
The purpose of this audit work program is to evaluate the operating effectiveness of the monitoring component of COSO, as it relates to the attributes of ongoing monitoring, separate evaluations and reporting deficiencies. Each section of this work program focuses on a specific attribute and the documentation that evidences the operating effectiveness of entity-level controls. After each attribute, the work program details the steps for evaluating each entity-level control.
New ORSA Requirement Set to Raise Expectations of Risk Management
In this article, we outline the key areas to focus on when weaving the ORSA framework into the fabric of an organization’s current operations, infrastructure and governance structure.
Nominating and Governance Committee Charter
This charter outlines the purpose, membership procedures, meeting procedures, and roles and responsibilities of the nominating and governance committee.
Nominating and Corporate Governance Committee Charter: Sample 2
The nominating and governance committee assists the board in identifying qualified individuals to become board members, determining the composition of the board of directors and its committees, monitoring a process to assess board effectiveness, and developing and implementing the company’s corporate governance guidelines. This charter provides an example of the language and structure of a nominating and governance committee charter.
Nominating and Governance Committee Charter: Sample 3
This sample charter outlines the purpose, membership procedures, authorities and responsibilities of the nominating and governance committee.
Nominating and Governance Committee Charter: Sample 4
The purpose of the nominating and governance committee is to assist the board in identifying qualified individuals to become board members, determining the composition of the board of directors and its committees, monitoring a process to assess board effectiveness, and developing and implementing the company’s corporate governance guidelines. This charter serves as an example document outlining this committee’s various responsibilities.
Operational Risk Management: Transitioning from Compliance to Performance
Protiviti conducted a study in collaboration with Operational Risk and Regulation Magazine to assess what progress financial services organizations have made in the ORM space over the past decade.
Patient Admission Policy
This policy outlines a set of procedures for providing a consistent, standardized and proficient method for the admission of healthcare patients.
Payroll Process Controls Questionnaire
This sample questionnaire helps with evaluating the controls in an organization’s payroll process.
P-Card Design Process Flow
Purchasing or procurement cards (p-cards) offer benefits to organizations: reducing checks and purchase orders, streamlining the procurement process, and enabling organizations to set spending limits for each p-card. Because many companies have made the shift to using p-cards in an attempt to improve controls over spending, it is important to have standardized processes and controls with regard to p-cards in place. This process flow focuses on the procedures associated with the use, maintenance and changes related to p-cards.
Physical Security Questionnaire
The security of the equipment and the buildings used by an organization is as important as the security of a specific platform. This questionnaire is the starting point for a physical security assessment.
Physician Credentialing Audit Work Program
The audit objective of this review is to analyze and evaluate the current hospital credentialing process and identify the key controls governing the process. Key steps include: review the department’s policies and procedures as they relate to the physician credentialing process; interview key departmental personnel responsible for performing the process; identify risks that may occur during the process and identify and evaluate the design effectiveness of existing controls designed to mitigate these risks; and identify process gaps or weaknesses and provide recommendations for improvement.
Physician Groups: Managing Risk in the Midst of Fast Changes
Physician organizations today are navigating swift, treacherous waters, with sweeping industry-wide reform initiatives, declining government reimbursements, and increased regulatory pressures on one side, and the groups’ own internal pressures to grow and be profitable on the other.
Pondering the SEC’s Next Move on Non-GAAP: Thoughts From Audit Analytics & Analyst’s Accounting Observer
This article ponders what might lie ahead when the SEC’s Division of Corporation Finance tamps down on fringe non-GAAP reporting.
Positioning Compliance for Effectiveness
We often receive questions regarding the proper positioning of compliance in an organization. The debate frequently centers on addressing to whom compliance reports. Unfortunately, this line of inquiry does not focus on the fundamental issue of roles and responsibilities. An understanding of these roles provides a powerful context for evaluating how to position the compliance function within the organization. Positioning the compliance function for effectiveness is a matter of first defining the roles executive management and the board of directors want the function to play. In this issue of Board Perspectives: Risk Oversight, we explore the different views regarding the responsibilities expected of the compliance function and their implications to positioning compliance.
Pricing & Discounts Audit Work Program
Product pricing can have a significant impact on revenue; internal audit can help to assure that controls over pricing and discounts are effective. This sample audit program will assist with a thorough review of this area.
Primary Controls Tracker
This document serves as a template to use in tracking the number of key internal controls identified in an organization. The information compiled in this template can be used to develop project status reports and plan for remediation efforts.
Prioritizing Using the Nominal Group Technique
This guide describes the nominal group technique, which can be used during a group meeting or brainstorming session. It allows a group to rank a list of options or ideas in order of importance.
Privacy and Data Sensitivity Audit Report
This audit report focuses on the process to ensure effective controls are in place for handling sensitive data.
Privacy Compliance Program Review Audit Report
This sample report focuses on the state of privacy compliance at a financial institution. The review addresses compliance with the Gramm-Leach-Bliley Act (GLB), and uses a capability maturity continuum and gap analysis to illustrate the status of compliance.
Process Classification Scheme (PCS)
The Process Classification Scheme (PCS) is a framework used by Protiviti that can be utilized to organize information about a company according to relevant business and/or industry processes.
Process Integration Checklist
The purpose of this checklist is to facilitate the merging of company subsidiary divisions and their duplicate processes. Included are guidelines for this facilitation process and topics to address during scheduled meetings.
Process-Level Documentation Requirements Memo
This memo describes the documentation requirements for each in-scope process related to Sarbanes-Oxley Section 404 compliance.
Product Safety Audit Report
This audit report provides a detailed description of a review of a company's product safety processes, including significant observations and recommendations.
Project Management Office Guide
A project management office (PMO) can help organizations create effective control and oversight of projects and integrate them into overall business outcomes. This guide provides detailed information on the key elements, benefits, best practices, and steps for building an efficient PMO.
Protecting Enterprise Value Through Your Anti-Fraud Program
Simply stated, an anti-fraud program is a group of policies and procedures, backed by senior management, which fosters ethical and responsible business behavior. A company’s anti-fraud program is an integral part of its corporate governance process and is fundamental to protecting enterprise value and preserving the reliability of public reporting. With the audit committee providing oversight, management is tasked with establishing, validating and monitoring effective internal controls to quickly prevent, deter and detect fraud. What is an anti-fraud program? Why is it important? How should companies evaluate their anti-fraud program? In this issue of The Bulletin, we will answer these and other questions. We will also provide observations and recommendations for management and audit committees to consider when evaluating their anti-fraud program.
Protecting Your Customers – Going Above and Beyond Regulatory Expectations
In this article, we outline some methods to comprehensively demonstrate to regulators the nature of the issues encountered and their resolution.
Protiviti Risk Model
The Protiviti Risk Model is a comprehensive organizing framework for defining and understanding potential business risks and creating and managing the organization’s dynamic risk universe.
Protiviti's Sarbanes-Oxley Section 404 Compliance Initiatives Methodology
Protiviti has developed a phased approach to the execution of Sarbanes-Oxley Section 404 compliance. The approach is facilitated by project management, knowledge sharing, communication and continuous improvement. It applies the COSO Internal Control – Integrated Framework by taking both an entity-level and a process-level view of the business. This document provides a high-level overview of Protiviti’s approach.
Purchasing Rebate Review Audit Work Program
The objective of this audit program is to review the controls in place for the following areas of the purchasing rebate process: supplier rebate set-up, maintenance and forecasting, rebate processing, and rebate accounting and financial reporting. When reviewing this process, include in the documentation: the individuals performing each duty, whether the responsibilities are properly segregated (within this cycle or other cycles), and whether the process is efficient and effective.
Quality Assurance Function Charter
The quality assurance function helps the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal control and corporate governance processes in the organization. Example responsibilities include: risks are appropriately identified and managed; interaction with the various governance groups occurs as needed; and significant financial, managerial and operating information is accurate, reliable and timely. This charter describes the purpose, responsibilities and authority of a distinct quality assurance function that reports directly to the audit committee.
Quarterly Control Assessment Questionnaire
The purpose of this assessment questionnaire is to monitor the company's internal control structure and processes on a quarterly basis.
Quarterly Disclosure Controls Assessment Questionnaire
The purpose of this questionnaire is to facilitate the quarterly assessment of controls surrounding the financial reporting process. This questionnaire can be provided to managers or process owners to support efforts to identify any changes in controls, and to help meet the requirements set out by the SEC.
Quarterly Compliance Assessment – Audit Report
The purpose of this report is to document internal audit’s quarterly assessment of compliance policies and procedures and the validation of the operational effectiveness of key activities and controls within those policies and procedures.
Raising the Bar: Auditing Your Enterprise Risk Management Program
Risk management is not an end in itself; it has value only if it assists a company to achieve its long-term business objectives. Internal auditors, in both their assurance and consulting roles, contribute to ERM in various ways. In this article, we offer insight into how auditors can provide an objective assessment of a company’s ERM efforts, including where the company can improve.
Real-World Risk Rigors Require Effective Challenge
This article explains guidance recently published by the Federal Reserve and the OCC outlining the characteristics of an effective challenge.
Record Disposal and Retention Policy
This policy outlines procedures for document disposal and storage periods. It defines the requirements for document disposal, including recycling and shredding of paper, records, documents, forms, notes, and labels that may convey confidential information and ensuring that business-sensitive, client-related information is properly processed. It also records the minimum time required to maintain documents for all corporate functions and personnel. This policy applies to all pertinent and reasonable business-related documents included in an established chain of custody for such materials that ensures a secure method for containing, collecting, transporting, storing and transferring waste. In the event that a lawsuit, government or regulatory agency investigation is threatened, the legal department and executive management will notify the facilities manager or vendor to cease and desist activity of document disposal, such as daily shredding, until further notice.
Record Disposal and Retention Policy: Sample 2
This policy outlines procedures for the disposal and retention of records. This policy is predicated upon three principles: complete, accurate and high-quality records are to be maintained; important data is to be backed up; and records are to be retained only for their period of immediate use, unless longer retention is specifically authorized. Along with the procedures and guidelines, the document also contains the record retention schedule. In this example, most corporate records may be vital to current goals and useful for analysis of current operations, but are of little or no value to the company by the time they are over one year old. Longer retention periods are based upon legal, audit or management requirements.
Record Retention Practices Review Audit Report
This audit report reviews the record retention process at a company. The objectives of the review were to identify the existing procedures in place, define objectives of the process, identify and prioritize the risks applicable, identify global best practices to minimize the most significant and likely risks, determine key components to be included in a records retention policy, and compare the existing practices to the key components necessary to achieve the process objective. This sample review found that the company does not have a worldwide records retention policy in place. The various processes that are in place are informal and appear inefficient. Key observations focus on the retention period, document ownership and annual confirmation, document retention protocols, and compliance with laws and regulations.
Record Retention Questionnaire
Either premature destruction or loss of records or failure to destroy obsolete records can cause serious problems. This questionnaire helps to assure that records are retained in compliance with any regulatory requirements, and with company policy.
Records Management Policy
This sample outlines a set of policies and procedures for managing company records in an appropriate, systematic and timely manner.
Records Storage and Retrieval Policy
The purpose of this document is to outline the process departments are required to follow in order to store and retrieve their respective records, and to document how the records will be maintained.
Relationship with External Auditors Policy
This policy outlines the relationship between a company and its external auditors. This document also discusses the importance of providing external auditors adequate information and other related company responsibilities.
Request for Proposal: Internal Audit and Sarbanes-Oxley Compliance
This RFP for co-sourcing internal audit and Sarbanes-Oxley compliance services provides a variety of sample questions to ask a potential outsource or co-source partner.
Revenue Capture Policy: Patient Accounting
This sample policy ensures that appropriate charges for a company’s supplies and/or services administered are recorded and posted in the patient accounting system 1) completely, accurately and timely, and 2) consistently across all facilities.
Rigorous Business Impact Analysis Using Facilitated Methods
This presentation describes a particular methodology for conducting a Business Impact Analysis (BIA). The BIA is the careful study of individual business processes and support functions, as well as the system of business processes in its entirety, to better understand objectives regarding continuity of operations.
Risk Assessment Audit Work Program
This sample audit work program assesses and validates key controls in place for the risk assessment component of the COSO framework.
Risk Assessment Facilitated Session Results Matrix - Sample
This template will help capture the results of a risk assessment facilitated session. It allows leaders of these sessions to document their final results in an organized format.
Risk Assessment Map and Guide
This risk assessment sample helps to identify and document critical business processes.
Risk Assessment Process - Facilitation Tips
This guide provides tips and tricks to be used when facilitating a risk assessment workshop. These tips are organized to guide you through the high-level phases of a risk assessment discussion and provide insight into the facilitator’s role for this process.
Risk Assessment Survey Template - Sample
The goal of Enterprise Risk Management is to identify, evaluate and manage key risks impacting an organization’s ability to achieve its objectives and strategies. This document provides a template to inventory and assess critical risk areas (business functions) and the associated risks embedded within each area. The results can be used to help develop an Internal Audit Plan. The results may also be included in the Risk Assessment Report provided to the Audit Committee.
Risk Assessment Workshop Presentation - Sample
The purpose of this presentation is to facilitate a risk assessment workshop. It explains to workshop participants the objectives and ground rules, how to identify key risks, and how to plot significance and likelihood on a risk map.
Risk Management Framework Policy
The following sample outlines a set of policies and procedures for structuring risk management activities to ensure that risks are identified, assessed, managed, monitored and reported in a uniform manner. The aim of risk management is to provide reasonable assurance that companies understand the risks associated with achieving business objectives, and that they are responding appropriately to these risks at all levels within the organization.
Risk Management Oversight Committee Charter
The purpose of the risk management oversight committee is to monitor the organization’s risk environment and provide direction for the activities to mitigate, to an acceptable level, the risks that may adversely affect the company’s ability to achieve its goals. This charter serves as an example document outlining this committee’s various responsibilities, including: identifying and prioritizing business risks, evaluating the effectiveness of risk mitigation activities, ensuring that gaps in effectiveness are addressed for high-priority risks, and improving ERM infrastructure.
Risk Management Policy
This sample outlines a set of policies and procedures for a common and systematic approach for managing risk across a company.
Risk Management, Compliance, and Regulation for Accountants (Sample Syllabus)
This course is presented from the perspective of senior managers or professional service providers. Emphasis is on what and how effective governance systems are implemented within all forms of organizations: public, private, and not-for-profit. Professionals in the field will provide their insights into current best practices on how these systems are developed to create the linkages identified above. In addition, governmental legislation will be followed closely because of the new Administration’s stated commitment to strengthening compliance and regulation of the financial markets. Thus, the major objective of the course is to enable students to understand both the theoretical and practical aspects of risk management, compliance, and regulation.
Role of the Compliance Function
This 19-page guide highlights the importance of a compliance function within an effective risk management governance structure.
Sanctions Screening Systems: “Plug-and-Play” Solutions No Longer Effective
Institutions with deficiencies in their Office of Foreign Assets Control (OFAC) compliance programs and/or violations of the OFAC requirements and other global sanctions programs are increasingly in the crosshairs of regulatory enforcement actions. While poorly chosen or configured sanctions-screening technology has not been the root cause of all the financial services industry’s sanctions problems, it is certainly a contributing factor.
Sarbanes-Oxley Act Project Approach Memo
The purpose of this memo is to document management’s approach for the current financial year's Sarbanes-Oxley compliance project processes.
Sarbanes-Oxley Auditor Walkthrough Guide
This training presentation was created to help prepare company personnel for the walkthrough process related to Sarbanes-Oxley Section 404 compliance. It includes questions to expect from the external auditor and example responses to these questions by different company departments.
Sarbanes-Oxley Roles and Responsibilities Guide
The purpose of this guide is to describe example roles and responsibilities the various team members involved in Sarbanes-Oxley (SOX) compliance can take on during the project. Roles and responsibilities are described for: process/control owners, risk control specialists, the Project Management Office (PMO), and the Internal Controls Steering Committee (ICSC).
Sarbanes-Oxley Section 404 Process Prioritization Report
This document outlines the steps used by management in assessing the criticality of business processes, which is important in setting the scope for the internal control over financial reporting assessments. This includes prioritizing financial reporting elements, defining processes, linking processes to financial elements, and prioritizing processes.
Sarbanes-Oxley Section 404 Program Executive Scorecard - Sample
This document serves as an executive report template focused on the progress of the Sarbanes-Oxley Section 404 program.
Sarbanes-Oxley Section 404 Project Conclusion Memo
This memo documents an organization’s approach to Sarbanes-Oxley Section 404 compliance and concluding results from the annual assessment.
Sarbanes-Oxley Section 404: Report Testing Methodology
An important part of complying with Sarbanes-Oxley (SOX) Section 404 is ensuring the completeness and accuracy of system reports. This presentation serves as a guide to train SOX project teams in testing reports that are used during the financial reporting process. Note: Testing individual reports is a relatively inefficient manual process and should only be used if General Computer Controls and/or End User Computing Controls do not provide adequate assurance over reports.
Sarbanes-Oxley Section 404: Compliance Plan – Sample
This sample document establishes a framework and standard policy for compliance with Section 404 of the Sarbanes-Oxley Act.
Sarbanes-Oxley Spreadsheet Controls Memo
This is a sample email sent by the process owner to finance staff regarding the documentation of controls over spreadsheets as part of Section 404 SOX compliance.
Sarbanes-Oxley Testing Strategy Memo
This memo documents a company's high-level testing strategy for Sarbanes-Oxley compliance.
Sarbanes-Oxley Walkthrough Checklist
The purpose of this checklist is to provide guidance to help a process owner prepare for a process walkthrough. It also includes post-walkthrough questions to help the process owner document any questions or issues raised.
Sarbanes-Oxley Walkthrough Guidance for General IT Controls
Process walkthroughs are an important part of Sarbanes-Oxley compliance projects. They provide the opportunity to validate the steps necessary to complete a process and view the control environment of a process. This presentation describes the goal of performing a process walkthrough and steps to take during the walkthrough process.
Sarbanes-Oxley Walkthrough Preparation Memo
This Sarbanes-Oxley process memo informs and prepares business process control managers to engage in “walkthrough” discussions with auditors. In this sample, the internal and external auditors have to conduct their validation/fieldwork on internal controls in compliance with Section 404 of the Sarbanes-Oxley Act.
SAS 70 Review – Report on Assessment of Controls - Sample
Type II SAS 70 reports are an integral part of assessing a company’s internal controls over financial reporting if a company uses an outsource provider. The SAS 70 report is intended to communicate, from auditor to auditor, the testing performed around the outsource provider’s internal controls, particularly controls over IT processes. This report can help an organization communicate the findings of a Type II SAS 70 review and assess how the results of the report impact the company’s internal controls over financial reporting.
SEC Comments on a BNY Mellon Capital Ratio Error
The recent turmoil surrounding Deutsche Bank, and speculations that one of the largest European banks may not survive without a bailout, yet again bring to light the importance of capital reserves that banks are required to hold.
Segregation of Duties in Significant Cash Disbursement Applications Questionnaire
The following document outlines a set of steps to be followed when reviewing segregation of duties in significant cash disbursement applications.
Segregation of Duties in Significant Cash Receipts Applications Questionnaire
This form has been designed to highlight potentially conflicting duties performed by one individual which could impact the effectiveness of controls over a cash receipts application.
Self Assessment Questionnaires: Guide to Development
This guide provides a framework for developing a self assessment questionnaire.
Senior Vice President of Internal Audit Job Description: Sample 2
This job description provides an overview of specific responsibilities and qualifications for the senior vice president of internal audit position.
Senior Vice President, Chief Risk Officer Job Description
This job description outlines the responsibilities and qualifications for the senior vice president, chief risk officer. The role provides oversight and direction for the management of all risks across an organization’s business segments.
Servicing Legalized Marijuana Businesses: Weighing the Risks in Light of the FinCEN Guidance
The movement to legalize certain marijuana-related activities across nearly half the states in the nation has rapidly advanced a current stalemate between the marijuana industry and the financial services industry.
Setting the 2006 Audit Committee Agenda
Much has happened since 2003 when the SEC adopted rules mandated by The Sarbanes-Oxley Act of 2002 (SOX) that, among other things, expanded and formalized the responsibilities of audit committees. Rather than focus on history, this issue of The Bulletin provides observations and ideas for boards and their audit committees regarding matters they should consider during the coming year.
Setting the 2008 Audit Committee Agenda
Audit committees have another crowded agenda over the next year. Many aspects of the audit committee charter continue to require ongoing attention, including the myriad of committee activities around the rules issued by the U.S. Securities and Exchange Commission (SEC) and the listing standards promulgated by the exchange to which the company is subject. Obviously, audit committees must continue to address these important requirements, as they provide the minimum standards by which they operate. This issue of The Bulletin provides observations and ideas for boards of directors and their audit committees regarding matters they should consider during the coming year. The agenda items we have listed are significant matters warranting audit committee attention and we believe that the committee can play an important oversight role in addressing these items.
Setting the 2009 Audit Committee Agenda
Since we published Setting the 2008 Audit Committee Agenda a year ago, the world has dramatically changed. 2009 promises to be a challenging year for audit committees. Without a doubt, the financial crisis has increased uncertainty and created changes to strategic plans, operating budgets and organizations. Uncertainty and change increase the need to identify, understand and manage risk effectively. This issue of The Bulletin provides observations and ideas and matters to consider for boards of directors and their audit committee to get through the trying times in the upcoming year. The agenda items we have listed are significant matters warranting audit committee attention, and we believe that the committee can play an important oversight role in addressing them.
Social Media and Consumer Marketing for Financial Services Organizations
While social media has the potential to improve market efficiency, risk management is critical, and federal regulators are taking steps to place social media risk management top of mind for financial institutions.
Sourcing Root Causes Questionnaire
This questionnaire serves as a starting point for sourcing the root causes of problems or risks.
SOX Policy Evaluation Checklist
Policies are an important part of the internal control over financial reporting evaluation process. This is a sample checklist to use when identifying the availability and status of company policies associated with the financial reporting process. This tool also assists with organizing policies by financial statement, area of significance, and financial statement element.
SOX Self-Assessment and Self-Testing Instructions
This guide provides instructions to companies performing a self-assessment and self-testing for Sarbanes-Oxley compliance. Topics include mapping global risks, reporting results, and managing the project timeline.
SOX Year-End Update Testing Memo
This memo defines the process a company uses to update testing of internal controls for Sarbanes-Oxley compliance purposes near or at the year end.
Special Accounts Staffing Process Assessment Report
This sample report assesses the staffing model created by human resources for special accounts.
Spreadsheet Controls Procedures and Checklists for Sarbanes-Oxley Compliance - Sample
Lack of controls over spreadsheets can present a risk to the accuracy of financial statement information and may be identified as a deficiency under Sarbanes-Oxley Section 404. This document contains an example of spreadsheet control procedures. The procedures outline the access and change control steps that could be applied for financial spreadsheets. Also included is a checklist that tracks the spreadsheet control procedures and can be used in SOX spreadsheet testing.
Spreadsheet Risk Management FAQ: Table of Contents
This table of contents and FAQ list is a reference for the Spreadsheet Risk Management FAQ, which is designed to answer frequently asked questions about spreadsheet risk based on real business need.
Spreadsheet Risk Management: Frequently Asked Questions - Second Edition
Many companies rely on spreadsheets as key applications that support operational and financial reporting processes. The increased regulation and compliance that now impact spreadsheet control is not surprising given the past few years of numerous multimillion-dollar errors and fraud attributed to the use of spreadsheets. We also see companies filing reports of material weaknesses and deficiencies with the Securities and Exchange Commission (SEC) as a result of the lack of controls around their financial reporting spreadsheets. This regulatory pressure and increasing focus from auditors are forcing organizations to address the issue of spreadsheet risk management, though few really understand what the issue is and what they need to do about it. This booklet represents a pragmatic response to spreadsheet risk based on real business needs. Although this publication uses the term “spreadsheet,” much of the guidance applies equally to other end-user-developed applications, such as databases and reports.
Staffing and Professional Services Risk Model
The staffing and professional services risk model focuses on risks that are inherent to the organization from the environment, process and information perspectives. This guide also includes an audit universe of business areas to consider when developing an internal audit plan for a staffing and professional services company.
Staying Focused on Core Business Issues Amid Corporate Governance Compliance
In this issue of The Bulletin, we cover the basics of corporate governance compliance.
Stock Options Process Flow
There are many steps for the Board of Directors, HR, Compensation Analyst and CEO to take when it comes to granting employees stock options. This document can be used as a general guide to understand and review the stock options processes.
Strengthening Governance Through Risk Management
Boards of directors and management know that the price of surprise is steep and should work together on an effective plan for managing risk. This issue of The Bulletin provides five comprehensive recommendations for strengthening governance through improved risk management.
This sample policy helps to ensure that principles of sustainability are incorporated into actions carried out by the company.
System Implementation Risk Assessment Questionnaire
This questionnaire helps to assess the risks involved in the implementation of any new or updated software application.
Tax Compliance Process Internal Control Questionnaire
The purpose of this questionnaire is to assess the internal controls related to a company’s tax compliance process. This document outlines sample tax compliance controls and assists in identifying if the control is in place.
Technology Risks and Controls: What You Need to Know
In this issue of The Bulletin, we focus on the relevance of IT risks and controls to a company’s meeting the internal control objectives over the reliability of financial reporting.
Ten Common Risk Management Failures and How to Avoid Them
In this issue of The Bulletin, we explore 10 common risk management mistakes and how they can be avoided.
Ten Principles for Risk Oversight Revisited
While risk oversight has always been an important part of the board’s agenda, the disruptive financial crisis taught everyone a lesson about just how important it is. The risk oversight playbook has evolved over recent years. This issue of Board Perspectives: Risk Oversight revisits 10 timeless principles that boards can use to evaluate their risk oversight process as it stands today. Directors should use these 10 principles to assess their board’s risk oversight process to ascertain whether the process needs redirection.
Test Documentation Validation Checklist
This checklist provides guidance on how to track documentation related to tests of controls. It focuses on examples of documentation needed to complete tests of controls, a template to record the completeness and accuracy of the documentation received, and areas to track missing required documentation and sampling requests made to the client.
The Art & Science of Compliance
In this inaugural edition of Protiviti's newest publication, we profile the Renaissance person of today: the chief compliance officer. We also discuss the issues and challenges related to anti-money laundering transaction monitoring and highlight other recent regulatory developments.
The Challenges of MiFID II
Protiviti hosted a second regulatory breakfast seminar focused on the challenges facing the financial services industry in implementing the amended Markets in Financial Instruments Directive (as well as related regulation and technical standards), collectively referred to as MiFID II.
The Changing Corporate Governance Landscape and Its Implications
This issue of The Bulletin reviews examples of what the board of directors and management should do as they work to improve corporate governance.
The Code of Conduct: Laying a Cornerstone for Effective Governance
In this issue of The Bulletin, we provide important steps for boards of directors and management to consider in designing and implementing an effective code of ethics.
The Expanded Responsibilities of the Audit Committee: A New Mandate
This issue of The Bulletin explores the new requirements of audit committees and their implications, and suggests six keys to an effectively functioning audit committee.
The Importance of a Strong AML Transaction Monitoring Governance Framework in Today’s Regulatory Environment
Expectations for transaction monitoring governance are quickly evolving due to the complexity of detection systems, the demand for additional operational oversight, increased regulatory scrutiny, and the need for an adequate control framework to guarantee proper risk management.
The Importance of Integrating Sections 302 and 404
Post-Year One SOX advice often focuses on integrating compliance activities around Sections 302 and 404. This presentation reviews the SOX scope determining process, resources, and timing of testing. In addition, it discusses the importance of this integration process and offers concrete ideas for integrating the compliance process.
The Journey to ORSA Begins
St. John’s University recently teamed with Protiviti to conduct a survey of more than 100 industry executives to assess the state of readiness of insurance organizations as they continue with their preparation for their initial ORSA Summary Report, as well as to determine ORSA’s impact on different areas of their risk management processes. In this report we will detail the five key findings from this survey, which include: Insurance offerings could change; ORSA will change risk oversight, improve ERM, and help with the integration of risk and strategy; Many organizations need new controls and policies; More education and training is needed at the board and executive levels; In risk reporting, there’s some disagreement between management and the board.
The Renaissance of the Chief Compliance Officer: An Artist and a Scientist
It is not every day that compliance managers are compared to Renaissance men, but if you read Protiviti’s publication, The Art & Science of Compliance, you will understand why today’s chief compliance officer (CCO) is to be perceived as exactly that.
The Role of Personal Accountability in the New Environment
This issue of The Bulletin outlines seven key principles that provide a framework for establishing and reinforcing the personal accountability of management and the board of directors. Application of these principles will create a healthy tension within the organization and facilitate communication between management and the board.
The Self-Assessment Process: Management’s Tool for Reinforcing Process Owner Accountability
In this issue of The Bulletin, we discuss the self-assessment process and how one can be implemented to reinforce process owner accountability, or if one is already in place, how to improve it.
Top Priorities for Internal Audit in a Changing Environment
In response to new challenges, changes and expectations within the business environment, internal audit (IA) has emerged as an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. Effective IA functions help organizations accomplish their business objectives by bringing a disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes. Drawing from The Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing and experience with leading internal audit functions, Protiviti recommends 10 strategic priorities for every public and private organization to employ in its IA function in this booklet.
Trading and Commodity Risk Management Policy
This sample risk policy addresses the components of an effective commodity risk infrastructure. It provides guidance in communicating overall risk governance, the organization’s structure, and minimum standards for processes, controls and reporting.
Treasury Process Controls Questionnaire
The treasury process is important to a company because it is the function overseeing the cash flow of the company’s operations and its use related to payments, receipts, and investments. This Excel-based template provides a number of business activities and related control objectives for each activity. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and management action plan for deficiencies.
Twenty Questions for Directors to Ask Internal Audit
Audit committees provide oversight to the internal audit efforts within an organization, so how audit committees work with their internal audit staff is critical to the success of internal audit as a whole. In this article, we outline 20 questions in an effort to help audit committees develop a better understanding of their expectations and duties.
Unlocking the Value of Enterprise Risk Management in the Public Sector
Enterprise risk management (ERM) has demonstrated its value in the private sector, producing successful organizations that follow an effective process to minimize risks and achieve desired outcomes. It should come as no surprise, then, that the federal government has taken a heightened interest in this proven practice, adapting it to public agencies in an effort to better manage risks that tend to hide in complex bureaucracies with limited interdepartmental communication.
Update Testing – Control Self Assessment Questionnaire
This questionnaire has been designed to facilitate an assessment of whether the controls within a business unit are currently operating effectively. To meet the guidelines of Section 404 requiring management attestation as of a company’s fiscal year-end, this questionnaire is used to identify any changes that have occurred or are planned prior to year-end. Questions in this tool focus on verifying that process documentation is complete and accurate, all key internal controls and key information systems have been identified, and all areas within a business unit that are relevant to Sarbanes-Oxley have been identified.
Updated COSO ERM Framework: What's New?
This issue of The Bulletin discusses why the COSO ERM Framework needed to be updated and how the focus is now on what is really important in making enterprise risk management work within an organization.
Upload Data from General Ledger to the Consolidations System
This questionnaire focuses on the financial close process, specifically when data is uploaded from the general ledger (G/L) to the consolidations system. This document includes: a process description, key risks, expected key controls, and key questions to ask during this process review.
Vendor Management: Realizing Opportunities in the Financial Services Sector
The building blocks of the vendor management framework presented in this paper can be assembled in ways that address each institution’s unique organizational structure and needs.
Vice President, Chief Compliance Officer (CCO) Job Description
This job description outlines the specific duties and responsibilities of the chief compliance officer.
When Insolvency Issues Arise
Independent directors are charged with protecting the interests of the organization and its shareholders by providing appropriate oversight and making objective decisions. When the organization is in financial distress, a whole new set of issues arise; experienced independent directors can provide a fresh unbiased perspective on corporate issues. In circumstances involving matters of insolvency or potential insolvency, independent directors should be mindful of the issues involved. In this issue of Board Perspectives: Risk Oversight, we focus on personal liability risks and responsibilities for independent directors in times of financial distress.
Whistleblower Policy and Procedures
This policy establishes standards and procedures to ensure that the accounting and audit-related complaint handling process complies with management’s and the audit committee’s objectives.