Internal Controls Toolkit

CHRISTINE H. DOXEY, CAPP, CCSA, CICA, CPC, is president of Doxey, Inc. Prior to forming her company, she served in executive positions with Verizon Business (formerly MCI), Hewlett Packard, Compaq, and Digital Equipment. Doxy is on the Advisory Boards of The Exchange Summit and The Institute of Internal Controls. She has authored several books and speaks at conferences globally on financial process best practices.

Introduction to The Internal Controls Toolkit 9

Introduction 9

Internal Controls And Fraud Prevention 9

Internal Controls And Fraud Prevention: Additional Statistics 10

Who Will Benefit From This Toolkit 11

About The Standards of Internal Control 12

How Were The Standards Developed? 12

How Are The Standards Used? 12

What Is The Basic Premise of The Standards? 12

When Should The Standard Be Updated? 12

What Is A Best Practice For Implementing And Using The Standards? 12

General Standards of Internal Control 13

How This Toolkit Is Organized 14

1.0 Background On Internal Controls 15

The Goals And Challenges of Internal Controls 15

Risk Based Internal Controls 15

Application of Internal Controls 16

The Three Critical Corporate Controls 17

The Background And History of Internal Controls 19

Securities Act of 1933 19

Securities Exchange Act of 1934 19

Trust Indenture Act of 1939 19

Investment Company Act of 1940 19

Investment Advisors Act of 1940 19

Foreign Corrupt Practices Act (Fcpa) of 1977 19

Comprehensive Crime Control Act – 1984 20

Federal Sentencing Guidelines For Organizations – 1991 20

Internal Control – Integrated Framework – 1992 And 2013 20

Coso’s Monitoring Guidance 21

Cobit – 1996 23

Systrust – 1999 23

Corporate Frauds – 2001-2002 23

U.S. Sarbanes Oxley Act of 2002 24

Enterprise Risk Management (Erm) Integrated Framework – 2004 And 2013 25

Example: Enterprise Risk Management (Erm) And The Application to The Procure to Pay (P2p) Cycle 26

An Erm Checklist 27

Internal Control Over Financial Reporting — Guidance For Smaller Public Companies - 2006 28

Guidance On Monitoring Internal Control Systems – 2009 28

Definition of Internal Controls 29

Types of Internal Controls And Control Mechanisms 29

Major Types of Internal Control 29

Compensating Controls 30

Other Controls 30

Organization Controls 30

Policy Controls 31

Procedure Controls 31

Supervisory Controls 31

Review Controls 31

Leveraging The Standards of Internal Control to Implement A Controls Self-Assessment (Csa) Program 32

Ethics And “Tone At The Top” 34

What Is ‘Tone At The Top’? 34

What Are The Components of An Effective Ethics Policy? 34

What Are The Components of A Well-Defined Code of Conduct? 34

What Are Examples of Poor “Tone At The Top”? 35

Code of Conduct Considerations 35

Entity Level Controls 36

Benefits For Entity Level Controls 36

“Tone At The Top” 36

Roles And Responsibilities For Internal Control 38

2.0 The Order to Cash (O2c) Process 42

2.1 Order Entry/Edit 45

2.1 Order Entry/Edit (Continued) 46

2.1 Order Entry/Edit (Continued) 47

2.2 Export Controls 48

2.2 Export Controls (Continued) 50

2.2 Export Controls (Continued) 51

2.3 Sales Contracts 53

2.3 Sales Contracts (Continued) 54

2.4 Credit 55

2.4 Credit (Continued) 56

2.5 Shipping 58

2.5 Shipping (Continued) 59

2.5 Shipping (Continued) 60

2.6 Revenue Recognition/Billing 61

2.6 Revenue Recognition/Billing (Continued) 62

2.6 Revenue Recognition/Billing (Continued) 63

2.6 Revenue Recognition/Billing (Continued) 64

2.7 Accounts Receivable (Ar) 66

2.7 Accounts Receivable (Ar) (Continued) 67

2.8 Collection 69

2.9 Cash Receipts And Application 70

2.9 Cash Receipts And Application (Continued) 71

2.10 Price Establishment 72

2.10 Price Establishment (Continued) 73

2.11 Promotional Activities 74

2.11 Promotional Activities (Continued) 75

2.11 Promotional Activities (Continued) 76

3.0 Treasury Process 77

3.1 General Treasury Controls 80

3.1 General Treasury Controls (Continued) 81

3.1 General Treasury Controls (Continued) 82

3.2 Financing Operations 83

3.2 Financing Operations (Continued) 84

3.3 Investment of Available Funds 85

3.3 Investment of Available Funds (Continued) 86

3.4 Foreign Exchange 87

3.4 Foreign Exchange (Continued) 88

4.0 Procure to Pay (P2p) Process 89

4.2 Purchasing/Ordering 99

4.2 Purchasing/Ordering (Continued) 100

4.2 Purchasing/Ordering (Continued) 101

4.2 Purchasing/Ordering (Continued) 102

4.3 Import Controls 103

4.3 Import Controls (Continued) 104

4.4 Receiving 105

4.4 Receiving (Continued) 106

4.4 Receiving (Continued) 107

4.5 Accounts Payable 108

4.5 Accounts Payable (Continued) 109

4.5 Accounts Payable Continued) 110

4.6 The Payment Process - General 111

4.6 The Payment Process – General (Continued) 112

4.6 The Payment Process – General (Continued) 113

4.7 The Payment Process - Travel And Entertainment 114

4.7 The Payment Process - Travel And Entertainment 115

4.8 Research And Product Development 116

4.8 Research And Product Development (Continued) 117

4.8 Research And Product Development (Continued) 118

4.9 Procurment Cards (P-Cards) 119

4.9 Procurment Cards (P-Cards) (Continued) 120

4.9 Procurment Cards (P-Cards) (Continued) 121

5.0 Hire to Retire (H2r) Process 122

5.1 Payroll Preparation And Security 125

5.1 Payroll Preparation And Security (Continued) 126

5.2 Payroll Payment Controls 128

5.2 Payroll Payment Controls 129

5.3 Distribution of Payroll 130

5.4 Compensation And Benefits 131

5.4 Compensation And Benefits (Continued) 132

5.5 Hiring And Termination 133

5.5 Hiring And Termination (Continued) 134

5.6 Education, Training, And Development 135

5.7 Contingent Workforce 136

5.7 Contingent Workforce (Continued) 138

6.0 The Supply Chain Process 139

6.1 Planning & Control 142

6.1 Planning & Control (Continued) 143

6.2 Inventory Control 144

6.2 Inventory Control (Continued) 145

6.2 Inventory Control (Continued) 146

6.3 Inventory Verification 147

6.3 Inventory Verification (Continued) 148

6.4 Inventory Valuation 149

6.5 Product Cost Management 150

6.5 Product Cost Management (Continued) 151

6.5 Product Cost Management (Continued) 152

6.6 Original Equipment Manufacturers (Oems) / Alliance Partners 153

6.6 Original Equipment Manufacturers (Oems) / Alliance Partners (Continued) 154

6.6 Original Equipment Manufacturers (Oems) / Alliance Partners (Continued) 155

6.8 Tranportation And Logistics 158

6.8 Tranportation And Logistics (Continued) 159

7.0 Record to Report (R2r) 161

7.1 International Transfer Pricing 166

7.2 Intercompany Transactions 167

7.2 Intercompany Transactions (Continued) 168

7.3 Accumulation of Financial Information 169

7.3 Accumulation of Financial Information (Continued) 170

7.4 Processing And Reporting of Financial Information (The Final Mile) 171

7.5 Fixed Assets 174

7.5 Fixed Assets (Continued) 175

7.5 Fixed Assets (Continued) 176

8.0 Government Contracts 177

8.1 United States Government Contracts - General 178

8.1 United States Government Contracts – General (Continued) 179

8.1 United States Government Contracts – General (Continued) 180

8.1 United States Government Contracts – General (Continued) 181

8.1 United States Government Contracts – General (Continued) 182

8.2 United States Government Contracts - Non-Commercial Products 183

8.2 United States Government Contracts - Non-Commercial Products (Continued) 184

8.3 United States Government Contracts - Commercial Products 185

8.3 United States Government Contracts - Commercial Products (Continued) 186

8.3 United States Government Contracts - Commercial Products (Continued) 187

8.4 Contracts With State And Local Governments And Educational Institutions Within The United States 188

8.5 Contracts With Governments Outside The United States 190

8.5 Contracts With Governments Outside The United States (Continued) 191

9.0 Records And Information Management 192

9.2 Standards of Internal Record Keeping Requirements 197

9.2 Standards of Internal Record Keeping Requirements (Continued) 198

9.2 Standards of Internal Record Keeping Requirements (Continued) 198

10.0 Computer, Telecommunication And Systems Controls 201

10.1 Owners, Users, And Service Providers 206

10.1 Owners, Users, And Service Providers 207

10.1 Owners, Users, And Service Providers (Continued) 208

10.1 Owners, Users, And Service Providers (Continued) 209

10.3 Computer Access Control 214

10.4 Network Operations And Security Controls 224

10.4 Network Operations And Security Controls (Continued) 225

10.5 Systems Development Methodology 228

10.5 Systems Development Methodology (Continued) 229

10.5 Systems Development Methodology (Continued) 230

10.6 Change Management 231

10.6 Change Management (Continued) 232

10.7 Computer And Telecommunications Backup For Production Restart/Recovery 235

10.8 Disaster Recovery And Business Contingency Planning 237

10.8 Disaster Recovery And Business Contingency Planning (Continued) 241

10.8 Disaster Recovery And Business Contingency Planning (Continued) 242

10.9 Input Controls 243

10.10 Output Controls 245

10.11 Paperless Transactions, Electronic Commerce, And Edi 247

10.12 Non-Company Networks And Bulletin Boards 250

11.0 Protection of Assets: Human, Physical And Intellectual 256

11.1 Security Framework 258

11.1 Security Framework (Continued) 259

11.1 Security Framework (Continued) 260

11.2 Perimeter Security 261

11.2 Perimeter Security (Continued) 262

11.3 Interior Security 264

11.3 Interior Security 265

11.4 Protecting Intellectual Property 266

12.0 The Insurance Process 268

12.1 Protection Against Physical Damage And Other Accidents 269

12.2 Insurance (Property & Casualty Risks) 270

12.3 Business Continuity 272

13.0 Environmental, Health, And Safety (Eh&S) 273

13.1 General Controls 275

13.1 General Controls (Continued) 276

14.0 Customer Services 277

14.1 Policy 279

14.1 Policy (Continued) 280

14.1 Policy (Continued) 281

14.2 Call Center Management 282

14.2 Call Center Management (Continued) 283

14.3 Warranty 284

14.3 Warranty (Continued) 285

14.3 Warranty (Continued) 286

14.4 Support Sales 287

15.0 Professional Services (Ps) 288

15.1 General Controls 290

15.1 General Controls (Continued) 291

15.2 Opportunity-Bid Process 292

15.2 Opportunity-Bid Process (Continued) 293

15.2 Opportunity-Bid Process (Continued) 294

15.3 Program Management 295

15.3 Program Management (Continued) 296

15.3 Program Management (Continued) 297

15.3 Program Management (Continued) 298

15.3 Program Management (Continued) 299

15.4 Customer Order Management 300

15.4 Customer Order Management (Continued) 301

15.4 Customer Order Management (Continued) 302

16.0 Entity Level Controls 303

16.1 Compliance And Compliance Screening 305

16.1 Compliance And Compliance Screening (Continued) 306

16.2 Internal Controls Roles And Responsibilities 308

16.2 Internal Controls Roles And Responsibilities (Continued) 309

16.4 Audit Committee Controls 313

16.4 Audit Committee Controls (Continued) 314

16.4 Audit Committee Controls (Continued) 315

17.0 Glossary 318

18.0 Addendum – Additional Tools 327

18.1 Example Internal Controls Policy 327

18.2 Delegation of Authority (Doa) Policy 330

18.3 Segregation of Duties (Sod) Policy 338

18.4 System Access (Sa) Policy 352

18.5 Pricing Policy Example 355

18.6 Testing Internal Controls And Selecting Sample Sizes 357

References 361