
SOX COMPLIANCE

AT
TATA MOTORS, LUCKNOW

December 27, 2004 1


PRESENTATION OUTLINE

• INTRODUCTION
• PROCESS MAPPING
• RISK CONTROL MATRIX (RCM) TEMPLATE
    • Risk Information
    • Control Information
    • Testing Information
    • Re-Testing Information
• ACTION STEPS
• MANAGEMENT'S REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING
INTRODUCTION



Emergence of Sarbanes Oxley Act (SOX), 2002

The Sarbanes Oxley Act was enacted due to various financial irregularities committed by companies like Enron, Xerox, WorldCom, which resulted in their collapse and loss to the investors.

Applicability to Tata Motors Ltd

Tata Motors Ltd has listed its Global Depository Receipts (GDRs) in the form of American Depository Receipts (ADRs) on the New York Stock Exchange (NYSE). In view of this listing, it has become obligatory to comply with the requirements of the Sarbanes Oxley Act, 2002.


Focus and Objective of SOX Act

The focus of SOX is on the processes and systems through which all transactions are captured and ultimately flow into the financial statements.

The objective of SOX is to ensure accurate financial reporting.

What does SOX call for?

There are several requirements of the SOX Act. One of the main requirements is extensive and elaborate documentation of business processes, including evaluation and evidence of tests of controls. In other words, the crux is management's assessment of the effectiveness of internal control over financial reporting. The external auditors will review the process adopted, to ensure that it would result in accurate financial reporting, and give their opinion.


Broad Steps involved in Process Documentation

1. Process Flowcharting and Narratives
   a. Flowcharts
   b. Key Statistics
   c. Key Controls
   d. Accounting entries
   e. SAP Transaction Codes

2. Risk Identification and Assessment
   a. Risk Identification
   b. Likelihood
   c. Significance
   d. Rating

3. Control Identification, Evaluation and Remediation of Design Deficiencies
   a. Control Objective
   b. Control Activity
   c. Type of Control
   d. Assessment of Test of Design of Control

4. Control Testing for Operating Effectiveness
   a. Testing Strategy
   b. Sample size
   c. Results of Test of Controls
   d. Gaps

5. Remediation of Deficiency in Operating Effectiveness of Controls and Re-testing
   a. Remediation Steps
   b. Remediation Schedule
   c. Retesting & Conclusion


PROCESS MAPPING



The steps involved in process mapping are as follows:

1. Identification of Major Business Processes
2. Identification of Sub-Processes for each Business Process identified
3. Identification of Activities involved in each Sub-Process
4. Two/Three tier flowcharting for each Process / Sub-Process identified
5. Narratives
6. Accounting Entries
7. Key Statistics
8. Key Controls
1. Business Processes (Col No. 1 of the template)

Eleven major Business Processes have been identified for process mapping in Tata Motors Ltd.

1. Procurement to Payment
2. Order to Collection
3. Hire to Retirement
4. Production planning to Warranty
5. Inventory (Receipt of Material to Consumption)
6. Fixed Assets (Acquisition – Capitalization – Disposal)
7. Regulatory Cycle
8. Establishment and Business Support (e.g. Information
Technology)
9. Sourcing to Utilization of funds (Treasury)
10. Product Development (ERC)
11. Financial closing and reporting process



2. Sub-Processes (Col No. 3 of the template)

There may be multiple sub-processes for a main process. You need to identify the sub-processes for the business process assigned to you.

3. Activities (Col No. 4 of the template)

Every sub-process would have one or more activities. You need to identify the activities involved for each of the sub-processes identified.


4. Flowcharting

The detailed operations and controls associated with the various business processes need to be documented in flowcharts. Each activity in a given process should be detailed in the flowchart.

A two / three tier flowchart needs to be prepared for each process / sub-process.

Contents of a three tier flowchart

Level 1: Overview of the process containing each of the main activities, i.e. top level flowchart / block diagram
Level 2: Breakdown of the main activities into sub-activities, i.e. detailed flowchart
Level 3: More detailed description of the sub-activities, i.e. activity level flowchart

If the process cannot be broken down any further at the second tier, a third tier flowchart is not necessary.


4. Flowcharting (Contd.)

All flowcharts need to be prepared in MS Visio only.

Please note that the auditor will do the walkthrough exactly as per the document provided by you: he will trace a transaction box by box through the process chart. We therefore need to ensure that the auditor does not find that the actual process differs in any way from the one flowcharted, as that would call for the whole thing to be redone. To prevent such an eventuality, do the walkthrough yourself first and confirm that the process works as it has been flowcharted.


Level 1: Top Level flowchart for the Business Process "Hire to Retire"
(Block diagram on the slide; boxes in sequence from START to END)

START
Recruitment
Updation of SAP master data
Payroll processing in SAP HR
Payment to CTF / PF liability; Payment to employees; Payment to third parties (three parallel boxes)
Book closure
Balances in salary related significant accounts in financial statements
END


Level 2: Detailed Flowchart for Sub-process "Payroll Processing"
"PAYROLL" PROCESS OF TATA MOTORS
(Detailed flowchart on the slide; the recovered boxes are listed below)

1. Process on-roll employees payroll processing
2. Process BKY payroll processing
3. Process ESS payroll processing
4. Process off-cycle (settlement) payroll processing
5. Process off-cycle (annual payments) payroll processing
6. Process DBS payroll processing
Posting to significant financial accounts


Level 3: Activity Level Flowchart for the activity "Payroll processing (BKY)"
(Activity level flowchart on the slide; the boxes and their process references are listed below, the connecting arrows are not reproduced)

START
Process 2A: Process for new cases after death, by Personnel; checking of application and approval by HR / Finance
Process 2B: Updation of SAP HR master data by HR (exception reports, manual checking)
Process 2C: Payroll processing (exception reports)
Decision: Is payroll run for all eligible cases accurately? (NO / YES)
Process 2D: Exception reports
Process 2E: Posting to accounting, simulation run
Decision: Is posting error free? (NO / YES)
Process 2F: Posting to accounting, live run
Process 2G: Payment run (cheques; bank statements)
Process 2I: Payment to banks
Process 2K: Dispatch of payslips to nominees of BKY employees by post; acknowledgement letter
Process 2H: Actuarial valuation of BKY liability
Process 2J: Transfer of balance sheet data to logistic server
Process 2L: Provision for staff welfare expenses
Process 2M: Balances in BKY related significant financial accounts in financial statements
EXIT PAYROLL

CONDUCT WALKTHROUGH TO ENSURE CORRECTNESS OF FLOW


5. Narratives :
Process Documentation should include brief description of each
process / sub-process with appropriate cross-reference to the
flowcharts.

The flow chart will provide the complete flow of activities for a
process/ sub-process. However, you need to create a separate
document where you should write a brief narrative of each
process/ sub-process, to explain what happens in each process/
sub-process with appropriate cross-references to the flowchart.
 
This should be a two column document wherein the first column
contains the description of the process / sub-process along with
the reference no. of the flowchart and the second column
contains a brief narrative of the process / sub-process. The
narrative should indicate, “Who does what, when and how is it
done”. Please write the narrative in simple language. Be brief.



6. Accounting Entries:

Typically, most of the activities are captured by the system as transactions. These transactions invariably result in financial accounting entries. To ensure proper control, we need to identify and document the accounting entries at each step mentioned in the flowchart. It would be easier for you to download these from SAP and provide them at the point where the entries are generated. You may underline the accounts that are scoped in for SOX compliance.

Financial accounting entries should be documented separately and also marked on the flowchart with cross-references.


7. Key Statistics:

The key statistics (volumes & values) should be documented to understand the process and the extent of testing to be done.

The purpose of providing key statistics is to understand the process, its spread and depth. This will also give us an understanding of the extent of testing to be done, based on volume and value. We need to provide the key statistics on an annual basis. For example, the statistics for accounts payable are as under:

• No. of invoices processed
• Total no. of active vendors
• Value of invoices processed
• No. of GINs
• No. of Hundis generated
• No. of cheques generated


8. Key Controls:

Controls that are placed on steps critical to the process are key controls (mainly related to financial reporting). All key controls need to be marked on the flowchart using the prescribed symbol.

Based on the key controls identified, you need to prepare a summary document describing each of the key controls, and also mark the same on the flowchart with appropriate cross-references.

Note:
Before you proceed to identification of risks, please review whatever you have done with the process in-charge. This will avoid rework at a later stage.

9. SAP Transaction Codes:

The SAP transaction codes used for the activities depicted on the flowchart need to be stated, to indicate the activity done on the system.


RISK CONTROL MATRIX TEMPLATE



RISK CONTROL MATRIX
(Template columns, numbered as they are referred to throughout this presentation)

RISK INFORMATION
1. Sr No
2. Process
3. Sub-Process
4. Activities Identified
5. Owner
6. Risk
7. COSO Objective
8. Probability of Occurrence (refer Table 1)
9. Magnitude of Impact (refer Table 2/3/4)
10. Risk Rating (= Probability × Magnitude)

CONTROL INFORMATION
11. Control Objective
12. Control Description
13. Nature of Control (Preventive or Detective)
14. Type of Control (Manual or Automated)
15. Frequency of Control
16. Key Control (Y/N)
17. Anti Fraud Control (Y/N)
18. Performer
19. Financial Statement Assertions
20. Assessment of Design of Control (Test of Design): PASS / FAIL and reason
21. Remediation steps required, if any
22. Remediation Schedule (date when)
23. Walkthrough summary

TESTING INFORMATION
24. Test of Control (Y/N)
25. Testing Strategy
26. Sample Tested
27. Results of test of control
28. Supporting Documentation and its location
29. Conclusion: Fail / Pass
30. Gaps in operating effectiveness of controls
31. What is the alternate control (if there is failure of the control)
32. Remediation steps required, if any
33. Remediation Schedule (date when)

RETESTING INFORMATION
34. Test of Control (Y/N)
35. Testing Strategy
36. Sample Tested
37. Results of test of control
38. Supporting Documentation and its location
39. Gaps in operating effectiveness of controls
40. Remediation steps required, if any
41. Remediation Schedule (date when)
42. Final Conclusion


RISK INFORMATION



1. Risk Identification: (Col No. 6 of the template)

Identification of risks in the process being documented is the most important part of the documentation. In a way it is the core of the documentation, and in turn the success of the complete SOX compliance depends on successful risk identification and an understanding of the controls that need to be put in place.

Risk is an event or condition that can negatively / adversely affect the outcome of the activity.

Examples of Risk:
1. Payables may be processed incorrectly or fraudulently
2. Payables may not be recorded in the appropriate period
3. Unauthorized access to sensitive areas having confidential information


Methods of Risk Identification

• Conduct a walkthrough of the flowchart and determine "WHAT CAN GO WRONG" at each activity of the flowchart.
• Identify risks based on the type and nature of risk involved. The various types of risks are:
  i. Financial Risks: risks which result in direct financial loss
  ii. Operational Risks: risks which result in improper / sub-optimal use of resources
  iii. Regulatory Risks: risks which result in regulatory non-compliance
  iv. Fraud Risks: risks which result in an unlawful personal gain


• Identify risks based on the source of risk. Risks could occur due to internal or external factors.
  Internal factors could be: personnel, systems, policies etc.
  External factors could be: vendors, customers, third parties, regulatory agencies, new technology etc.

A combination of the above three methods of identifying risks should be used to ensure that all risks have been covered.

IT IS EXTREMELY IMPORTANT TO ENSURE THAT THE AUDITOR DOES NOT IDENTIFY A SIGNIFICANT RISK WHICH YOU HAVE NOT BEEN ABLE TO IDENTIFY.


TIP: After doing the risk identification exercise, if you find
that you have not identified any risk pertaining to one of
the types (e.g. fraud or external), you need to re-think
whether you have missed identifying any risk or really
there is no risk pertaining to that type.
CAUTION:
You should identify and record all risks irrespective of the
possibility of their happening or however ridiculous it may
seem. Do not omit recording of a risk just because you
perceive that “it may not happen” or you feel “this can never
happen.”
 
MOST IMPORTANT:
Once you go through the complete process and identify all the
risks, go through the process once again with some one who
is knowledgeable about the process and the risks or do
brainstorming with your colleagues.
 
COSO

To assess the effectiveness of our internal controls, we need a standard set of control criteria. The COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework is the most commonly used set of criteria for assessing the effectiveness of internal control. The COSO framework describes five components of internal control:

1) Control Environment
2) Risk Assessment
3) Control Activities
4) Information and Communication
5) Monitoring


Tiers of COSO Framework

1. Control Environment
• Sets the tone of the organization, influencing the control consciousness of its people.
• Factors include integrity, ethical values, competence, authority, responsibility.
• Foundation for all other components of control.

2. Risk Assessment
• The identification and analysis of relevant risks to achieving the entity's objectives, forming the basis for determining control activities.

3. Control Activities
• Policies / procedures that ensure management directives are carried out.
• Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties.

4. Information and Communication
• Pertinent information identified, captured and communicated in a timely manner.
• Access to internal and externally generated information.
• Flow of information that allows for successful control actions, from instructions on responsibilities to summary of findings for management action.

5. Monitoring
• Assessment of a control system's performance over time.
• Combination of ongoing and separate evaluation.
• Management and supervisory activities.
• Internal audit activities.

All five components must be in place for controls to be effective.
2. COSO Objective: (Col No. 7 of template)

When evaluating the effectiveness of internal controls, we look at it as an integrated whole. Weak controls in one area can be offset by stronger controls in another area. COSO defines internal control as a process. When you evaluate internal control, you are evaluating a process and not an outcome.

The COSO framework states that the five components are required to be in place to meet the following objectives:

• Efficiency and effectiveness of Operations
• Accuracy of the Financial Reporting
• Ensuring Regulatory Compliance

Every risk identified may impact one or more of the above COSO objectives. Record the most predominant objective.


3. Risk Assessment: (Col No. 8, 9 & 10 of template)

Evaluation of risks involves determining:

Probability of Occurrence of the Risk (Col No. 8): the chance or probability of occurrence of a particular risk in a specified timeframe. (Page 17 of Manual)

Magnitude of Impact of the Risk (Col No. 9): the impact of the risk on a particular activity. The impact is judged by the bearing that the risk has on the COSO objective.

Risk Rating (Col No. 10): rating the risk helps to determine the priority of the risks for risk management. Risks are rated on a scale of 1 to 25, as Probability × Magnitude. The higher the rating, the more serious the risk.

(Refer to the tables in the manual for determining the Probability of Occurrence and Magnitude of Impact of the risks.)


CONTROL INFORMATION



1. Identifying Control Objectives (Col No. 11 of template):

A control objective is a statement of the desired result or purpose to be achieved by implementing control procedures in a particular sub-process / activity. Control objectives are the goals of management, such as operational efficiency, effectiveness and compliance with applicable rules and regulations.

Control objectives can be segmented as per the various types of risks that they address, e.g. financial, operational, regulatory, fraud etc.

Typically, every sub-process / activity would have a control objective. It is this control objective which would not be met if a risk materialises. We therefore need to ascertain the control objective affected for each risk identified by us. It may so happen that a control objective is common to more than one risk. In such a case, please repeat the control objective for each risk.


2. Identifying Control Activities: (Col No. 12 of template) :
Control activities are the policies and procedures (actions taken) to
mitigate the risks and to achieve the control objectives. Control
activities may be in the form of authorizations, variance analysis,
analysis of exception reports, computer validation checks, review by
seniors etc

There may exist many control activities for a particular risk or control
objective. Conversely, a control activity can cover more than one
control objective/risk.



Examples
a. “Invoices for goods/services received are authorized and
accompanied by appropriate supporting documents.”
b. “Ability to input, change, cancel or release vendor invoices for
payment is restricted to authorized personnel.”
c. “A physical access control mechanism is used to restrict and
record access to protected areas and authority to change
physical access control mechanisms is restricted to appropriate
personnel.”

3. Determining Nature of Controls (Col No. 13 of template):

Controls could be of a preventive or detective nature.

Controls that prevent a risk from occurring / materializing are preventive controls. Examples of preventive controls are:
i. User authorization controls
ii. System validation controls
iii. Access to the Computer Centre based on ID cards


Controls that detect whether a risk has occurred are detective controls. Examples of detective controls are:
i. Analysis of exception reports generated
ii. Account or bank reconciliations

4. Automated vs Manual Controls (Type of Control) (Col No. 14 of template)

Automated: controls which the system applies without any action from the user, to ensure control over the process (e.g. a validation check that SAP enforces on every entry).

Manual: procedures which users carry out to exercise control over the process.


5. Frequency of Control (Col No. 15 of template):

Every control needs to be exercised at specified intervals in order to ensure its effectiveness. Depending on the criticality of the control, the frequency of the control needs to be determined. The number of times the control is exercised is to be documented.

The control could be exercised at the following frequencies:
• Every transaction
• Daily
• Weekly
• Monthly
• Quarterly
• Annually


6. Determining if the control is a Key Control (Col No. 16 of template):

There are some steps in the process which are very important because of the nature of the activity being performed. Hence, the controls placed on these steps are equally important. These important controls are "key controls".

Controls that have a significant impact on financial reporting are referred to as key controls. Failure of a key control will seriously hamper the accuracy of financial reporting.

The following factors need to be considered to determine whether a control is a key control:
i. Risk Rating
ii. Threshold limit
iii. Qualitative factors
iv. Risks impacting the COSO objective of Financial Reporting


7. Anti Fraud Control (Col No. 17 of template)

SOX places considerable importance on the prevention and detection of fraud. The likelihood of fraud occurring can be reduced by implementing effective controls that either prevent fraud or identify it in a timely manner and minimise the resulting damage. Anti-fraud controls are those actions taken by management to mitigate specific fraud risks and to prevent, detect and deter fraud.

Thus, controls that prevent or detect fraud in a timely manner and minimize the resulting damage are referred to as Anti Fraud Controls. For the fraud risks identified, the associated controls would be considered Anti Fraud Controls.

Examples
i. Segregation of duties
ii. Authorizations on a "need to know, need to do" basis
iii. Appropriate approvals for transactions
iv. Periodic reviews and reconciliations
8. Performer of Control(Col No. 18 of template)

The one who exercises the control, is the performer of the control.
Depending upon the type of control, the performer of control can be
identified.
If the control is manual, the performer of control is the person
exercising the control. If the control is automated, the performer of
control is the system.



9. Financial Statement Assertions(Col No. 19 of template) :
Financial Statement Assertions are representations by management
regarding the completeness, validity and accuracy of financial
statements
The financial statement assertions are as follows-
i. Existence- Assets, liabilities and ownership interests exist at a
specific date.
ii. Occurrence- The recorded transactions represent events that
actually occurred during a certain period.
iii. Completeness- All transactions and other events and
circumstances that occurred during a specific period and should
have been recognized in that period, have in fact, been recorded.
iv. Valuation- Asset, liability, revenue and expense components are
recorded at appropriate amounts in conformity with relevant and
appropriate accounting principles
v. Rights and obligations- Assets are the rights, and liabilities are
the obligations, of the entity at the given date.
vi. Presentation- Items in the statements are properly described,
sorted and classified.
IMPORTANT

10. Assessment of Control Design (Col No. 20 of template): TEST OF DESIGN (TOD)

In order to ensure the effectiveness of controls, the basic construction of the control needs to be fool proof. Any deficiency in the design would adversely affect the reliability of the control. There may be deficiencies in the design of controls when:
i. The control itself is missing / cannot be relied upon
ii. The control has not been designed effectively to ensure achievement of the control objective.

The nature and type of control play an important role in the review of design deficiencies. The controls could be:
i. Preventive Automated
ii. Detective Automated
iii. Preventive Manual
iv. Detective Manual

Contd...


Contd...

By their nature, automated controls are reliable and need less oversight than manual controls (provided the general computer controls over the system, such as access security and system software controls, are themselves effective), and at the process level preventive controls are preferred over detective controls. It is therefore preferable to have more controls in the preventive, automated category. Where it is not possible to move a control from category iv (Detective Manual) towards category i (Preventive Automated), compensating / supplementary controls should be instituted to improve the reliability of the control.

Note:
1. A detailed description of any shortcoming in the design of a control should be documented at the time of assessment of the design of the control.

2. Please do not proceed further if a design shortcoming is identified. The gap must be closed first, and then the modified / new control should be tested.


11. Remediation Measures (Col No. 21 of template)

Remediation of design deficiencies can be done in the following ways:

1. Installing proper controls
2. Changing existing controls to meet the control objectives

Examples
i. Segregation of duties
ii. Removal of excess authorizations

Remediation measures are most critical for controls that are manual and detective. Efforts should be made to convert manual detective controls into automated preventive controls. Where this is not possible, supplementary controls need to be put in place.

Remediation of controls should be done as per a pre-determined schedule.


12. Remediation Schedule (Col No. 22 of template)

The remediation steps identified above will have to be carried out as per a predetermined schedule. This schedule, giving a detailed timeline for remediation, needs to be prepared by every process team and documented.


13. Walkthrough (Col No. 23 of template)

PURPOSE: To ensure that the controls identified actually exist.

Conduct a Walkthrough:
A walkthrough is a process in which a transaction is traced from origination to the reflection of the transaction in the company's financial reports. A walkthrough should encompass the entire process of initiating, authorising, recording, processing and reporting individual transactions and controls for each significant process, including controls to address the risk of fraud.

Walkthrough Summary: (Col No. 23 of template)
After the control assessment and remediation of the design gaps, a walkthrough of the process should be conducted. A walkthrough is conducted in order to ensure that the process flows as indicated in the flowchart and that the controls identified are actually working effectively. A summary of this walkthrough needs to be documented.


13. Walkthrough: HOW?

Conducting a walkthrough:
1. Take a transaction at random.
2. Start at the origin of the transaction.
3. Identify the documents and the data fed into the system.
4. Check the correctness and completeness of the data.
5. Check for the authorizations and signatures of the proper authorities, as indicated in the process document.
6. Check for evidence that records are being kept and that the backup papers are stored for reference.
7. Check whether all the steps in the process, as indicated in the process map and the narrative, occur and in the same sequence.
8. Check whether all the controls indicated in the process map are working and effective.
9. Document all your observations and conclusion.


COMPUTER CONTROLS

General Computer Controls: Controls over data center operations, system software controls and access security are defined as general computer controls. E.g. access to the data centre, disaster recovery plans etc.

Application Controls:
• Input Control: checks and ensures input of correct data only. Examples: validation controls, alpha / numeric fields, master data validation, inter-field compatibility.
• Processing Control: ensures that the required processing has been done as per the schedule and completely.
• Output Control: ensures that the output is correct.

Authorizations: very important from the point of view of SOX compliance. Authorizations are granted on a "need to know, need to do" basis and are role based. Permissions are granted based on written requests of the group in-charge.
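The four kinds of input control named above are easier to see in code than in a list. The following Python validator is an added example for this page, not Tata Motors' code and not anything from SAP: it applies a validation control (mandatory fields), alpha / numeric field checks, master data validation against a vendor master, and inter-field compatibility checks to one vendor invoice entry, and reports every failure at once. The vendor master, the open posting period, the field formats, the "today" date and the sample invoices are all constructed for illustration.

```python
"""Application input controls for a vendor invoice entry (added example).

Not Tata Motors' or SAP's code. Vendor master, open posting period, field
formats and sample invoices below are constructed for illustration.
"""
import re
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed vendor master data: vendor number -> attributes.
VENDOR_MASTER = {
    "100234": {"name": "Alpha Auto Parts", "blocked": False, "currency": "INR"},
    "100987": {"name": "Beta Castings",    "blocked": True,  "currency": "INR"},
}

# Constructed open posting period: only postings dated inside it are accepted.
OPEN_PERIOD = (date(2004, 12, 1), date(2004, 12, 31))

REQUIRED_FIELDS = ("vendor_id", "invoice_no", "invoice_date", "posting_date",
                   "due_date", "amount", "currency")


def validate_invoice(inv, vendor_master=VENDOR_MASTER, open_period=OPEN_PERIOD,
                     today=date(2004, 12, 27)):
    """Return the list of control failures; an empty list means the input passes.

    All checks run and every failure is reported, so the clerk sees the whole
    picture instead of fixing one problem per re-entry.
    """
    errors = []

    # 1. Validation control: all mandatory fields present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if inv.get(f) in (None, "")]
    if missing:
        # Nothing else can be checked reliably without these; stop here.
        return [f"missing field(s): {', '.join(missing)}"]

    # 2. Alpha / numeric field checks: format and type of each field.
    if not re.fullmatch(r"\d{6}", inv["vendor_id"]):
        errors.append("vendor_id: must be exactly 6 digits")
    if not re.fullmatch(r"[A-Z0-9][A-Z0-9/-]{0,15}", inv["invoice_no"]):
        errors.append("invoice_no: 1-16 upper-case letters, digits, '/' or '-'")
    try:
        if Decimal(str(inv["amount"])) <= 0:
            errors.append("amount: must be greater than zero")
    except InvalidOperation:
        errors.append("amount: not a number")
    if not re.fullmatch(r"[A-Z]{3}", inv["currency"]):
        errors.append("currency: must be a 3-letter ISO code")

    # 3. Master data validation: the vendor must exist and be open for posting.
    vendor = vendor_master.get(inv["vendor_id"])
    if vendor is None:
        errors.append("vendor_id: not found in vendor master")
    elif vendor["blocked"]:
        errors.append("vendor_id: vendor is blocked for posting")

    # 4. Inter-field compatibility: the fields must make sense together.
    inv_date, post_date, due = inv["invoice_date"], inv["posting_date"], inv["due_date"]
    if inv_date > today:
        errors.append("invoice_date: cannot be in the future")
    if due < inv_date:
        errors.append("due_date: earlier than invoice_date")
    if not (open_period[0] <= post_date <= open_period[1]):
        errors.append("posting_date: outside the open posting period")
    if vendor is not None and inv["currency"] != vendor["currency"]:
        errors.append("currency: does not match the vendor master currency")

    return errors


# Constructed sample inputs: one clean invoice and three that must be rejected.
SAMPLE_INVOICES = {
    "ok": {"vendor_id": "100234", "invoice_no": "INV/2004/118",
           "invoice_date": date(2004, 12, 20), "posting_date": date(2004, 12, 22),
           "due_date": date(2005, 1, 19), "amount": "125000.00", "currency": "INR"},
    "blocked_vendor": {"vendor_id": "100987", "invoice_no": "BC-771",
           "invoice_date": date(2004, 12, 20), "posting_date": date(2004, 12, 22),
           "due_date": date(2005, 1, 19), "amount": "5000", "currency": "INR"},
    "bad_dates": {"vendor_id": "100234", "invoice_no": "INV/2004/119",
           "invoice_date": date(2004, 12, 30), "posting_date": date(2005, 1, 3),
           "due_date": date(2004, 12, 1), "amount": "10", "currency": "INR"},
    "garbage": {"vendor_id": "12AB", "invoice_no": "inv 1",
           "invoice_date": date(2004, 12, 1), "posting_date": date(2004, 12, 1),
           "due_date": date(2004, 12, 31), "amount": "-3x", "currency": "rupees"},
}


def run_samples():
    """Validate every sample invoice and return {name: list of failures}."""
    return {name: validate_invoice(inv) for name, inv in SAMPLE_INVOICES.items()}


if __name__ == "__main__":
    for name, errs in run_samples().items():
        print(f"{name}: {'PASS' if not errs else 'FAIL'}")
        for e in errs:
            print("   -", e)
```

The order of the checks matters: format checks run before the master data lookup so that a malformed vendor number is reported as such rather than as "not found", and the master data result feeds the inter-field currency check, which is why that check is skipped when the vendor does not exist.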


SAP Authorizations (slide callout: MATERIAL WEAKNESS)

1. Identify all persons involved in the process / sub-processes in your area and having SAP user codes.
2. List out the activities they need to perform on the system.
3. Identify the SAP transaction codes for which they need to be given authorizations, based on step 2 above.
4. List out the SAP transaction codes for which they currently have authorizations, based on the roles attached to their user code.
5. Match the SAP transaction codes listed as per step 3 with those currently authorized, as identified in step 4.
6. Identify excess authorizations based on step 5.
7. Remove excess authorizations and any obvious segregation of duties conflicts.
8. Ensure documentation as per the format given.
9. Institute appropriate approval processes for making any change to the newly granted authorizations.
10. Any new induction of personnel / change of job would warrant conducting steps 1 to 9 again.
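Steps 1 to 7 above are a set comparison: what each user needs versus what their roles actually grant, followed by a check for segregation of duties conflicts. The following Python is an added example, not Tata Motors' code and not an SAP tool: it takes the per-user required transaction code lists (the output of steps 2 and 3) and the current role assignments (step 4), flattens roles into granted T-codes, reports excess and missing authorizations (steps 5 and 6), and flags segregation of duties conflicts (step 7), distinguishing conflicts that disappear once the excess is removed from those that remain in the job itself. The T-codes are genuine SAP transaction codes, but the roles, user assignments, required lists and SoD rules are constructed for illustration; in a real review the role-to-T-code mapping would be exported from SAP rather than typed in.

```python
"""Least-privilege review of SAP authorizations (added example, slide steps 1-7).

Not Tata Motors' code. The transaction codes are real SAP T-codes (FB60/MIRO
enter vendor invoices, F110 runs the payment program, XK01/XK02/XK03
create/change/display vendors, FB03/MIR4/FBL1N are display reports), but the
roles, assignments, required lists and SoD rules are constructed.
"""
from dataclasses import dataclass

# Step 4 input, constructed: role -> set of T-codes the role grants.
ROLE_TCODES = {
    "Z_AP_CLERK":   {"FB60", "MIRO", "FB03"},   # enter and display vendor invoices
    "Z_AP_PAYMENT": {"F110", "FB03"},           # run the automatic payment program
    "Z_VENDOR_MDM": {"XK01", "XK02", "XK03"},   # maintain vendor master data
    "Z_DISPLAY":    {"FB03", "XK03", "MIR4"},   # display only
}

# Constructed segregation-of-duties rules: (set A, set B, description).
# Holding any T-code from A together with any from B is a conflict.
SOD_RULES = [
    ({"XK01", "XK02"}, {"FB60", "MIRO"}, "maintain vendor master AND enter vendor invoice"),
    ({"FB60", "MIRO"}, {"F110"},         "enter vendor invoice AND release payment"),
    ({"XK01", "XK02"}, {"F110"},         "maintain vendor master AND release payment"),
]


@dataclass
class Finding:
    user: str
    excess: set         # step 6: granted but not needed -> remove
    missing: set        # needed but not granted -> grant via the approval process
    sod_granted: list   # step 7: conflicts present in what is granted today
    sod_residual: list  # conflicts that survive removal of excess: a job design issue


def granted_tcodes(roles, role_tcodes=ROLE_TCODES):
    """Step 4: flatten a user's roles into the set of T-codes they can run."""
    tcodes = set()
    for role in roles:
        tcodes |= role_tcodes.get(role, set())   # unknown role grants nothing
    return tcodes


def sod_conflicts(tcodes, rules=SOD_RULES):
    """Return the description of every SoD rule the given T-code set violates."""
    return [desc for a, b, desc in rules if tcodes & a and tcodes & b]


def review_user(user, required, roles, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Steps 5 to 7 for one user: compare needed vs granted, then check SoD."""
    granted = granted_tcodes(roles, role_tcodes)
    return Finding(
        user=user,
        excess=granted - required,
        missing=required - granted,
        sod_granted=sod_conflicts(granted, rules),
        # If the required set itself conflicts, trimming authorizations cannot
        # fix it: the activity list has to be split between two people.
        sod_residual=sod_conflicts(required, rules),
    )


def review_all(required_by_user, roles_by_user, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Run the review for every user in scope (step 1); returns {user: Finding}."""
    return {u: review_user(u, req, roles_by_user.get(u, []), role_tcodes, rules)
            for u, req in required_by_user.items()}


# Constructed output of steps 2 and 3: the T-codes each user actually needs.
REQUIRED = {
    "ap_clerk01": {"FB60", "MIRO", "FB03"},
    "treasury01": {"F110", "FB03", "FBL1N"},
    "mdm01":      {"XK01", "XK02", "XK03"},
    "super01":    {"FB60", "F110"},   # one person both enters and pays: job design conflict
}
# Constructed current role assignments (step 4).
ASSIGNED = {
    "ap_clerk01": ["Z_AP_CLERK", "Z_AP_PAYMENT"],   # payment role left over from an old job
    "treasury01": ["Z_AP_PAYMENT"],
    "mdm01":      ["Z_VENDOR_MDM", "Z_DISPLAY"],
    "super01":    ["Z_AP_CLERK", "Z_AP_PAYMENT"],
}

if __name__ == "__main__":
    for f in review_all(REQUIRED, ASSIGNED).values():
        print(f"{f.user}: remove {sorted(f.excess) or '-'}, grant {sorted(f.missing) or '-'}")
        for c in f.sod_granted:
            tag = "job must be split" if c in f.sod_residual else "fixed by removing excess"
            print(f"   SoD conflict: {c} ({tag})")
```

Running it shows why step 7 names segregation of duties separately from excess authorizations: ap_clerk01's conflict vanishes once the leftover payment role is removed, whereas super01's conflict is in the required list itself and can only be cleared by splitting the job. The same comparison has to be re-run on every joiner or job change, which is what step 10 asks for.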
TESTING INFORMATION



1. Testing of Controls (Col No. 24 of template): TEST OF OPERATING EFFECTIVENESS (TOE)

The next step is to determine the extent of testing of controls to be conducted for the process. Management has to demonstrate that controls covering all five COSO components of internal control are operating effectively. Only those controls that are identified as key controls and that affect the financial statement assertions need to be tested. The process teams will do the first round of testing for each of their sub-processes.


Testing of Controls: STEPS TO FOLLOW
IMPORTANT
• More THOROUGH than a simple walkthrough.
• Concentrate on the controls.
• Finalize the testing strategy (key controls, nature of testing).
• Based on the population, identify the sample size. Pick at random as many documents / transactions as indicated by the sample size.
• Test the transactions for the key controls as per the process flow.
• If, out of the total samples tested, instances of failure of key controls are found, select another sample which is double the number of failed samples and retest.
• Document the process of testing as well as the results.
• Retain the documentation at a central place.
• Give a rating (pass / fail) for every control that is tested.


Testing Strategy: (Col No. 25 of template)

The test plans should cover the following key elements:
• Key controls to be tested
• Nature of tests, such as inquiry, observation, examination or re-performance
• Extent of testing, which should cover testing of both automated and manual controls
• Timing of the tests of controls
• Description of the tests conducted
• Key administrative items, like who will perform the tests, the evidence to be reviewed and where the controls are performed
• Documentation of the tests conducted
• Exceptions observed, if any


Sample to be tested: (Col No. 26 of template)

All manual controls identified as key controls need to be tested using sampling techniques. An automated control applies the same logic to every transaction, so it is typically tested by examining its configuration and the IT general controls (change management, access) that keep that logic intact, rather than by a large transaction sample.

Results of Test of Control: (Col No. 27 of template)

To conclude on whether the controls are operating effectively, the following steps are necessary:

• Management should develop an inventory of all deficiencies / control failures.
• The root cause of each deficiency should be documented and an assessment of corrective action made.
• The Steering Committee should assess each deficiency and prioritise remedial action.



Supporting documentation and its location: (Col No. 28 of template)

After you complete the testing and finalise the results, these need to be documented and retained for review by management and the external auditors.

Conclusion (Col No. 29 of template)

The conclusion of the testing can be indicated only as “PASS” or “FAIL” and no other way.



Gaps in Operating effectiveness of Controls (Col. No. 29 of template)

Identify the gaps which need to be plugged so that the control works the way it should.

The alternate control (if this control fails) (Col No. 30)

Identify whether there is an alternate control which can compensate for the failure of this control.



Remediation of control gaps

1. Prioritize the failed controls to be remediated, based on the discussions and guidance from the team leader.

2. Identify the remediation which will close the gap and ensure the control works in the desired way.

3. Draw up a schedule for the action plan and a time frame for the same.

4. Ensure that remediation is done as per the time schedule.

IMPORTANT: Remediated controls need to be operating for a sufficient period before the assessment date so that their operation can be tested; otherwise expect an adverse comment from the auditors.
RE-TESTING INFORMATION



Post Remediation Testing and further remediation required, if any:

Perform the same steps that have been followed for testing as given above for the controls that have been identified for retesting. In case of any deficiencies identified after retesting has been done, the controls have to be looked at from both the design and the operating effectiveness point of view.

THIS IS THE LAST CHANCE

Based on the testing after remediation, the final conclusion should be

“CONTROL WORKING EFFECTIVELY”

ELSE YOU NEED TO DETERMINE THE LEVEL OF DEFICIENCY
Level of Deficiency – Operating Effectiveness of Controls

Ineffective controls are graded by severity:

Internal Control Deficiency:
An internal control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

Significant Deficiency:
A significant deficiency is an internal control deficiency, or combination of deficiencies, that adversely affects the entity’s ability to initiate, record, process or report external financial data reliably.

Material Weakness:
A material weakness is a significant deficiency that, by itself or in combination with other significant deficiencies, results in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.
Important Things to remember

1. We need to do a walkthrough at three stages:
• Once when we are doing the flowcharts – to ensure that the flowchart depicts exactly the way the process moves and no other way.
• A second time when we are doing risk identification – as the process by which to do it.
• Finally when we are testing the controls – to check the effectiveness of the controls.

2. Identification of risks is THE MOST IMPORTANT task in the whole exercise. We need to brainstorm to ensure that all the risks are captured.

3. We need to ensure that the auditor does not find any difference between the flowchart and the process in reality, and that the auditor does not identify any significant risk which we have not been able to foresee. Otherwise it would call for significant re-work.

4. Having an internal control deficiency, significant or otherwise, would be viewed seriously and reported to Management & the Audit Committee.
TIME IS OF THE ESSENCE

We need to complete this exercise by 31st March 2005



ACTION STEPS

• After you complete the entire cycle for a process / sub-process – review by
an independent agency like Internal Audit
• Remediation and re-testing if any deficiencies are found
• Re-check by an Independent Agency
• Final Audit by Statutory Auditors



CEO AND CFO CERTIFICATION: Sections 302 and 404
(The personal certifications in each periodic report fall under Section 302; management's assessment of internal control over financial reporting and the auditor's attestation on it fall under Section 404.)
CEO & CFO to certify that:
 They have designed, established and maintained internal controls & procedures over financial reporting
 They have reviewed the financial statements & there is no material misstatement.
 They have used a specific framework (e.g. COSO) to evaluate the effectiveness of internal control over financial reporting
 Based on their knowledge, the financial statements present fairly, in all material respects, the company’s financial position.
 They have reported to the Audit Committee & External Auditors all significant deficiencies & any fraud.
 They have disclosed significant changes affecting internal controls and any corrective actions taken with regard to significant deficiencies.
 The external auditor has issued an attestation report on management's assessment of internal control over financial reporting.



Thank You
