
Audit Checklists & Continuous Auditing for Financial Close and Sarbanes-Oxley (SOX) Audit Procedures

December 2006

This document provides a consolidated set of audit checklists typical of those used by internal and external auditors to evaluate the financial close process and test compliance with Sarbanes-Oxley (SOX).
These checklists identify all of the controls that typically make up an audit and highlight ways that you can automate many of the tasks by using an independent controls monitoring and audit (CMA) solution.
Table of Contents
Section 1 – Financial Close Process
Section 2 – Entity Level Controls - Control Environment
Section 3 – Entity Level Controls - Information & Communication
Section 4 – Entity Level Controls – Monitoring
Section 5 – Entity Level Controls – Risk Assessment
Section 6 – Expenditure Process Controls
Section 7 – Fixed Assets Process Controls
Section 8 – Inventory Management Process Controls
Section 9 – Payroll Process Controls
Section 10 – Revenue Process Controls
Section 11 – Treasury Process Controls
Section 12 – SOX Checklist
About Approva

Section 1 – Financial Close Process
The financial close process is the single largest source of internal controls weaknesses disclosed in SEC filings. Some of the most common challenges include revenue recognition, accruals, capitalization, and inter-company eliminations. For this reason, it is typically a major focus of most audits. The following checklist highlights the key controls that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #1: Financial Close Process


| # | Business Activity | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 1 | Financial Close | Accounting policies exist, are kept current, and are communicated to the appropriate personnel. | z | |
| 2 | Financial Close | Procedures are in place to ensure that all transactions are recorded in accordance with GAAP. | z | |
| 3 | Financial Close | Close procedures, including due dates, responsibilities, disclosure updates, and account classifications are defined, communicated, and implemented. | z | Continuous controls monitoring and audit of the financial close process is an integral part of the financial close procedure. |
| 4 | Financial Close | The standard corporate reporting format is utilized. | z | CMA solutions can report test results in existing corporate reports or as part of third party reporting packages (e.g. Crystal Reports). |
| 5 | Financial Close | Access to accounting and reporting applications is limited to the appropriate individuals. | z | CMA solutions provide detailed remediation and monitoring of user access for accounting and reporting applications. |
| 6 | Financial Close | Journal entry input is restricted to authorized personnel. | z | CMA solutions monitor unauthorized or irregular journal entries. |
| 7 | Financial Close | There is a checklist of the standard closing journal entries made at month-end, quarter-end, and year-end. | z | CMA solutions identify non-standard journal entries. |
| 8 | Financial Close | Pre-numbered vouchers are used to ensure that all non-recurring entries are processed only once in the system. | z | CMA solutions identify duplicate journal entries. |
| 9 | Financial Close | Manual journal entries have adequate supporting documentation and are approved by the appropriate level of management. | z | CMA solutions identify manual journal entries that do not have proper approvals. |
| 10 | Financial Close | Standardized journal entries are used for recurring journal entries. | z | |
| 11 | Financial Close | Journal entries are supported and authorized before being posted. | z | CMA solutions identify unauthorized journal entries. |
| 12 | Financial Close | System logic prevents journal entries for which debits do not equal credits. | z | CMA solutions identify journal entries for which debits do not equal credits. |
| 13 | Financial Close | The system will not allow journal entries to be recorded to a closed accounting period. | z | CMA solutions identify journal entries that have been recorded after a closed accounting period. |
| 14 | Financial Close | System logic will not allow duplicate journal entry numbers. | z | CMA solutions identify duplicate journal entries. |
| 15 | Financial Close | A procedure detailing the calculation of specific accruals and recording rules exists and is consistently applied. | z | |
| 16 | Financial Close | Write-offs and reserves are clearly defined, consistently applied, and monitored in accordance with company policy. | z | |
| 17 | Financial Close | All account balances are reconciled prior to closing the books, including confirming that balances agree with related parties. | z | |
| 18 | Financial Close | Significant variances in reconciliations are investigated and resolved timely. | z | |
| 19 | Financial Close | Fluctuation analysis of actual to budget or prior periods is performed. | z | |
| 20 | Financial Close | The financial reporting package is reviewed by management before submission to Corporate. | z | |
| 21 | Financial Close | Duties are appropriately segregated in the closing process. | z | CMA solutions identify and remediate segregation of duties violations. |
| 22 | Financial Close | Access/authorization controls are in place to maintain the integrity of the chart of accounts. | z | CMA solutions monitor all changes to the chart of accounts. |
| 23 | Financial Close | Procedure is in place to identify any changes to master data that have significant financial accounting and/or reporting implications to the accounting department. | z | CMA solutions monitor all changes to master data. |
| 24 | Financial Close | A procedure is in place to identify and communicate transactions/events that have significant financial accounting and/or reporting implications to the accounting department. | z | For the operations that CMA solutions monitor, appropriate alerting and reporting is performed to communicate any anomalies in financial close procedures. |

z = Significant opportunities to implement a controls monitoring and audit (CMA) solution


z = Some opportunity to implement a controls monitoring and audit (CMA) solution
z = Little or no opportunity to implement a controls monitoring and audit (CMA) solution

Section 2 – Entity Level Controls - Control Environment
The control environment helps define the atmosphere in which people conduct their activities
and carry out their control responsibilities. It sets the tone of an organization by influencing the
control consciousness of its people. It is the foundation for all other components of internal
controls and provides discipline and structure. Control environment factors include the
integrity, ethical values, and competence of the organization’s people; management's
philosophy and operating style; the way management assigns authority and responsibility; the
way management organizes and develops its people; and the attention and direction provided
by the audit committee and board of directors.
The objective of the control environment is to establish and promote a collective attitude toward achieving effective internal control over the entity's business. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #2: Entity Level Controls - Control Environment


| # | COSO Attribute | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 1 | Integrity & Ethical Values | A code of conduct and other policies exist regarding acceptable business practices, conflicts of interest, or expected standards of ethical and moral behavior. | z | |
| 2 | Integrity & Ethical Values | There is an established "tone at the top" including explicit guidance about what is right and wrong. This tone is communicated and practiced by executives and management throughout the organization. Employees are aware of what to do when they encounter improper behavior. | z | |
| 3 | Integrity & Ethical Values | Management follows ethical guidelines in dealing with employees, suppliers, customers, investors, creditors, insurers, competitors, regulators, and auditors. | z | |
| 4 | Integrity & Ethical Values | The importance of high ethics and controls is discussed with newly hired employees through orientations or interviews. | z | |
| 5 | Integrity & Ethical Values | Management removes or reduces incentives or temptations that might cause personnel to engage in dishonest or unethical acts. | z | |
| 6 | Integrity & Ethical Values | Management takes appropriate disciplinary action in response to departures from approved policies and procedures or violations of the code of conduct. | z | |
| 7 | Integrity & Ethical Values | Situations involving pressure to meet unrealistic targets do not exist or are properly controlled - particularly for short-term results. | z | |
| 8 | Integrity & Ethical Values | Individual compensation awards are in line with the ethical values of the company, and foster an appropriate ethical tone (e.g., bonuses are not given to those that meet objective, but in the process circumvent established policies, procedures, or controls). | z | |
| 9 | Commitment to Competence | Company personnel have the competence and training necessary for their assigned duties. | z | |
| 10 | Commitment to Competence | Personnel are cross-trained to understand other functions and the impact of their specific duties on other areas of the company. | z | |
| 11 | Commitment to Competence | Management possesses broad functional experience (i.e., management comes from several functional areas rather than just a few, such as production and sales). | z | |
| 12 | Commitment to Competence | Management provides personnel with access to training programs on relevant topics. | z | |
| 13 | Commitment to Competence | Formal job descriptions or other means of defining tasks that comprise particular jobs exist and are effectively used. | z | |
| 14 | Commitment to Competence | Adequate staffing levels are maintained to effectively perform required tasks. | z | |
| 15 | Management's Philosophy & Operating Style | Management analyzes the risks and potential benefits of ventures. | z | |
| 16 | Management's Philosophy & Operating Style | Turnover in management or supervisory personnel is monitored and the reasons for significant turnover are evaluated. | z | |
| 17 | Management's Philosophy & Operating Style | Senior management maintains contact with and consistently emphasizes appropriate behavior to operating personnel. | z | |
| 18 | Management's Philosophy & Operating Style | Management exemplifies attitudes and actions reflecting a sound control environment and commitment to ethical values. | z | |
| 19 | Management's Philosophy & Operating Style | Management adopts accounting policies that best reflect the economic realities of the business. | z | |
| 20 | Organizational Structure | Executives clearly understand their responsibility and authority for business activities and how they relate to the entity as a whole. | z | |
| 21 | Organizational Structure | The entity establishes appropriate lines of reporting, giving consideration to its size and the nature of its activities. | z | |
| 22 | Organizational Structure | The structure of the entity facilitates the flow of information to appropriate people in a timely manner. | z | For the operations that CMA solutions monitor, appropriate alerting and reporting is performed to communicate any anomalies in the control environment. |
| 23 | Organizational Structure | Incompatible duties are segregated (e.g., separation of accounting for and access to assets). | z | CMA solutions identify and remediate segregation of duties (SoD) violations. |
| 24 | Assignment of Authority & Responsibility | Employees throughout the entity are assigned authority and responsibility related to their specific job functions. | z | |
| 25 | Assignment of Authority & Responsibility | Job descriptions contain specific references to control-related responsibilities. | z | |
| 26 | Assignment of Authority & Responsibility | Employees are empowered, when appropriate, to correct problems or implement improvements. | z | CMA solutions are designed so that the business process owner can design, implement and monitor controls and perform remediation of control violations without having to enlist IT resources. |
| 27 | Assignment of Authority & Responsibility | There is a structure for assigning ownership of information including who is authorized to initiate or change transactions. | z | CMA solutions include remediation workflow to remediate SOD violations. |
| 28 | Assignment of Authority & Responsibility | There are policies and procedures for authorization and approval of transactions. | z | |
| 29 | Human Resources Policies & Procedures | Management establishes and enforces standards for hiring the most qualified individuals, with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior. | z | |
| 30 | Human Resources Policies & Procedures | Screening procedures, including background checks, are employed for job applicants, particularly for employees with access to assets susceptible to misappropriation. | z | |
| 31 | Human Resources Policies & Procedures | Recruiting practices include formal, in-depth employment interviews and informative, insightful presentations on the entity's history, culture, and operating style. | z | |
| 32 | Human Resources Policies & Procedures | Training policies communicate prospective roles and responsibilities and illustrate expected levels of performance and behavior. | z | |
| 33 | Human Resources Policies & Procedures | Job performance is periodically evaluated and reviewed with each employee. | z | |
| 34 | Human Resources Policies & Procedures | Disciplinary actions send a message that violations of expected behavior will not be tolerated. | z | |
| 35 | Human Resources Policies & Procedures | An ongoing education process enables people to deal effectively with evolving business environments. | z | |

z = Significant opportunities to implement a controls monitoring and audit (CMA) solution
z = Some opportunity to implement a controls monitoring and audit (CMA) solution
z = Little or no opportunity to implement a controls monitoring and audit (CMA) solution

Section 3 – Entity Level Controls - Information & Communication
Information and communication is the component of internal controls that ensures that
pertinent information is identified, captured, and communicated in a form and timeframe that
enables people to carry out their responsibilities. Information systems produce reports
containing operational, financial, and compliance-related information that make it possible to
run and control the business. They deal with internally-generated data, as well as with
information about external events, activities, and conditions necessary to make informed
business decisions and generate reliable external reports. Effective communication must also
occur in a broader sense, throughout the organization. The “tone at the top” must clearly
demonstrate to all employees that control responsibilities are to be taken seriously. Individuals
must understand their own role in the internal control system, as well as how individual
activities relate to the work of others. Individuals must have a means of communicating
significant information upwards within the organization.
The objective of information and communication audits is to ensure that information relevant to operating the business and the maintenance of internal controls and records is identified, captured, and communicated to the appropriate individuals on a timely basis. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #3: Entity Level Controls - Information & Communication


| # | COSO Attribute | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 1 | Information Availability | Management monitors relevant external information and considers the impact on the entity. | z | |
| 2 | Information Availability | Internal information regarding financial results is generated by the entity's financial information systems and that information is reported regularly. | z | CMA solutions greatly reduce the time and effort of monitoring information system controls that affect the accuracy of financial statements. |
| 3 | Information Availability | Entity-wide operating results are reviewed and compared against budgets at regular intervals. | z | |
| 4 | Information Availability | The adequacy of the information technology structure is considered by senior management. | z | |
| 5 | Information Availability | Managers and other personnel have the required information in sufficient detail to carry out their responsibilities and there are mechanisms in place to ensure changing needs are met. | z | |
| 6 | Reliability of IT Systems | Management has a strategic plan for IT systems that are linked to the entity's overall strategies. | z | Independent CMA solutions can easily integrate with other governance, risk, compliance, and security-related applications such as Identity Management, GRC applications and portals. |
| 7 | Reliability of IT Systems | Procedures are in place to provide assurance that relevant information is identified, captured, processed and reported by IT systems in an appropriate and timely fashion. | z | CMA solutions can continuously monitor SOD, Financial Close, Order to Cash, Procure to Pay, System Configuration, Sensitive Transactions, and custom transactions in financial systems to ensure compliance is met and enforced. |
| 8 | Reliability of IT Systems | Management adequately staffs and designs the IT department to support the entity's overall business objectives. | z | CMA solutions significantly reduce the effort of monitoring financial system controls by effectively utilizing existing staff. |
| 9 | Reliability of IT Systems | There are defined responsibilities for individuals responsible for implementing, documenting, testing, and approving changes to computer programs and systems. | z | CMA solutions can assist in change control by monitoring financial application system settings. |
| 10 | Reliability of IT Systems | There is a regular back-up of application programs and data files. | z | |
| 11 | Reliability of IT Systems | The entity has a disaster recovery plan in place that allows for the timely recovery of information. The disaster recovery plan is tested regularly and is updated as the business changes. | z | |
| 12 | Reliability of IT Systems | There is a high level of user satisfaction with the IT systems, including reliability and timeliness of reports. | z | CMA solutions are used by a broad scope of Fortune 1000 organizations. |
| 13 | Communication | Employee duties and control responsibilities are timely and effectively communicated. | z | |
| 14 | Communication | Communication across the organization is adequate, complete and timely to enable people to perform their responsibilities effectively. | z | For the operations that CMA solutions monitor, appropriate alerting and reporting is performed to communicate any anomalies in the control environment. |
| 15 | Communication | There is an established channel of communication for people to report, anonymously when appropriate, suspected improprieties and management encourages employees to utilize such channels when necessary. | z | |
| 16 | Communication | Reported problems are investigated in a timely manner and disciplinary actions are taken when necessary. | z | |
| 17 | Communication | There are realistic mechanisms in place for employees to provide recommendations. | z | |

z = Significant opportunities to implement a controls monitoring and audit (CMA) solution
z = Some opportunity to implement a controls monitoring and audit (CMA) solution
z = Little or no opportunity to implement a controls monitoring and audit (CMA) solution

Section 4 – Entity Level Controls – Monitoring
Monitoring is a process that assesses the quality of the entity's internal control performance
over time. Effective monitoring is accomplished through ongoing monitoring activities,
separate evaluations, or a combination of the two. Ongoing monitoring occurs in the course of
operations and includes regular management and supervisory activities, and other actions
personnel take in the performance of their duties. The scope and frequency of separate
evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing
monitoring procedures. Internal control deficiencies should be reported throughout the
organization with serious matters reported to top management and the board.
The objective of monitoring is to detect and remediate control deficiencies throughout the entire system of internal control. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #4: Entity Level Controls – Monitoring


| # | COSO Attribute | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 1 | Ongoing Monitoring | Management monitors relevant external and internal information and considers the impact on the control structure. | z | CMA solutions can continuously monitor SOD, Financial Close, Order to Cash, Procure to Pay, System Configuration, Sensitive Transactions, and custom transactions in financial systems to ensure compliance is met and enforced. |
| 2 | Ongoing Monitoring | Procedures are in place to monitor when controls are overridden and to determine if the override was appropriate. | z | CMA solutions can continuously monitor SOD, Financial Close, Order to Cash, Procure to Pay, System Configuration, Sensitive Transactions, and custom transactions in financial systems to ensure compliance is met and enforced. |
| 3 | Ongoing Monitoring | Management takes appropriate action on exceptions to policies and procedures. | z | CMA solutions include remediation workflow to remediate SOD violations. This remediation includes applying compensating controls for exceptions. |
| 4 | Ongoing Monitoring | Management responds timely to comments identified in management letters from the external auditor. | z | |
| 5 | Ongoing Monitoring | Internal audit has the authority to review any aspect of the entity's operations. | z | CMA solutions enable audit to monitor 100% of financial system controls on a daily or weekly basis rather than a 5% sample performed on a quarterly basis. |
| 6 | Ongoing Monitoring | Controls are reviewed to ensure that they are being applied as expected. | z | For the systems that CMA solutions support, control design, deployment and monitoring is designed to be operated by the business process owner (without IT intervention) which facilitates better controls as the same person who is responsible for the control owns the controls. |
| 7 | Ongoing Monitoring | Internal audit is independent of the activities they audit. | z | Independent CMA solutions that are not sold by financial applications vendors provide independent verification of controls effectiveness. |
| 8 | Ongoing Monitoring | Internal auditors are prohibited from having an operating role in the activities they monitor. | z | |
| 9 | Ongoing Monitoring | Management is required to respond in a timely manner to the internal audit department's findings and recommendations. | z | |
| 10 | Reporting Deficiencies | Internal and/or external audit comments and management responses are provided to the audit committee or board of directors. | z | |
| 11 | Reporting Deficiencies | Complaints of improper financial matters by external parties such as suppliers or regulators are fully investigated and documented. | z | |
| 12 | Reporting Deficiencies | Discrepancies that have been identified by customers are investigated and resolved. | z | CMA solutions can not only identify discrepancies in financial applications but they can also identify the root cause of the discrepancy to enable a faster remediation of the issue. |
| 13 | Reporting Deficiencies | Controls that should have prevented or detected problems are reassessed when problems occur. | z | |
| 14 | Separate Evaluations | Personnel with the requisite skills conduct evaluations of appropriate portions of the internal control system. | z | CMA solutions can automate the control testing for financial applications reducing the need for highly skilled personnel to manually conduct control testing. |
| 15 | Separate Evaluations | The frequency and scope of supervision and monitoring activities are appropriate to the size and nature of the entity. | z | CMA solutions enable audit to monitor 100% of financial system controls on a daily or weekly basis rather than a 5% sample performed on a quarterly basis. |
| 16 | Separate Evaluations | Supervisory personnel perform various random and structured reviews over the functioning of control procedures. | z | CMA solutions enable audit to monitor 100% of financial system controls on a daily or weekly basis rather than a 5% sample performed on a quarterly basis. |

z = Significant opportunities to implement a controls monitoring and audit (CMA) solution


z = Some opportunity to implement a controls monitoring and audit (CMA) solution
z = Little or no opportunity to implement a controls monitoring and audit (CMA) solution

Section 5 – Entity Level Controls – Risk Assessment
Risk assessment is the component of the entity’s internal controls that involves identifying and analyzing risks (both internal and external) relevant to achieving business objectives and objectives related to the preparation of reliable financial statements.
The objective of the entity's risk assessment process is to establish and maintain an effective process to identify, analyze, and manage risks relevant to achieving business objectives and/or the preparation of reliable financial statements. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #5: Entity Level Controls – Risk Assessment


| # | COSO Attribute | Point of Focus/Control Objective | Ability to Automate | Description of Automation |
|---|---|---|---|---|
| 1 | Entity-Wide Objectives | Management has a business planning process in place that examines existing objectives and establishes new objectives when necessary. | z | |
| 2 | Entity-Wide Objectives | Management establishes business plans and budgets with realistic goals, and incentives for achievement of plans are balanced. | z | |
| 3 | Entity-Wide Objectives | Objectives are communicated at the appropriate levels and are understood and adopted by the responsible parties. | z | |
| 4 | Entity-Wide Objectives | Management has established a process to periodically review and update entity-wide strategic plans and objectives. | z | |
| 5 | Activity-Level Objectives | Activity-level objectives are linked with entity-wide objectives and strategic plans. | z | |
| 6 | Activity-Level Objectives | Activity-level objectives are consistent with each other (e.g., objectives for the sales organization are consistent with the manufacturing organization). | z | |
| 7 | Risk Identification & Management | Management identifies risks related to each of the established objectives. | z | |
| 8 | Risk Identification & Management | Management has mechanisms in place to identify business risks resulting from entering new markets or lines of business or from offering new products and services. | z | |
| 9 | Risk Identification & Management | Management identifies financial reporting risks that result from operations or compliance with laws and regulations. | z | |
| 10 | Risk Identification & Management | Management identifies fraud risk factors, including management override of controls. | z | |
| 11 | Risk Identification & Management | Identifying risks includes estimating the significance of the risks identified, assessing the likelihood of the risks occurring, and determining the need for action. | z | |
| 12 | Risk Identification & Management | Risks are evaluated as part of the business planning process. | z | |
| 13 | Risk Identification & Management | Senior management develops plans to mitigate significant identified risks. | z | |
| 14 | Risk Identification & Management | The responsibilities and expectations for the entity's business activities and the entity's philosophy about identification and acceptance of business risk are clearly communicated to the executives in charge of separate functions. | z | |
| 15 | Risk Identification & Management | Risks are reviewed periodically with the appropriate corporate governance functions (e.g., executive management, disclosure committee, audit committee, and legal). | z | |
| 16 | Manage Change | The business planning process includes a broad spectrum of personnel with collective knowledge of all areas of the entity. | z | |
| 17 | Manage Change | The business planning process includes consideration of changes in the business environment, including the industry, competitors, the regulatory environment, and customers. | z | |
| 18 | Manage Change | Changes in risks are identified in a timely manner. | z | |
| 19 | Manage Change | Changes are appropriately communicated to the proper level of management (depending on the significance). | z | |
| 20 | Manage Change | Management has identified the resources needed to achieve the objectives and has plans to acquire the necessary resources. | z | |
| 21 | Manage Change | Budgets and forecasts are updated throughout the year to reflect changing conditions. | z | |

z = Significant opportunities to implement a controls monitoring and audit (CMA) solution
z = Some opportunity to implement a controls monitoring and audit (CMA) solution
z = Little or no opportunity to implement a controls monitoring and audit (CMA) solution

Section 6 – Expenditure Process Controls
For most large organizations, the procurement process generates thousands of transactions a day. Controllers and purchasing managers carry a serious responsibility to oversee these transactions and ensure that only legitimate payments are made. Sarbanes-Oxley has only increased the scrutiny with which auditors look at procurement-related controls. Auditors demand evidence of strong controls when they test an organization’s expenditure process controls. The following checklist highlights the key areas of focus that auditors test and indicates where there are opportunities to automate processes as part of a continuous audit process.

Checklist #6: Expenditure Process Controls


| # | Business Activity | Point of Focus / Control Objective | Description of Automation |
|---|---|---|---|
| 1 | Purchasing | Purchase orders are placed only for approved requisitions. | CMA solutions can monitor purchase orders for appropriate approvals. |
| 2 | Purchasing | Purchase orders are entered accurately. | CMA solutions can monitor master data and other key fields in purchase orders. |
| 3 | Purchasing | All purchase orders issued are input and processed. | |
| 4 | Purchasing | Purchasing has established and follows policies and procedures to qualify and evaluate vendors prior to becoming approved vendors. | CMA solutions can ensure that vendor policies such as credit limits are not violated. |
| 5 | Purchasing | There is an approved/preferred vendor list that is maintained by the purchasing department. | |
| 6 | Purchasing | A threshold has been established for obtaining competitive bids and quotations for expenditures. | |
| 7 | Purchasing | After-the-fact PO’s are identified, tracked, and followed-up on regularly. | CMA solutions can identify purchase orders that are issued after goods are received. |
| 8 | Purchasing | Vendor performance (price, product quality, delivery, etc.) is monitored periodically. | |
| 9 | Purchasing | Purchase price variances are monitored to evaluate the effectiveness of the purchasing department. | |
| 10 | Purchasing | Justification for using sole source vendors is documented and approved by management. | |
| 11 | Purchasing | There is a contingency plan for alternative sources of supply with respect to sole source vendors. | |
| 12 | Purchasing | Unused/open purchase orders are reviewed periodically and investigated by individuals independent of the purchasing and receiving functions. | CMA solutions can identify open purchase orders independent of purchasing and receiving departments. |
| 13 | Receiving | Contents of incoming shipments, as listed on the packing slip or bill of lading, are compared to the physical product(s) received. | |
| 14 | Receiving | Approved purchase orders are required for all receipts. | CMA solutions can identify goods received without purchase order. |
| 15 | Receiving | A sequentially numbered receiving report is generated for all items received. | |
| 16 | Receiving | All receipts are physically processed and recorded timely in the relevant systems. | |
| 17 | Receiving | The receiving department maintains a permanent record of original receiving documents (packing slips, bills of lading, and receiving reports). | |
| 18 | Receiving | Written procedures exist identifying which inbound goods require inspection before being released to production. | |
| 19 | Receiving | Rejected goods are clearly marked and segregated to prevent use. | |
| 20 | Receiving | Rejected goods are promptly returned to the vendor for credit. | CMA solutions can identify goods returned pending credit. |
| 21 | Receiving | There are procedures in place to ensure adequate cut-off of receipts at period end. | |
| 22 | Processing Accounts Payable | Amounts posted to accounts payable represent goods or services received. | CMA solutions can identify anomalies in accounts payable vs. goods received. |
| 23 | Processing Accounts Payable | Only original invoices are processed for payment. | CMA solutions can monitor changes to master data and identify duplicate payment of invoices. |
| 24 | Processing Accounts Payable | Prices and extensions on invoices are checked for accuracy. | |
| 25 | Processing Accounts Payable | Vendor discounts are taken in accordance with current cash management guidelines. | CMA solutions can monitor master data information including vendor discounts. |
| 26 | Processing Accounts Payable | Invoices processed for payment are marked/perforated to prevent duplicate processing/payment. | |
| 27 | Processing Accounts Payable | System logic prevents duplicate invoices from being processed. | CMA solutions can identify duplicate payments. |
| 28 | Processing Accounts Payable | Accounts payable amounts are accurately calculated and recorded. | CMA solutions can identify anomalies in accounts payable vs. goods received. |
| 29 | Processing Accounts Payable | All amounts for goods or services received are input and processed to accounts payable in the appropriate period. | |
| 30 | Processing Accounts Payable | Credit notes and other adjustments are accurately calculated and recorded. | |
| 31 | Processing Accounts Payable | All valid credit notes and other adjustments related to accounts payable are input and processed in the appropriate period. | |
| 32 | Processing Accounts Payable | Vendor invoices are matched to purchase order receiving information prior to payment. | CMA solutions can perform 3-way matching to ensure that payments are not disbursed to invoices without matching purchase orders. |
| 33 | Processing Accounts Payable | Disbursements are only made for goods and services received. | CMA solutions can identify disbursements made without goods or services received. |
| 34 | Processing Accounts Payable | Disbursements are distributed to the appropriate suppliers. | CMA solutions monitor master data so that appropriate supplier information is correct. |
| 35 | Processing Accounts Payable | Disbursements are accurately calculated and recorded. | |
| 36 | Processing Accounts Payable | All disbursements are recorded in the period in which they are issued. | CMA solutions can identify disbursements made outside of the period they were issued. |
| 37 | Processing Accounts Payable | Accounts payable sub-ledger is reconciled to the general ledger at least monthly. | |
| 38 | Processing Accounts Payable | Debit balances in the accounts payable subsidiary ledger are promptly investigated and, if necessary, refunds are obtained from vendors. | |
| 39 | Processing Accounts Payable | All necessary accruals (received not vouchered) are computed and recorded at period end. | |
| 40 | Maintaining Vendor Master File | Only valid changes are made to the supplier master file. | CMA solutions monitor master data so that appropriate supplier information is correct. |
| 41 | Maintaining Vendor Master File | All valid changes to the supplier master file are input and processed. | CMA solutions monitor master data so that appropriate supplier information is correct. |
| 42 | Maintaining Vendor Master File | Changes to the supplier master file are accurate and are processed in a timely manner. | |
| 43 | Maintaining Vendor Master File | Supplier master file data remains pertinent. | |
| 44 | Maintaining Vendor Master File | Access to the vendor master file is limited to appropriate individuals. | CMA solutions monitor access to vendor master file. |
| 45 | Maintaining Vendor Master File | The functions to create vendor master file, prepare an invoice for payment, create the check run, sign and distribute checks are segregated. | CMA solutions monitor segregation of duty access controls to ensure changes to vendor master file, prepare invoice for payment, and distribution of checks are segregated. |

Ability to Automate rating scale: significant opportunities, some opportunity, or little or no opportunity to implement a controls monitoring and audit (CMA) solution.

Section 7 – Fixed Assets Process Controls
For organizations in most industries, fixed assets represent one of the largest items on the
balance sheet. Auditors require that companies have well-controlled processes for recording,
managing and retiring fixed assets. The following checklist highlights the key areas of focus
that auditors test and indicates where there are opportunities to automate processes as part
of a continuous audit process.

Checklist #7: Fixed Assets Process Controls


| # | Business Activity | Point of Focus / Control Objective | Description of Automation |
|---|---|---|---|
| 1 | Acquiring Fixed Assets | Recorded fixed asset acquisitions represent fixed assets acquired by the organization. | CMA solutions monitor the proper security within the ERP to reduce unauthorized changes. |
| 2 | Acquiring Fixed Assets | Prior to the acquisition of any fixed asset, a capital authorization is obtained. | |
| 3 | Acquiring Fixed Assets | Fixed asset acquisitions are accurately recorded in the appropriate period. | |
| 4 | Acquiring Fixed Assets | All fixed asset acquisitions are recorded. | |
| 5 | Acquiring Fixed Assets | Capital expenditure overruns are anticipated and properly approved. | |
| 6 | Depreciating Fixed Assets | Depreciation charges are valid. | CMA solutions monitor the proper security within the ERP to reduce unauthorized changes. |
| 7 | Depreciating Fixed Assets | Depreciation charges are accurately calculated and recorded. | |
| 8 | Depreciating Fixed Assets | All depreciation charges are recorded in the appropriate period. | |
| 9 | Disposing of Fixed Assets | Recorded fixed asset disposals represent actual disposals. | CMA solutions monitor the proper security within the ERP to reduce unauthorized changes. |
| 10 | Disposing of Fixed Assets | All fixed asset disposals are recorded. | CMA solutions monitor the proper security within the ERP to reduce unauthorized changes. |
| 11 | Disposing of Fixed Assets | Fixed asset disposals (and related gain/loss) are accurately calculated and recorded. | |
| 12 | Disposing of Fixed Assets | Fixed asset disposals (and related gain/loss) are recorded in the appropriate period. | |
| 13 | Managing Fixed Assets | Records of fixed asset maintenance activity are accurately maintained. | |
| 14 | Managing Fixed Assets | Fixed assets are adequately safeguarded. | |
| 15 | Managing Fixed Assets | Fixed asset maintenance records are updated timely. | |
| 16 | Managing Fixed Assets | The Fixed asset register is reconciled to the General Ledger on a regular basis. | |
| 17 | Managing Fixed Assets | Management performs regular reviews for impairment of fixed assets. | |
| 18 | Managing Fixed Assets | A physical inventory of fixed assets is taken periodically and reconciled to the fixed asset register and general ledger. | |
| 19 | Maintaining Fixed Asset Register and/or Master File | Only valid changes are made to the fixed asset register and/or master file. | CMA solutions monitor master data files and General Ledger to ensure only valid changes are made. |
| 20 | Maintaining Fixed Asset Register and/or Master File | All valid changes to the fixed asset register and/or master file are input and processed accurately. | CMA solutions monitor master data files and general ledger to ensure only valid changes are made. |
| 21 | Maintaining Fixed Asset Register and/or Master File | Changes to the fixed asset register and/or master file are processed in a timely manner. | |
| 22 | Maintaining Fixed Asset Register and/or Master File | Access to transactions such as depreciation, purging fixed assets, changing the fixed asset register and master data should be reviewed on a regular basis. | CMA solutions monitor sensitive transaction access control to ensure that the appropriate people have access to such transactions. |

Ability to Automate rating scale: significant opportunities, some opportunity, or little or no opportunity to implement a controls monitoring and audit (CMA) solution.

Section 8 – Inventory Management Process Controls
Inventory – both raw materials and work-in-progress – represents a significant asset for most
companies. Auditors demand evidence that inventory on the books is salable and that
well-controlled processes exist for accounting for inventory as it moves through the supply chain.
The following checklist highlights the key areas of focus that auditors test and indicates
where there are opportunities to automate processes as part of a continuous audit process.

Checklist #8: Inventory Management Process Controls


| # | Business Activity | Point of Focus / Control Objective | Description of Automation |
|---|---|---|---|
| 1 | Managing Inventory | Inventory is salable or usable. | |
| 2 | Managing Inventory | Inventory is adequately safeguarded. | |
| 3 | Managing Inventory | Adjustments to inventory prices or quantities relate to valid price changes and physical inventory differences. | CMA solutions monitor access to change prices ensuring only authorized users can change prices. |
| 4 | Managing Inventory | All adjustments to inventory prices or quantities are recorded accurately. | CMA solutions monitor access to change prices or quantities ensuring only authorized users can change prices. |
| 5 | Managing Inventory | Adjustments to inventory prices or quantities are recorded in a timely manner and in the appropriate period. | |
| 6 | Receiving and Storing Raw Materials | Raw materials are received and accepted only if they have valid purchase orders. | CMA solutions can identify materials without valid purchase orders. |
| 7 | Receiving and Storing Raw Materials | Raw materials received are recorded accurately. | CMA solutions monitor access to receive and record materials ensuring only authorized users can perform transactions. |
| 8 | Receiving and Storing Raw Materials | All raw materials received are recorded. | |
| 9 | Receiving and Storing Raw Materials | Receipts of raw materials are recorded timely and in the appropriate period. | |
| 10 | Receiving and Storing Raw Materials | Defective raw materials are returned timely to suppliers. | |
| 11 | Requisitioning Materials | All transfers of raw materials to production are recorded accurately and in the appropriate period. | |
| 12 | Producing/Costing Inventory | All recorded production costs are consistent with actual direct and indirect expenses associated with production. | CMA solutions monitor access to record production costs ensuring only authorized users can perform transactions. |
| 13 | Producing/Costing Inventory | All direct and indirect expenses associated with production are recorded as production costs. | |
| 14 | Producing/Costing Inventory | All direct and indirect expenses associated with production are recorded accurately and in the appropriate period. | |
| 15 | Producing/Costing Inventory | All transfers of completed units of production to finished goods inventory are recorded completely and accurately in the appropriate period. | CMA solutions monitor access to record transfers of completed units ensuring only authorized users can perform transactions. |
| 16 | Producing/Costing Inventory | All defective products and scrap resulting from the production process are valid and recorded completely and accurately in the appropriate period. | CMA solutions monitor access to record transfers of completed units ensuring only authorized users can perform transactions. |
| 17 | Handling Finished Products | Finished goods returned by customers are recorded completely and accurately in the appropriate period. | |
| 18 | Handling Finished Products | Finished goods received from production are recorded completely and accurately in the appropriate period. | CMA solutions monitor access to record transfers of completed units ensuring only authorized users can perform transactions. |
| 19 | Handling Finished Products | Goods received from production or returned by customers are only accepted in accordance with the organization’s policies. | CMA solutions monitor access to goods received ensuring only authorized users can perform transactions. |
| 20 | Shipping Finished Products | All shipments are recorded accurately. | CMA solutions monitor access to shipping ensuring only authorized users can perform transactions. |
| 21 | Shipping Finished Products | Shipments are recorded timely and in the appropriate period. | |
| 22 | Shipping Finished Products | Inventory is relieved only when goods are shipped with approved customer orders. | CMA solutions can identify shipments without valid customer orders. |
| 23 | Shipping Finished Products | Costs of shipped inventory are transferred from inventory to cost of sales. | |
| 24 | Shipping Finished Products | Costs of shipped inventory are recorded accurately. | CMA solutions monitor access to shipping ensuring only authorized users can perform transactions. |
| 25 | Shipping Finished Products | Amounts posted to cost of sales represent those associated with shipped inventory. | CMA solutions monitor access to shipping ensuring only authorized users can perform transactions. |
| 26 | Shipping Finished Products | Costs of shipped inventory are transferred from inventory to cost of sales timely and in the appropriate period. | |
| 27 | Maintaining Inventory Master File | Only valid changes are made to the inventory management master file. | CMA solutions can monitor the master file and identify unauthorized changes. |
| 28 | Maintaining Inventory Master File | All valid changes to the inventory management master file are input and processed. | CMA solutions can monitor the master file and identify unauthorized changes. |
| 29 | Maintaining Inventory Master File | Changes to the inventory management master file are accurate. | CMA solutions monitor access to inventory management master data ensuring only authorized users can perform transactions. |
| 30 | Maintaining Inventory Master File | Changes to the inventory management master file are processed timely. | |
| 31 | Maintaining Inventory Master File | Inventory management master file remains pertinent. | |
| 32 | Inventory Accounting | Periodic inventory counts are performed to confirm inventory records. Selection of items for count is segregated from performing the count, which is in turn segregated from recording the count. System count is reflected on cycle count worksheets (e.g. “Blind” counts are performed). | |
| 33 | Inventory Accounting | Physical counts verify quantities on hand. | |
| 34 | Inventory Accounting | Written instructions are used by physical count personnel that provide guidance on timing of the count, number and composition of the count teams, areas of responsibility, how to perform and record the physical counts and count sheet control. | |
| 35 | Inventory Accounting | Discrepancies between physical counts and perpetual inventory records are researched prior to posting any adjustments to the perpetual and/or accounting records. | |
| 36 | Inventory Accounting | Inventory count crews are supervised. | |
| 37 | Inventory Accounting | Receiving/shipping during physical counts is controlled. | |
| 38 | Inventory Accounting | Perpetual records are reconciled to physical counts. | |
| 39 | Inventory Accounting | Perpetual/physical is reconciled to the general ledger. | |
| 40 | Inventory Accounting | Procedures are in place to adjust slow moving, obsolete, or damaged items to their expected realizable value. | |
| 41 | Inventory Accounting | Access to transactions such as inventory received, recording defective goods, shipping inventory and master data should be reviewed on a regular basis. | CMA solutions monitor segregation of duties access controls to ensure changes to inventory received, recording defective goods, shipping inventory and master data are segregated. |

Ability to Automate rating scale: significant opportunities, some opportunity, or little or no opportunity to implement a controls monitoring and audit (CMA) solution.

Section 9 – Payroll Process Controls
Payroll is the largest monthly expenditure for most companies, yet few have effective ways to
ensure proper business controls are in place and are monitored. Discrepancies resulting from
poorly-controlled processes – whether mistakes or fraud – can have a serious impact on a
company’s financial statements. The following checklist highlights the key areas of focus
that auditors test and indicates where there are opportunities to automate processes as part
of a continuous audit process.

Checklist #9: Payroll Process Controls


| # | Business Activity | Point of Focus / Control Objective | Description of Automation |
|---|---|---|---|
| 1 | Hiring Personnel | Additions to the payroll master files represent valid employees. | CMA solutions monitor changes to employee master data. |
| 2 | Hiring Personnel | All new employees are added to the payroll master files. | |
| 3 | Terminating Personnel | Terminated employees are removed in a timely manner from the payroll master files. | CMA solutions can check for expired employee status. |
| 4 | Terminating Personnel | Employees are only terminated within statutory and/or union requirements. | |
| 5 | Terminating Personnel | Deletions from the payroll master files represent valid terminations. | CMA solutions can monitor access to the master data file and ensure only authorized access which reduces master file data errors. |
| 6 | Recording Time | Time and attendance data recorded reflects actual time worked and is authorized. | |
| 7 | Recording Time | Time worked is accurately input and processed. | |
| 8 | Recording Time | Time worked is processed in a timely manner. | |
| 9 | Calculating Payroll | Payroll is recorded in the appropriate period. | CMA solutions can monitor postings made out of period. |
| 10 | Calculating Payroll | Payroll (including compensation and withholdings) is accurately calculated and recorded. | |
| 11 | Disbursing Payroll | Payroll disbursements and recorded payroll expenses relate to actual time worked. | |
| 12 | Disbursing Payroll | Payroll is disbursed to appropriate employees. | CMA solutions can check for expired employee status to ensure terminated employees are not receiving payroll. |
| 13 | Disbursing Payroll | Payroll registers are reviewed and approved before payroll is generated. | |
| 14 | Maintaining Payroll Master Files | Only valid changes are made to the payroll master files. | CMA solutions can monitor access to the master data file and ensure only authorized access which reduces master file data errors. |
| 15 | Maintaining Payroll Master Files | All valid changes to the payroll master files are input and processed. | |
| 16 | Maintaining Payroll Master Files | Changes to the payroll master files are accurate. | |
| 17 | Maintaining Payroll Master Files | Changes to the payroll master files are processed timely. | |
| 18 | Maintaining Payroll Master Files | Access to the payroll master files is appropriately limited. | CMA solutions can monitor access to the master data file and ensure only authorized access which reduces master file data errors. |
| 19 | Managing Payroll Accounting | Payroll related accruals/provisions reflect the existing business circumstances and economic conditions in accordance with the accounting policies being used. | |
| 20 | Managing Payroll Accounting | All payroll sub-ledgers and payroll-related bank accounts are reconciled to the general ledger at least monthly. | |

Ability to Automate rating scale: significant opportunities, some opportunity, or little or no opportunity to implement a controls monitoring and audit (CMA) solution.

Section 10 – Revenue Process Controls
Managing sales orders, ensuring that orders are taken and delivered on time, that payment is
collected quickly and that revenue recognition conditions are met directly impacts the integrity of a
company’s financial reports. For large companies this can involve thousands of transactions a
day. Last-minute orders, incorrect changes to master data and inappropriate returns can result
in thousands of discrepancies. Small mistakes, such as over-extended credit and incorrectly
recorded receivables, can add up and cause serious concern when it comes time to close the
books. In fact, revenue recognition issues are one of the most common reasons for
deficiencies in internal controls. The following checklist highlights the key areas of focus that
auditors test and indicates where there are opportunities to automate processes as part of a
continuous audit process.

Checklist #10: Revenue Process Controls


| # | Business Activity | Point of Focus / Control Objective | Description of Automation |
|---|---|---|---|
| 1 | Managing and Processing Orders | Credit reviews are required prior to entering into customer contracts. | |
| 2 | Managing and Processing Orders | In determining the appropriate credit line, the following factors have been considered: the customer’s purchasing requirements, historical information about the company, credit rating indications, quantitative (financial) evaluation, and qualitative (non-financial) factors. | |
| 3 | Managing and Processing Orders | Credit ratings and lines of credit are established utilizing a consistent methodology. | |
| 4 | Managing and Processing Orders | Orders are only processed within approved customer credit limits. | CMA solutions can check if credit limits for existing customers have been exceeded. |
| 5 | Managing and Processing Orders | Orders are approved by management as to prices and terms of sale. | CMA solutions can check if appropriate approvals have been attained. |
| 6 | Managing and Processing Orders | There is a policy for handling non-standard terms and conditions including appropriate management approval. | |
| 7 | Managing and Processing Orders | Orders and cancellations of orders are input accurately. | CMA solutions can monitor access control to managing and processing orders so that only authorized transactions can be performed which reduces errors. |
| 8 | Managing and Processing Orders | System logic prevents orders from being processed for invalid customers, customers that are on credit hold, or if the sales order puts the customer's credit balance in excess of their established credit limit. | CMA solutions can monitor orders that may be processed for invalid customers, on credit hold or exceeding their credit limit. |
| 9 | Managing and Processing Orders | Order entry data is transferred completely and accurately to the shipping and invoicing activities. | |
| 10 | Managing and Processing Orders | All, and only, valid orders received from customers are input and processed. | CMA solutions can identify invalid orders. |
| 11 | Shipping | The shipping function is properly segregated from the invoicing and accounts receivable functions. | CMA solutions can monitor access control to invoicing and accounts receivable functions to ensure segregation of duties. |
| 12 | Shipping | There are standard policies and procedures and they are followed by personnel. | |
| 13 | Shipping | Sequentially numbered shipping documents (BOL, customs forms, ASN, etc.) are prepared for all items shipped. | |
| 14 | Shipping | The daily shipping register is reconciled against orders shipped. | |
| 15 | Shipping | Shipped orders are transferred for invoicing promptly. | |
| 16 | Shipping | Period-end procedures exist and are followed to ensure proper cutoff of shipping activity. | |
| 17 | Invoicing, Sales Returns and Adjustments | Invoices are generated using authorized terms and prices. | CMA solutions can identify invoices with terms that fall outside the scope of authorized terms and prices. |
| 18 | Invoicing, Sales Returns and Adjustments | Invoices are accurately calculated and recorded. | |
| 19 | Invoicing, Sales Returns and Adjustments | All goods shipped are invoiced. | CMA solutions can identify goods shipped with no invoice. |
| 20 | Invoicing, Sales Returns and Adjustments | Invoices relate to valid shipments. | CMA solutions can identify invoices with no goods shipped. |
| 21 | Invoicing, Sales Returns and Adjustments | All invoices issued are recorded. | |
| 22 | Invoicing, Sales Returns and Adjustments | Invoices are recorded in the appropriate period. | CMA solutions can identify invoices posted out of period. |
| 23 | Invoicing, Sales Returns and Adjustments | Credit notes and adjustments to accounts receivable are accurately calculated and recorded. | CMA solutions can monitor access control to credit notes and adjustments to accounts so that only authorized transactions can be performed which reduces errors. |
| 24 | Invoicing, Sales Returns and Adjustments | Credit notes for all goods returned and adjustments to accounts receivable are issued in accordance with organization policy. | CMA solutions can identify credit notes and adjustments with terms that fall outside the scope of authorized credit and adjustments. |
| 25 | Invoicing, Sales Returns and Adjustments | All credit notes relate to a return of goods or other valid adjustments. | CMA solutions can identify credit notes with no goods returned. |
| 26 | Invoicing, Sales Returns and Adjustments | All credit notes issued are recorded. | |
| 27 | Invoicing, Sales Returns and Adjustments | Credit notes issued are recorded in the appropriate period. | |
| 28 | Invoicing, Sales Returns and Adjustments | Accounts Receivable reflects the existing business circumstances and economic conditions in accordance with the accounting policies being used. | |
| 29 | Invoicing, Sales Returns and Adjustments | Sales and Accounts Receivable information is appropriately presented, and all information that is necessary for fair presentation and compliance with professional standards or legal requirements is disclosed. | CMA solutions can identify exceptions to sales and accounts receivable policies as well as ensure proper segregation of duties for access to sales and accounts receivables systems. |
| 30 | Processing Cash Receipts | Cash receipts are recorded in the period in which they are received. | CMA solutions can identify cash receipts posted out of period. |
| 31 | Processing Cash Receipts | Cash receipts data are entered for processing completely and accurately. | CMA solutions can monitor access control to cash receipts so that only authorized transactions can be performed which reduces errors. |
| 32 | Processing Cash Receipts | Cash receipts data are valid and are entered for processing only once. | CMA solutions can identify duplicate cash receipts. |
| 33 | Processing Cash Receipts | Checks are manually logged with customer name, date and amount when received. | |
| 34 | Processing Cash Receipts | Checks are restrictively endorsed immediately upon receipt. | |
| 35 | Processing Cash Receipts | Checks are physically secured until deposited. | |
| 36 | Processing Cash Receipts | Cash discounts are accurately calculated and recorded. | |
| 37 | Processing Cash Receipts | Unapplied cash receipts are reviewed and resolved promptly. | |
| 38 | Managing Accounts Receivable | Timely collection of accounts receivable is monitored. | |
| 39 | Managing Accounts Receivable | All A/R accounts and sub-ledgers are reconciled to the general ledger at least monthly. | |
| 40 | Managing Accounts Receivable | The A/R aging is reviewed at least monthly for past-due accounts and unusual items and these items are followed up on a timely basis. | |
| 41 | Managing Accounts Receivable | Bank reconciliations are prepared and reviewed timely. | |
| 42 | Managing Accounts Receivable | The allowance for doubtful accounts is reviewed and adjusted (if necessary) at least quarterly for potential uncollectible accounts. | |
| 43 | Managing Accounts Receivable | Write-off policies and procedures have been established and adhered to. | |
| 44 | Maintaining Customer Master File | Only valid changes are made to the customer master file. | CMA solutions monitor access and transaction changes to the master file to ensure only appropriate people have access to the file and only appropriate changes are made to the file. |
| 45 | Maintaining Customer Master File | All valid changes to the customer master file are input and processed. | |
| 46 | Maintaining Customer Master File | Changes to the customer master file are accurate and processed timely. | |
| 47 | Maintaining Customer Master File | Customer master file data remains pertinent. | CMA solutions monitor access and transaction changes to the master file to ensure only appropriate people have access to the file and only appropriate changes are made to the file. |

Ability to Automate rating scale: significant opportunities, some opportunity, or little or no opportunity to implement a controls monitoring and audit (CMA) solution.

Section 11 – Treasury Process Controls
Effective controls for managing cash receipts, disbursements and loans are critical to the
integrity of a company’s financial reporting. The following checklist highlights the key areas of
focus that auditors test and indicates where there are opportunities to automate processes
as part of a continuous audit process.

Checklist #11: Treasury Process Controls


# | Business Activity | Point of Focus/Control Objective | Ability to Automate | Description of Automation
1 | Borrowing | Recorded debt represents a valid liability of the organization. | z |
2 | Borrowing | Borrowings are recorded accurately as to amounts and terms. | z |
3 | Borrowing | All borrowings are recorded in the appropriate period. | z |
4 | Borrowing | All interest is accurately calculated and recorded in the appropriate period. | z |
5 | Borrowing | Recorded loan repayments are valid. | z |
6 | Borrowing | Loan repayments are accurately recorded. | z |
7 | Borrowing | All loan repayments are recorded in the appropriate period. | z |
8 | Borrowing | Loans are repaid in accordance with the terms of the loan. | z |
9 | Borrowing | The organization complies with loan covenants. | z |
10 | Managing Cash and Investments | Cash receipts are reconciled to general ledger postings daily. | z |
11 | Managing Cash and Investments | Recorded investments represent assets of the organization. | z |
12 | Managing Cash and Investments | Investment purchases, sales, and maturities are accurately recorded. | z |
13 | Managing Cash and Investments | All investment transactions are recorded in the appropriate period. | z |
14 | Managing Cash and Investments | All investment income is accurately calculated and recorded in the appropriate period. | z |
15 | Managing Cash and Investments | Bank reconciliations are prepared and reviewed in a timely manner. | z |
16 | Managing Derivative Transactions | Senior management has an understanding of the organization's derivative activities. | z |
17 | Managing Derivative Transactions | Recorded derivative transactions represent assets or liabilities of the organization. | z |
18 | Managing Derivative Transactions | Disclosed off-balance sheet derivative transactions represent valid transactions. | z |
19 | Managing Derivative Transactions | Derivative transactions are accurately recorded. | z |
20 | Managing Derivative Transactions | Disclosed off-balance sheet derivative transactions are properly presented. | z |
21 | Managing Derivative Transactions | All derivative transactions are recorded in the financial statements. | z |
22 | Managing Derivative Transactions | All off-balance sheet derivative transactions are disclosed in the financial statements. | z |
23 | Managing Derivative Transactions | Derivative transactions are recorded in the appropriate period. | z |
24 | Managing Derivative Transactions | Off-balance sheet derivative transactions are recorded in the financial statements in the appropriate period. | z |
25 | Managing Derivative Transactions | All investment income on derivative transactions is accurately calculated and recorded in the appropriate period. | z |
26 | Managing Derivative Transactions | All interest expense on derivative transactions is accurately calculated and recorded in the appropriate period. | z |
27 | Cash Accounting | Reconciliations of all cash and investment accounts are performed monthly. | z |
28 | Cash Accounting | Appropriate segregation of duties is established for the input, release and reconciliation of wire transfers and daily cash activity. | z |
29 | Cash Accounting | All bank accounts have been authorized by Corporate treasury. | z |
30 | Cash Accounting | Appropriate procedures are established to ensure signers on bank accounts are properly removed upon termination. | z |
31 | Cash Accounting | Policy has been established which defines appropriate Petty Cash amounts, usage, required approvals and replenishment procedures. | z |
32 | Cash Accounting | Petty cash accounts are reconciled to the general ledger at least monthly. | z |
33 | Cash Accounting | Only miscellaneous items less than a pre-defined amount are paid through petty cash. | z |
34 | Cash Accounting | All payments are supported with appropriate documentation and are reviewed for reasonableness. | z |
35 | Cash Accounting | The cash balances in the petty cash funds are reconciled and reviewed by an independent person monthly. | z |
z = Significant opportunities to implement a controls monitoring and audit (CMA) solution
z = Some opportunity to implement a controls monitoring and audit (CMA) solution
z = Little or no opportunity to implement a controls monitoring and audit (CMA) solution

Section 12 – SOX Checklist

Checklist #12 - SOX Policy Evaluation Checklist

Financial Statement | Financial Statement Element | Area of Significance | Policy

Balance Sheet

Assets

Cash & Cash Equivalents
    Cash receipts
    Bank account reconciliations
    Banking policy and relationships
    Cash disbursements/manual checks
    Check signing requirements
    Outstanding checks
    General cash
    Petty cash
    Deposits

Investments/Foreign Exchange
    Investment responsibility
    Foreign currency translation
    Fair value of financial instruments
    Derivatives policy
    Investments in associated companies
    Functional currency
    Hedging guidelines
    Investment portfolio composition

Accounts Receivable
    General accounts receivable
    Credit memos
    Allowance for doubtful accounts/credit risk
    Credit risk
    Credit balances
    Customer deposits
    Records maintenance
    Invoice billings

Property and Equipment
    AFE's
    Acquisitions and dispositions
    Assets of discontinued operations
    Disposals
    Asset retirement obligations
    Reconciliations
    Physical asset security
    General property and equipment

Inventory

Other Assets
    Inventory accounting
    Physical inventory procedures
    Multi-client library
    Goodwill and intangible assets
    Other long-lived assets
    Other current assets (pre-paid expenses, inventory, spares, deferred costs, advances)
    Software costs
    General other assets

Liabilities

Accounts Payable
    Accounts payable
    Competitive bids
    Request for proposal
    Purchase requisitions
    Purchase orders
    Contracts
    Purchasing procedures
    Vendor selections
    Vendor file maintenance
    Equipment rentals

Other Liabilities
    General
    Accrued expenses (employee benefits, debt restrictions, vessel operations, interest, severance, advances)
    Deferred revenue
    Allowance for bad debts
    Bank overdrafts
    Income taxes
    Accrued employee compensation
    Deferred taxes
    Warranties

Debt
    General
    Long-term debt (Approval, debt issuance cost, accounting for current maturities)
    Subsidiaries with separate debt
    Operating and capital lease obligations
    Short-term debt

Stockholders' Equity
    Capital stock
    Stock transactions

Income Statement

Revenues
    Revenue recognition
    Revenue reporting

Expenses
    Cost of sales
    Third party reimbursable expenses
    Payroll
    Operating income (expense)
    Capitalization
    Depreciation and amortization
    Research and development
    Selling, general and administrative costs
    Travel and entertainment
    Impairment of long-lived assets
    Steaming and mobilization
    Income (loss) from associated companies
    Interest expense/income
    Minority expense
    Results of discontinued operations
    Insurance
    Other expenses
    Fiscal adjustments

General

Financial Management
    Chart of accounts
    Consolidation
    Segment reporting and disclosures
    Reporting packages
    Business combinations
    Period-end financial reporting
    Month-end closing procedures
    Reconciliations
    Inter-company allocations
    Variable interest entities
    Commitments and contingencies
    Related parties
    Disclosures
    Process change control
    Unusual transactions
    Budgeting and forecasts
    Release of financial/confidential information
    Journal entry

Human Resources
    Employment (hiring, promotion) policies
    Employee benefits
    Compensation / Payroll
    Termination
    Performance appraisals
    Executive compensation
    Incentive compensation
    Employee handbook
    Attendance, holidays, vacation, sick leave
    Relocation payments
    Internal transfers
    Family & medical leave
    Americans with Disabilities Act
    Share-based compensation plans
    Fair employment practices
    Orientation and training
    Employment verifications / background check
    Equal opportunity
    Sexual harassment / other harassment
    New employee processing
    Hiring of consultants / contractors
    Personnel files and records

Information Technology
    Information security
    Systems change policy
    Software licensing
    Electronic information (e-mail) systems

Other
    Trade shows
    Workplace rules, safety and health
    Disaster management / business resumption
    Corporate credit cards
    Use of company vehicles
    Magazine subscriptions

Corporate Governance

General
    Record retention, storage and disposal
    Ethics hotline and policy on handling of complaints
    US Antitrust Law Compliance
    Delegation of authority
    Code of Conduct
    Entertainment and gifts
    Insider trading
    Related party transactions
    Conflict of interest
    Foreign corrupt practices act
    Personal loans to directors and executive officers

Board of Directors
    Corporate governance guidelines
    Audit committee charter
    Remuneration committee charter

Internal Audit
    Internal audit charter
    Pre-approval of audit and non-audit services

ABOUT APPROVA
Approva® Corporation is the industry-leading provider of continuous controls monitoring and
audit software. We enable business, finance, IT and audit professionals to automate the on-
demand testing, closed-loop remediation and continuous, exception-based monitoring of
controls within and across their business systems. Using our solutions, customers are able to
significantly increase visibility into their controls, streamline the audit process, cost-effectively
sustain their compliance initiatives and reduce exposure to mistakes, fraud and inefficiencies
for business processes such as procurement, sales and delivery, payroll and financial close.
In addition, our automated solutions act as key preventative and detective controls, further
strengthening our customers’ financial and operational control environments. Global
companies such as Campbell Soup Company, Colgate-Palmolive, the Commonwealth of
Pennsylvania, DirecTV, Discovery Communications, McCormick & Company, P&G, Pratt &
Whitney, Siemens and Wyndham Hotels & Resorts rely on Approva BizRights® Platform and
Enterprise Controls Suite to reduce compliance risk, increase operational efficiency and flag
exceptions to their business controls.

For more information:

• Website: www.approva.net
• Information: info@approva.net
• Sales: sales@approva.net
