
Checklist for SOX (Ernst and Young)

  1. How are off-balance-sheet transactions and commitments tracked and reported?
  2. Are payments to the external auditing firm monitored through the transactional flags on purchase orders, check requests, or other means within the system?
  3. Are rolling forecasts deployed throughout the business (business unit, product line, functional levels)?
  4. How many tools are used in the forecasting process? The budgeting process?
  5. Do the reporting systems trace back to the general ledgers?
  6. Is cash flow from operations and generally-accepted-accounting-principles (GAAP) cash flow automatically calculated?
  7. Are key measures (drivers of financial results) delivered to operational managers' desktops daily, weekly, monthly?
  8. Are tax reporting systems integrated with the company's consolidation system?
  9. Are consolidation and reporting activities performed on spreadsheets?
  10. Do transactional reporting systems have agent-based alerts?
  11. How are manual entries identified and approved?
  12. How much time is spent compiling data and the financial statements versus analyzing the data?
  13. How many top-level adjustments are made in the consolidation process?
  14. Are reporting activities performed on spreadsheets?
  15. How often is control documentation updated for new changes to the internal controls (transactional and financial statement)?
  16. Are controls in place to ensure that any off-balance-sheet items are properly approved?
  17. Do reporting systems flag reserves and other estimated accounts?
  18. Have the systems been updated to identify new responsibilities under the Sarbanes-Oxley Act?
  19. Are earnings forecasts tied to predictive models?
  20. Do you forecast your business on cash flow drivers?
  21. Are variances between the forecast and actual results reviewed and causes identified?
  22. How long is the process to develop forecasts? Budgets?
  23. Is there a significant difference between financial statements depending on timing, function, or system?
  24. Are standard charts of accounts used across the company?
  25. How long does it take the company to get the results of operations?
  26. What procedures are in place by the company to detect and prevent fraud?
  27. Has the company identified high risk areas where fraud may occur and developed controls to prevent this from occurring?
  28. Are the following categories of non-financial drivers measured: Leadership, communication, brand equity, reputation, networks/alliances, technology, human capital, culture, innovation, intellectual capital, or adaptability?
  29. Do sales systems flag quarter-end sales volumes over selected limits?
  30. How long does it take to develop ad hoc reports?
  31. Do you model the sensitivity of your off-balance-sheet commitments (swap agreements, foreign exchange risk, purchase commitments, etc.)? How often?
  32. Does the company have the ability to determine the profitability by using "what if" scenarios?
  33. Have financial models been created for all high-risk operations, programs, etc.?
  34. How long does it take to create the management package?
  35. Does each operating unit have a financial model for the key drivers of its business?
  36. Are documents backed up periodically to ensure significant reports and information are maintained?
  37. Does the company have a retention policy for electronic information?
  38. Are internal control reviews incorporated into all new system implementations (financial and non-financial)?
  39. How often do you back up your data?
  40. What controls are in place over record retention to avoid tampering with the data?
  41. What best describes your IT capabilities related to financial transaction processing in your company?
  42. How many control weaknesses/changes have there been to the financial statement controls (including in the authorization of transactions, safeguarding assets, maintaining records and over the reconciliation process) in the past year?
  43. How many different systems are involved in the financial statement development process?
  44. Are IRS and other data retention requirements being met?
  45. Is your starting point for your tax return GAAP-audited financial statements?
  46. Are there flags in place to alert key resources of specific transactions taking place in the company?
  47. Does the company review its transactions for unusual entries?
  48. What controls are in place to detect wire/mail?
Compiled by Ernst and Young.

