Audit
Programs
Sarbanes-Oxley Center
AuditNet Links
Ask
the Auditor
AuditNet
Library
AuditNet
Newsletter
Audit
Jobs
Partner
Discounts
Search the Site
Sign the Guestbook
Advertise
Our Sponsors
AuditNet Home
Sarbanes-Oxley Center
AuditNet Links
Ask the Auditor
AuditNet Library
AuditNet Newsletter
Audit Jobs
Partner Discounts
Search the Site
Sign the Guestbook
Advertise
Our Sponsors
AuditNet Home
AuditNet® Ask the Policy Guru Forum
Is there an expense authorization policy that help me get compliance with SOX and yet, easily to implement?
I'm not sure if you are referring to travel and expense, purchasing authorization limits or an authorization policy. Each of these would require a different policy statement and scope for the procedure; for example:
Travel and Expense: It is the Company's policy to reimburse employees
for reasonable expenses incurred on company approved business.
At a minimum, the procedure should include detail to identify
- who the company considers employees (e.g., full time regular employees, not consultants),
- what is considered "reasonable expenses" (i.e., with the types of spending that may occur and the upper allowable limits),
- how to define company approved business (e.g., approved ahead of time, for qualified meetings with names of people / subject / outcomes / trip reports)
- controls and areas of responsibility to ensure compliance with internal control, business practices, Sarbanes-Oxley and others as appropriate
A reference manual may be attached to further identify the employee’s responsibility when traveling on behalf of the company, what is / is not included for reimbursement, what to do when emergencies or unexpected situations occur while traveling.
Purchasing authorization: It is the Company's policy to accept
purchase requisitions for purchases which are in identified within the approved
annual operating plan and approved by management according to the spending
limits identified within the procedure.
At a minimum the procedure should
- reference the approved planning process and how to verify that the requested purchasing is aligned with the plan,
- be approved by line management (do you want approval from the budget cost
center manager)
include or reference a spending authorization matrix based on level within the organization and the chain of command - identify when is cross functional approval required (e.g., approval from information technology and finance when purchasing a new computer system)
- provide controls and areas of responsibility to ensure compliance with internal control, business practices, Sarbanes-Oxley and others as appropriate
Authorization policy: It is the Company’s policy to establish and
delegate financial authorization levels to managers and employees for the
purpose of making commitments and disbursements on behalf of the Company. The
policy may go onto to identify that authorization limits must be approved by the
Board of Directors.
The procedure should include:
- reference that all delegation comes from the Board and is approved by the CEO
- procedure to further delegate (i.e., guidance to managers as to when to delegate and how much to delegate)
- what happens if the person who the delegation was assigned to is away from the office
- how to escalate if approval is denied
- what analysis is required for due diligent approval (perhaps different depending on the level and type of spending; e.g., business case, comparative analysis)
- when cross functional or additional approval is required
- controls and areas of responsibility to ensure compliance with internal control, business practices, Sarbanes-Oxley and others as appropriate
Please let me know if this is helpful and contact me at rosehigh@optonline.net for assistance in composing any one of these important policies, procedures.
Can Accounts Receivable Section and Treasury be handled by one person only?
Policies are not like processes where a separation of duties is required.
Policy programs within a company have taken on a new importance and visibility. Typically, the task to organize and manage the Policy program is handled by a program manager. Generally because experience is required to manage this program, the responsibility is given to a Sr. Program Manager or Director.
Like Internal Audit and Compliance, this role reports to a Sr. Executive within the Company; typically the Chief Compliance Officer, Chief Financial Officer, Corporate Controller, or CAO. In today's SOX environment, it is not unusual that the resume for this position be reviewed and approved by the Board of Directors.
This role calls for the coordination and management of individual department / functional policies. Within a department / function; policies may be drafted by one or several employees. Once drafted policies should be reviewed and approved by cross-functional stakeholders (e.g., Legal, IT, HR) and finally by the policy issuer (typically the CFO and CEO).
Vender master maintenance and management is critical in our organization due to the procurement needs. What are the typical area's of this function that should be covered in policy and procedure.
Vendor Master Policies and Procedures are currently in vogue. There is a lot of attention given to this very important topic including and not limited to: strengthening internal controls, SOX compliance and IT processing.
Since you referred to procurement, I'm assuming you are referring to vendor
master data. Some initial thoughts would be to include:
• Policy statement as to who "owns" the vendor master data, the set up and the
maintenance.
• Type of data to be captured. This area is probably governed by the type of
system you have (e.g., SAP) and should list what information is required versus
optional. Other company policies should address vendor Terms and Conditions such
as payments directed to an address or company other than the vendor's main
location.
• Monitoring and reconciling Vendor Master change requests and activity reports
• Authority required to input, change, delete the data.
• Separation of duties between those who have access to the data and those who
may process / change the orders and/or payments.
• Vendor privacy statement
I need help with a disaster recovery plan
There are many sample policies related to Disaster Recovery on the Internet. These policies may relate to Information Technology Disaster Recovery as well as what is also referred to as Business Continuity / Resiliency. I suggest you review and compare some of these with your Company's requirement.
I would like to have an Investigation Reporting Form for my company. We get lots of requests to conduct an investigation on an employee in our company regarding email misuse or leaking of information. To keep a track of all these investigations we would like to make an investigation request form for the same. Can you help me with one?
There are several policies that could refer to the topic you are looking to
expand. They include:
• Corporate Security policy where a procedure for internal investigations
• Email Policy
• Internet access and use
• Information classification and use
• Insider trading
These policies could be more Information Technology or Human Resources centered, depending on the emphasis and scope. There are sample policies available on the Internet you can use as a guide.
Could you provide information on Dealers 'Code Of Conduct?
Typically there are about a dozen or more Treasury related policies depending on the type of Company. I'm not sure if by "Dealers" you mean: stock brokers, insurance, real estate, and commodity. The Treasury function would be very different depending on the industry. There may also be external regulatory requirements depending on the industry and countries where you conduct business.
As the
best practice, should policy and procedure be written separately or just
combined both into one document?
The answer will depend on the type of policy program your Company chooses to implement and the other types of documentation that is available. Personally, I like to see a simple policy statement and a high level description of the procedure. Additional procedural information should be referenced or reside within the department(s) that perform the actual tasks. Refer to the samples on AuditNet to see what I mean.
Policies are different from procedures and in most complex companies, the Company's policy and procedure program is centrally organized. In smaller or less complex companies, it may be handled by someone within the department.
A Company's complexity has do with the type of industry (as to impact from external regulations, levels of management (with more levels requiring clarity of roles and responsibilities), product and service mix (depending on the volume and scope of these Customer offerings), employee mix (union workers, contract / temporary / part time, full time regular, remote office).
When starting a policy program, the Company should determine the hierarchy of the various communication and correspondence. For example, a Company may determine the following hierarchy for internally prepared documents: Policy statement may be the highest level, then procedures, then quarterly instruction letters, job descriptions, work instructions. And the Company may have a different hierarchy for externally focused documents.
Policy programs within a company have taken on a new importance and visibility. Typically, the task to organize and manage the Policy program is handled by a program manager. Generally because experience is required to manage this program, the responsibility is given to a Sr. Program Manager or Director.
Like Internal Audit and Compliance, this role reports to a Sr. Executive within the Company; typically the Chief Compliance Officer, Chief Financial Officer, Corporate Controller, or CAO. In today's SOX environment, it is not unusual that the resume for this position be reviewed and approved by the Board of Directors.
This role calls for the coordination and management of individual department / functional policies. Within a department / function; policies may be drafted by one or several employees. Once drafted policies should be reviewed and approved by cross functional stakeholders (e.g., Legal, IT, HR) and finally by the policy issuer (typically the CFO and CEO).
Are there any data analysis document policies and procedures?
There are several ways to include data analysis within polices and procedures: One way is to include the type of data and the type of analysis within specific policies: eg. DSO within A/R. The other option is to have a Company policy that indicates the formula and calculation for company approved data analysis. This approach is often included within a series of policies addressing the Company's financial planning and analysis department.
Do you have any policy's that are distributed to 3rd party vendor or sub contractors detailing fraud and kick back policy? IE we don't do business this way, if you are asked for kick backs contact us at the following address.
Thank you for your interesting and topically current question. There is a lot of focus and attention paid to this area; especially if you are dealing between the U.S. and non-U.S. subsidiaries, Customers or Vendors.
Thanks for taking on this project. With all the new policies being implemented for SOX compliance, this must be the rising Golden Age of the Policy and Procedure Manual!
I'm on the lookout for Data and Document Retention Policies. Seen any good ones lately?
Yes, there are many resources for very good Records Information Management and Document Control policies to use as a guide in creating your own.
AIIM is the association for Records Managers and their online magazine can be accessed at the following web-address http://www.edocmagazine.com/vault_articles.asp?ID=24999
NARA is another good source of information
http://www.archives.gov/records_management/policy_and_guidance/policy_and_guidance.html
Some of the following criteria will impact the depth and scope of the policy
you will want to create / adopt. It depends on
a) whether or not there is an existing program with related procedures /
instructions,
b) the processes that predominate your Company e.g., Sales vs. Manufacturing,
Lawyer, Consultants, eCommerce, Non-Profit
c) the type of industry you are in
d) the countries where you conduct business
e) the degree of implementation for an enterprise-wide IT system
I have a generic policy and detailed procedure that may be of assistance. I'd also be happy to help you construct something specific for your Company. However, I'd need to have additional, more specific information.
What are the meaning of 1st, 2nd, 3rd and 4th level controls in the banking system?
I'm not sure where you are writing from, but each country would have
different regulations. For the U.S. one website to begin the research would be
the following.
http://www.federalreserve.gov/regulations/
Can you please tell me what acts and legislations are relevant to accountants?
I would first encourage you to use your own research skills to answer your question. This would include using a discussion list to tap the combined knowledge of other peers.
You can start by referring to the following websites:
FASB Financial Accounting Standards Board
AICPA
SEC Security and Exchange Commission
I am looking for Procure to Pay policies for a retail furniture chain with an e-commerce aspect. Negotiation of Vendor Contracts, Procure & Generate Orders, Maintaing Master Files, Receiving, etc.
Procure to Pay covers a broad range of Policy related topics. Could you be more specific about what you are looking for? I think there is a Purchasing and an Accounts Payable policy within the Exchange list.
Company policy Statement on Sarbanes-Oxley to include: things such as process owners' responsibilities, level of documentation for various control activities by risk classifications, etc.
Sarbanes' related policies must coincide with the Company's Internal Audit / Internal Control policy. The policy, the related roles and responsibilities, the timeline and the types of evidence will depend on how the Company has organized the S-O initiative and controls activity.
If your Company is typical, last year, consultants and outside auditors played the larger role that on a go-forward basis should be assumed in-house. I'd suggest beginning with how this process will unfold in the future.
Do you have any Systems Development Life Cycle Methodology/Policy document to share? A template would be sufficient
Try COBIT to see what structures they might have on the topic.
Otherwise, if you can summarize the process in about a dozen steps, I'd be happy to figure out something with you.
My company controls cash and investments for a high net worth family. We are looking for a source for internal control policies related to trades, investment management and cash management
This can be a complex area. I have policies and procedures related to trades, investment and cash management. If you send me some contact information (offline) I'd be happy to discuss the scope and course of action with you.
Information Risk Management policy
Tell me a little more about the scope of what you are calling Information Risk Management. Are you referring to Information Technology security issues, or Records Management, document control or information relating to Risk assessments, insurance or disaster recovery? As you can see, there could be many interpretations to this title. Can you be more specific?
I am looking for guidelines to develop a business continuity plan for a bank
It is a wonderful topic and deserves a policy and procedure. In order to build our library we'd like you to submit a policy as an exchange for one posted. Look for contributions to this site on this topic.
I am new to this and would like your help if possible. I would like to have a sample copy of any type of SOX procedures & policy.
There is nothing special about SOX policies versus other policies. Generally when people refer to a SOX compliant policy they mean that there are additional details relating to internal control procedures or measurements. All good policies should contain a section on internal controls.
You are in the correct place to view good policies. The policies within AuditNet and the related website links are appropriate examples of SOX policies.
I am in the process of writing from scratch a policies and procedures
manual.
Does any one know or could suggest where I can purchase an off the shelf manual
that I can conform to my specific company. My company is a securities
broker/dealer. Additionally, I am looking for any existing books, websites or
publications relating to writing/updating/maintaining policies and procedures
manuals.
Over the years, I have found many good Internet sources for individual policies and procedures. You could locate samples by searching on key words and adding "policy" or "procedure". The policies you will find are generally poorly written (either too much detail, not really policy statements, or describe broken processes).
There are companies that offer off-the-shelf solutions such as Bizmanuals http://www.bizmanualz.com/index.html?link=nav However, I haven't found companies that offer industry specific manuals. Other websites or book dealers that may have your subject material would be John Wiley and Sons and of course the sites listed within the policy and procedure (APPLE) page of AuditNet. .
Like you, several years ago, I was given the task of creating a policy and procedure program for a large multinational retail company. I found out researching, developing and gaining internal approval for the issuance of policies and procedures is both an art and a science. Since then I have developed policies and procedures and implemented programs in other companies.
I have developed many (over 100) policies and procedures that have passed the scrutiny of the executive approval process, SOX assessment and audit readiness. However, my manual is more generic and not aimed at the brokerage industry.
From scratch, you'll need to determine the scope of the manual - the entire company or just the brokerage division - that is will you be including such functional areas as: real estate, human resources, legal, and information technology?
Will this be an ongoing program or just a one shot project to develop and issue the policies?
I now make a business of assessing existing Policies and Procedures or am available to assist in the research and development of Policies and Procedures. To find out more about your needs, I'll call you.
I enjoy learning more about audit procedures and would like to know more about systems auditing and flowcharts.
The topic you are asking about is very broad. The best one stop resource I know of is the Information Systems Audit and Control Association
They offer something called Control Objectives for Information and Related Technology COBIT. COBIT has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners.
Within this site you will find many interesting articles, courses and related learning activities. There is a section that is specifically related to Auditing and you will see many IT related policies and procedures.
There are many interesting search words you can use to locate information via
the
Internet, but I'd strongly recommend beginning with this reputable site.
The Ask the Policy Guru forum answers highlight general information on a particular matter and are not exhaustive reviews of such subjects. Accordingly, the information in this website is not intended to constitute legal, accounting, tax, investment, consulting, or other professional advice or services. Before making any decision or taking any action which might affect your organization you should consult a qualified professional advisor.
