Accounting board - Question: SOX issue or compliance - Expenditure approval
a******h
Posts: 908
1
Internal audit case question:
A subsidiary's Purchase Order (PO) approval matrix has the following rules:
1. Managers and above have $75,000 approval authority
2. Any PO above $5,000 needs two approvers' sign-off
We found one PO for $6,000 with only one approver. But I think this finding
is a company compliance issue instead of a SOX issue. What do you think?
My point is that the restriction above $5,000 is the company's own rule; the
company could even require any PO above $5,000 to have FIVE approvers' sign-off,
but you cannot say a $6,000 PO with only 4 sign-offs is a SOX breakdown, right?
This will not change the fact that this $6,000 PO has been reviewed and
approved.
l****z
Posts: 29846
2
Well, I'm working on exactly this right now, so let me share some thoughts.
SOX is internal control, so when you find this issue you can't say that internal
control didn't break down. I think this is related to SOX. Because, as you said,
if the rule requires 5 signatures but you only have 4, broadly speaking internal
control did not work; otherwise why are there only 4? But on your specific case,
it depends on the external auditor. At my previous company the auditors treated
this kind of thing as minor; it could definitely pass and wasn't considered a deficiency.
But the local PwC people at my current company are very strict. In a situation
like yours they would re-test more samples, say 25, and if no other errors are found
they treat it as an isolated case and pass it. I actually don't agree with this
approach either, because it means you cannot make any mistakes. Suppose you test
another 25 and find another small error, what does that prove? Does it prove this
is a control issue? A company has hundreds of thousands or millions of POs a year;
who can guarantee there are no errors?
So in summary, I think it is related to SOX, but if it is only one case, it can be passed.
a******h
Posts: 908
3
Hehe, I was thinking of asking you directly. Thanks!
My thinking is this: a control may cover compliance only (compliance with the
company's internal rules) or both compliance and SOX.
e.g. Company rule is that reconciliations need to be done within 5 business days. One
account rec was done on the 7th business day. I think this is only a compliance
issue. Why? A rec done on the 7th business day does not generate additional risk on the F/S.
Totally agree with you, it is a gray area and needs a lot of judgement. Going
back to my original example: one of the SOX objectives is to evaluate the
design of the control. If the company requires 2 signers, but after we
evaluate this control we may think it is not necessary to have 2 signers,
one signer is sufficient to address the risk of an unauthorized expenditure getting
paid. Then we may NOT consider it a SOX breakdown even if it is a breakdown
of the company's internal policy.
To be honest, I did not think much about the amount of the errors; if it is
not a SOX issue, then no further work needs to be done. If it is, then
follow whatever the external auditor's rule is (do more testing, etc.).

l****z
Posts: 29846
4
I forgot to say earlier: you have to look at whether this thing is a SOX key control.
If it isn't, then of course you don't care, but if it is, then it is definitely
SOX-related. I assumed earlier that this is a key control in your RCM.
Also, about the design you mentioned: if you find that a key control is wrong or
inappropriate you can change it, but you can't say, at the moment you find a problem,
that this control is no good and should be changed, so the problem doesn't count.
That won't work. A few days ago I was discussing with several locations whether to
remove a key control.

a******h
Posts: 908
5
Thanks lczlcz!
It is a key control in the RCM. I agree with your point about the order, if we
evaluate the design first and then perform the detailed testing, but sometimes
the detailed testing and the evaluation of the design happen at the same time. :)
In addition, in my example, the external auditor has not evaluated the design
of the control yet (they kind of rely on internal audit's testing). In
my company, different locations have their own expenditure approval matrix;
not all locations have this additional rule (i.e. needs two approvers if
expenditure is above 5000). -- So I am not sure whether this additional rule
should be considered part of SOX.

c**********1
Posts: 201
11
If it is a key control in the SOX RCM, it should count as an exception, but what
should the exposure be? Zero? After all, this PO was still approved.

v*****y
Posts: 1087
12
Shouldn't your key control state that expenditure approval should follow each
location's delegation of approval? Then you decide whether something is a control
exception based on each location's DOA.