pre-year 1 sox roadmap - audit report

Upload: siddeshsl-1

Post on 01-Jun-2018


  • 8/9/2019 Pre-Year 1 SOX Roadmap - Audit Report

    1/33

    Pre-Year 1 SOX Roadmap

    Observations and Recommendations for Remediation

    (insert date)

    2/33

    Table of Contents

    Project Background 2

    Summary of Observations 3

    Prioritization Heat Map 5

    Observations & Recommendations 8

    3/33

    Project Background

    In October,

    4/33

    Summary of Business Process Observations

    The chart below depicts the observations made by process and categorized into eight different groups.

    [Chart legend, truncated in the extracted text: "Categories: The Risk Observation is related to ..."; the chart itself is not recoverable.]

    5/33

    Summary of IT General Control Observations

    The chart below categorizes the IT General Control observations made by in-scope application.

    Applications:

    System 1: Used to manage security and access across Intranet and network drives.

    System 2: Payroll and payroll processing software (hosted).

    System 3: Integration software used to transfer contract and billing information between System A, Salesforce.com, and CC/S (hosted).

    System 4: Employee expense management software (hosted).

    System 5: Purchase requisition software (currently, purchase orders are manually entered in System A after being approved in System C) (hosted).

    System 6: Stock and equity plan software (hosted).

    System 7: General Ledger and financial application.

    System 8: Customer Relationship Management software used to enter customer contracts (hosted).

    System 9: [description missing in source]

    6/33

    Issue Prioritization Heat Map - Business Process (items 1-20)

    [Chart: items 1 through 20, each labelled "(insert process)" in this template, plotted on a Risk Level (High / Medium / Low) by Timing (Short Term / Medium Term / Long Term) grid, with a legend distinguishing Operational from SOX items. The plotted positions are not recoverable from the extracted text.]

    7/33

    Issue Prioritization Heat Map - Business Process (items 21-38)

    [Chart: items 21 through 38, each labelled "(insert process)" in this template, plotted on the same Risk Level (High / Medium / Low) by Timing (Short Term / Medium Term / Long Term) grid, with an Operational / SOX legend. The plotted positions are not recoverable from the extracted text.]

    8/33

    Issue Prioritization Heat Map - IT (items 1-13)

    [Chart: IT items 1 through 13, each labelled "(insert process)" in this template, plotted on a Risk Level (High / Medium / Low) by Timing (Short Term / Medium Term / Long Term) grid, with an Operational / SOX legend. The plotted positions are not recoverable from the extracted text.]

    9/33

    Observations and Recommendations: SOX

    10/33

    Observations and Recommendations - Business Process

    Columns: Item, Observation Title, Current State, Risk & Impact, Observation Description, Owner & Due Date (the Owner & Due Date column is blank in the source)

    1. Independent Review of Payroll Master File Changes

    Current State: Employee changes that are made to the HR Master File are logged on the Payroll Notes spreadsheet by HR and forwarded to the Accounting Director for review. A report of all changes made to the Payroll Master File is not generated. Employee changes in the Payroll Notes spreadsheet are not reviewed against source documentation by the Accounting Director. The complete population of changes made within the HR Master File is not independently reviewed (i.e. by the Accounting Director).

    Risk & Impact: Independent review of employee changes may not capture all changes made nor the appropriate authorizations.

    Recommendation: The Company should institute a process that pulls a report of all relevant changes to be reviewed from the Payroll Master File. Changes should be matched to source documentation to confirm accuracy by an individual independent of the HR Master File or Payroll Master File update process (i.e. Accounting Director).

    2. Independent Review of Delivery Submissions

    Current State: Professional service fees and other products related to the event may not be submitted for delivery or are submitted at the wrong price. Additionally, professional service fees and other products may be submitted for delivery without an associated event. The billing reconciliation performed by the Revenue and Billing Department is only able to marry the base event delivery and not the associated professional service fees and other products provided to the customer. Full service test events or demos executed by customers are not always flagged by Professional Services during delivery submissions, and are billed and revenue is recognized. Fees manually entered may be incorrect and not adjusted prior to invoicing.

    Risk & Impact: Professional service fees and other products may not be billed to the customer and revenue is not recognized. Pricing for professional service fees and other products may be inaccurate for billing and revenue recognition. Customers are erroneously billed for test events and demos. Revenue is recognized for a non-event.

    Recommendation: Management should implement a process of reviewing events and services (i.e. professional service fees, production, engineering) provided to customers against events and services submitted for billing, and to reflect proper pricing in approved customer contracts. Further, the review should include a validation of test events to confirm that the test events that have occurred are flagged as non-billable during the billing submissions process.

    11/33

    Observations and Recommendations - Business Process

    Columns: Item, Observation Title, Current State, Risk & Impact, Observation Description, Owner & Due Date

    3. Segregation of Duties - Credit Memos

    Current State: Invoices are manually generated in System A based on the content in the Billing Submissions Report from System B. Credit Memos are manually approved (not via system workflow), then entered into System A by the Billing Specialist. There is no independent review process for invoices (posted or un-posted) or Credit Memos in System A, which may be left un-posted. Invoices and Credit Memos can be prepared and posted by the same Billing Specialist in System A.

    Risk & Impact: Invoices or Credit Memos may be entered incorrectly or left unposted. The Credit Memo process can be circumvented, as Billing Specialists may make changes to invoices before they are posted without visibility from the Manager, Billing and Collections.

    Recommendation: Management should designate personnel (Manager, Billing and Collections) to review and post credit memos upon review of the un-posted Credit Memo against evidence of email approval. Further, to confirm that there is sufficient Segregation of Duties, access to generate Credit Memos should be removed from the Manager, Billing and Collections.

    4. Segregation of Duties - P2P

    Current State: Segregation of Duties - Access to:

    - Enter / Edit vendors: PRAP and AP Spec
    - Generate and Enter PO: PRAP and AP Spec
    - Enter invoices: PRAP and AP Spec
    - Custody of Checks: PRAP
    - Print Checks: PRAP
    - Mail Checks: PRAP
    - Reconcile AP: PRAP

    The only segregation in the process is check signing authority; however, forgery may occur and go undetected since there is no independent party reviewing the printed check register against all signed checks.

    Risk & Impact: Segregation of duties does not exist.

    Recommendation: The company should consider segregating some duties within the P2P process. Items for consideration may include: independent review of a vendor change report from System A, independent review of signed checks against the printed check register, or reassignment of vendor master maintenance duties to an individual outside AP.
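As an added illustration of the P2P access matrix in item 4 (this is example code, not part of the original report): the duties and role assignments listed above are checked against a conflict matrix, then re-checked after the report's suggested remediation of moving vendor master maintenance outside AP. The conflict pairs, the duty keys and the "Controller" role used in the remediation run are assumptions for this example.

```python
from itertools import combinations

# Role-to-duty access exactly as listed in item 4 (PRAP is the role name
# used in the report; "AP Spec" is the AP Specialist).
P2P_ACCESS = {
    "enter_edit_vendors": {"PRAP", "AP Spec"},
    "generate_enter_po": {"PRAP", "AP Spec"},
    "enter_invoices": {"PRAP", "AP Spec"},
    "custody_of_checks": {"PRAP"},
    "print_checks": {"PRAP"},
    "mail_checks": {"PRAP"},
    "reconcile_ap": {"PRAP"},
}

# Incompatible duty pairs (an assumption for this example; the report prints
# no conflict matrix). Each pair joins two of: authorising (vendor / PO),
# recording (invoice entry, AP reconciliation) and custody (checks).
CONFLICTS = {
    frozenset({"enter_edit_vendors", "enter_invoices"}),
    frozenset({"enter_edit_vendors", "print_checks"}),
    frozenset({"generate_enter_po", "enter_invoices"}),
    frozenset({"enter_invoices", "custody_of_checks"}),
    frozenset({"enter_invoices", "print_checks"}),
    frozenset({"custody_of_checks", "reconcile_ap"}),
    frozenset({"print_checks", "reconcile_ap"}),
    frozenset({"mail_checks", "reconcile_ap"}),
}


def duties_by_role(access):
    """Invert duty -> roles into role -> set of duties."""
    roles = {}
    for duty, holders in access.items():
        for role in holders:
            roles.setdefault(role, set()).add(duty)
    return roles


def find_conflicts(access, conflicts=CONFLICTS):
    """Return {role: [(duty_a, duty_b), ...]} for every role that holds both
    sides of an incompatible pair; roles with no conflict are omitted."""
    result = {}
    for role, duties in duties_by_role(access).items():
        pairs = sorted(
            tuple(sorted(pair))
            for pair in combinations(duties, 2)
            if frozenset(pair) in conflicts
        )
        if pairs:
            result[role] = pairs
    return result


def remediate(access, duty, new_holders):
    """Copy the matrix with one duty reassigned, e.g. the report's suggestion
    to move vendor master maintenance to someone outside AP."""
    updated = {d: set(h) for d, h in access.items()}
    updated[duty] = set(new_holders)
    return updated


if __name__ == "__main__":
    for label, matrix in (
        ("as observed", P2P_ACCESS),
        # "Controller" is a hypothetical role outside AP.
        ("vendor maintenance moved outside AP",
         remediate(P2P_ACCESS, "enter_edit_vendors", {"Controller"})),
    ):
        print(label)
        for role, pairs in find_conflicts(matrix).items():
            print(f"  {role}: {len(pairs)} conflicting pair(s)")
            for a, b in pairs:
                print(f"    {a} <-> {b}")
```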

    12/33

    Observations and Recommendations - Business Process (Cont'd)

    Columns: Item, Observation Title, Current State, Risk & Impact, Observation Description, Owner & Due Date

    5. Independent Review of Pre-bill Contracts

    Current State: The Billing Department pulls a query of new pre-billed contracts and work orders from System B in order to generate invoices for pre-bill items. Pre-bill contracts and / or work orders are not always flagged as pre-bill in System B (this is a manual step that needs to be completed) and thus would not be reflected in the System B billing query. There is a pre-bill check box field in System B that is not currently being utilized. As such, pre-bill contracts and / or work orders are identified in the billing terms drop down menu in the System B record as 50-100% pay up front.

    Risk & Impact: Customers are not invoiced timely and accurately. Deferred revenue is not complete.

    Recommendation: In addition to enabling the pre-bill check box within System B to identify pre-bill contracts separate from the billing terms drop down menu, the Company should also establish a standard review process to confirm that, for new contracts and work orders, proper identification of pre-bill items is reflected in System B.

    6. Independent Periodic Review of System C and System A Vendor Master Access

    Current State: System A and System C access is not reviewed on a periodic basis to verify that access to add and edit vendors is appropriately restricted.

    Risk & Impact: Inappropriate access to add or edit vendor information may increase the risk of fraud.

    Recommendation: Periodically (or at least annually), the Company should review access to the Vendor Master File in System A and System C to confirm that access is appropriately restricted to authorized individuals based on business need and employee role. The review should be formally evidenced via sign off on the system generated screenshot of permissions.

    7. System C to System A PO Reconciliation

    Current State: The System C PR / PO system is not integrated with System A. PRs are generated, approved, converted to PO, and sent to vendors through System C. POs are also manually entered into System A by the AP specialist. These POs are typically entered into System A simultaneously with the invoice. System C and System A are not integrated and there is no validation of completeness, accuracy, or timeliness of entry into System A.

    Risk & Impact: Purchase commitments may not be identified and recorded in the GL at period-end.

    Recommendation: Monthly, the Corporate Controller or Accounting Director should reconcile a listing of POs that were converted from PRs in System C to a listing of POs that were manually entered in System A to confirm completeness. This review should also address Blanket POs.

    13/33

    Observations and Recommendations - Business Process

    Columns: Item, Observation Title, Current State, Risk & Impact, Observation Description, Owner & Due Date

    8. Three-way Match

    Current State: There is no formal three-way match process in place to confirm that materials or goods received are compared to invoices and the original PO.

    Risk & Impact: Lack of a three-way match for materials or goods purchased places heavy reliance on department VPs to validate that invoices support physical receipts. Invoices may be paid for goods not received.

    Recommendation: The company should implement a control whereby the AP Specialist performs a three-way match between the invoice, PO, and receiving document (packing slip, bill of lading, etc.) to confirm that all goods were received. These forms should be submitted to and retained by AP in the Vendor files for paid invoices.

    9. Segregation of Duties - HR Systems

    Current State: The Senior Director, HR has write access to both the HR Master File and Payroll Master File modules (Employee Master File and Payroll Master File, respectively). System access is not appropriately segregated to prevent unauthorized system changes to payroll and HR master files.

    Risk & Impact: Lack of proper Segregation of Duties. Inappropriate changes may be made to HR (both HR Master File and Payroll Master File) systems and go undetected.

    Recommendation: The Senior Director of HR should have "read only" access to the Payroll Master File module. Permissions to edit should not be allowed for both HR and Payroll systems.

    10. Independent Review of Bonus Calculations

    Current State: Employee bonus payouts are not reviewed against source documentation in the review of the Payroll Preview Report by the Accounting Director.

    Risk & Impact: Bonus payments may be inaccurate or unapproved.

    Recommendation: The Accounting Director should perform an independent review of bonus approvals / calculations against source documentation prior to payment.

    11. Independent Review of System D SAS 70

    Current State: Currently, there is no process or designated reviewer to review the System D SAS 70 report and associated User Control Considerations. The SAS 70 (and forthcoming SSAE 16) reports the system of internal controls for external service providers and the controls required to be in place at companies using their services.

    Risk & Impact: Payroll and payroll-related data are not calculated or processed accurately. Sufficient controls may not be in place within [text cut off in source]

    14/33

    Observations and Recommendations - Business Process

    Columns: Item, Observation Title, Current State, Risk & Impact, Observation Description, Owner & Due Date

    12. Segregation of Duties - Custody and Recording of Check Deposits

    Current State: Checks are received at Corporate HQ by the front desk, then forwarded to the Collections Specialist, without being entered into a log. The Collections Specialist has responsibility for applying cash and preparing bank deposits. Segregation of duties does not exist between preparation of deposits for check receipts at Corporate HQ and cash application.

    Risk & Impact: Lack of proper Segregation of Duties. Potential for misappropriation of cash.

    Recommendation: Management should implement a process that specifies that the individual responsible for receiving check remittances at Corporate should log check numbers, amounts, and other pertinent detail onto a check receipt log. In the event that the responsibility for preparing deposits and applying cash cannot be segregated, the check receipt log should be reconciled against the bank deposit by an independent individual (Accounting Director). However, the responsibility for preparing deposits and applying cash should be segregated.

    13. Budget to Actual Process Development

    Current State: On a monthly basis, the FP&A Team performs a Budget vs. Actual analysis on expenses by major item at the GL department level and reviews variances depending upon the nature of the account and / or unexpected fluctuations. There is no established review of budget vs. actual thresholds or documentation of significant variances.

    Risk & Impact: Lack of an established methodology around review and documentation of significant variances may hinder continuous monitoring of department budgets.

    Note: Unless a well documented budget process is in place documenting the major assumptions Management considered in developing the budget, as well as the rationale for the review of variances above an established threshold, Management should consider actual to actual variance analyses on a period basis.

    Recommendation: Management should document the course of discussions related to the establishment of the 2012 budget. Those assumptions should be memorialized with the goal of substantiating the rationale behind assumptions and potential impacts. The process should also establish variance thresholds on an account level basis to prompt the follow up and resolution of identified variances. This can be performed on either / or % variance or dollar variance.

    14. Independent Periodic Access Review - Finance Folder

    Current State: Access to the finance fixed asset spreadsheet is not appropriately restricted on the Finance shared drive.

    Risk & Impact: Inaccurate recording of fixed assets may lead to a misstatement in the financial statements and potentially increase the risk of fraud by concealing theft.

    15/33

    Observations and Recommendations - Business Process

    Columns: Item, Observation Title, Current State, Risk & Impact, Observation Description, Owner & Due Date

    15. Segregation of Duties - System A System Administrator

    Current State: The Accounting Director is the administrator who grants and removes System A access rights for new hires and terminations, as well as modifying access for current employees. Please see IT Issue 3.

    Risk & Impact: Lack of proper Segregation of Duties. The Accounting Director, also a System A user, serves as the system administrator.

    Recommendation: Management should designate a system administrator to assign and monitor access to System A who is independent of the user group.

    Note: The Accounting Director should stay deeply involved in determining the access privileges to be granted, but should be independent of system access changes.

    16. Independent Periodic Access Review - System A

    Current State: There is no periodic review of access to verify that finance users have proper access based on their current job functions.

    Risk & Impact: Access to System A modules may not be properly restricted.

    Recommendation: Management should establish a formal process to review system access on a periodic basis. In addition to the standard User Access Review to confirm that no terminated users still have access privileges, this review should confirm that privileges for valid users are reasonable for their job duties. Deficiencies related to system access and Segregation of Duties are typically identified in situations where employees change job roles and require new access, but previous access to menus is not reviewed or restricted.

    17. Formalization of PAN Approval

    Current State: Personnel Action Notices (PANs) are used to validate data entry into the HR Master File but are not utilized to document approval for new hires, salary changes, terminations / severances, and bonuses. Verbal and email approval is often obtained in lieu of PAN approval.

    Risk & Impact: Support for new hires (pay, bonus, etc.) may not be formally evidenced.

    Recommendation: Identify management designates for approval of PANs in order to reduce the burden of executive involvement in day to day HR processing. Confirm that appropriate parties formally approve PANs prior to actions taking place.

    18. Segregation of Duties - System A Journal Entry Access

    Current State: Members of the Finance Group have access in System A to both prepare and post their own journal entries. No independent review of journal entries takes place for entries prepared and posted by the same individual to confirm accuracy.

    Risk & Impact: Lack of proper Segregation of Duties. Unauthorized journal entries could be posted without visibility by the Accounting Director.

    Note: Such entries may be captured in monthly P&L flux analyses of unusual fluctuations in account activity.

    Recommendation: Management should modify current application controls to restrict the ability of the same individual to prepare and post their own journal entry in System A.

    16/33

    Observations and Recommendations - Business Process (Cont'd)

    Columns: Item, Observation Title, Current State, Risk & Impact, Observation Description, Owner & Due Date

    19. Management Review of Third Party Tax Services

    Current State: Evidence of review and approval of tax memos, provisions, journal entries, tax returns, and pertinent tax documents is not consistently documented or retained.

    Risk & Impact: The Company may be unable to demonstrate its internal review of relevant tax activities and may appear overly reliant on outside specialists.

    17/33

    Observations and Recommendations - IT

    Columns: Item, Sub-Process, Application, Current State, Observation Description, Owner & Due Date (the Owner & Due Date column is blank in the source)

    1. User Access Provisioning Approval

    Application: (insert system)

    Current State: Requests and approvals for access are not formally maintained in a tracking system for System A and System C. Rather, approval evidence is maintained via emails. Boomi, Salesforce.com, and CC/S accounts are created based on notification from HR. However, there is no process to formally document such account creation requests (i.e. helpdesk system). There is no document or matrix listing the roles to be granted based on job function or department. Rather, the Salesforce.com administrators grant access based on their own knowledge.

    Recommendation: Management should consider using the existing helpdesk ticketing system (OTRS) to document the action performed when receiving requests to modify existing user accounts. Management should consider performing a review and documenting the roles in Salesforce.com and what roles should be given to users based on their job function. Management should consider implementing a formal process to grant access to System F. This process should be centralized and documented (e.g., request and approval). In addition, Management should consider creating a document listing the roles that should be assigned to a user based on job function to ensure that only appropriate roles are granted to users.

    18/33

    Observations and Recommendations - IT

    Columns: Item, Sub-Process, Application, Current State, Observation Description, Owner & Due Date

    2. User Access De-Provisioning

    Application: (insert system)

    Current State: There is no formalized process to disable/remove user accounts in System A and System C upon termination, as the Accounting Director is not on the HR termination notification distribution list. The disabling/terminating of System A access upon termination is performed on an ad-hoc / word-of-mouth basis. Boomi and Salesforce.com accounts are disabled based on notification from HR. However, there is no process to formally document such account requests (i.e. helpdesk system).

    Recommendation: Management should consider moving the responsibility of user account administration in System A and System C from Accounting to IT. By having IT maintain user accounts, the existing formal process can be modified to include the disabling of user accounts in System A in conjunction with Active Directory access upon termination notification. Management should consider implementing a formal process to document and retain termination requests (i.e. helpdesk system).

    3. Administrative Access

    Application: (insert system)

    Current State: Administrative access to System C and System A is restricted to the Accounting Director, which may result in segregation of duties conflicts as the Accounting Director is also the end-user of the application. Administrative access to Salesforce.com is granted to users who do not perform account administration activities.

    Note: Administrative access to System A is also restricted to the Accounting Director and should be transitioned to IT (see slide 14, item 15). This issue is called out separately as administrative access to in scope applications is a re[text cut off in source]

    19/33

    Observations and Recommendations - IT

    Columns: Item, Sub-Process, Application, Current State, Observation Description, Owner & Due Date

    4. Segregation of Duties

    Application: (insert system)

    Current State: The Development team lead, Homer Santos, both develops and migrates code to production. Noted that although Oleg Massakovksi, a non-developer, migrates changes to production, individuals on the Engineering team develop and also have the ability to migrate code to the production environment (i.e. [?]amal Ghosh; first initial unreadable in source).

    Recommendation: Management should consider segregating developers from having the ability to migrate code to production and/or implementing a review process by which Management reviews a sample of changes made to the production environment on a periodic basis to ensure only authorized changes were migrated.

    5. Password Rules

    Application: (insert system)

    Current State: System A and Boomi are currently not configured to enforce any password requirements. Currently the only password rule enforced in Salesforce.com is a minimum password length of 5 characters.

    Recommendation: Management should consider enabling password requirement settings in System A to minimize the risk of unauthorized users correctly guessing passwords and logging into System A. Management should consider enforcing password rules in Boomi and Salesforce.com.

    20/33

    Observations and Recommendations - IT

    Columns: Item, Sub-Process, Application, Current State, Observation Description, Owner & Due Date

    6. Change Approval

    Application: (insert system)

    Current State: Requests for changes are not formally documented to provide evidence of review and approval by the Accounting Director.

    Recommendation: Management should consider implementing a formal, documented change management process whereby approvals are documented before a change is moved to the production environment. Typically, a helpdesk solution is deployed at customers to document such a process.

    7. Access Review

    Application: (insert system)

    Current State: There is currently no process to perform access reviews for missed terminations on a regular basis (i.e. quarterly). There is currently no process to perform access reviews to validate the appropriateness of users' access based on job function on a regular basis (i.e. semi-annual).

    Recommendation: Management should consider implementing a formal process to review user access for missed terminations on a regular basis (i.e. quarterly) to ensure no terminated employees or contractors have active access to in-scope applications. Management should consider implementing a formal process to review access rights assigned to accounts to ensure no employees or contractors have inappropriate access per their job functions. The review can be executed by extracting a list of user accounts, including assigned roles, and sending them to the appropriate individuals for review (e.g., department heads or direct reports).
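The two reviews recommended in IT item 7 (and the de-provisioning gap in IT item 2), as added example code that is not part of the original report: a quarterly join of the HR termination list against the extracted account lists to find missed terminations, and a semi-annual grouping of accounts and roles into review packets per department head. All employee ids, user names, roles and dates are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real people, accounts or systems).
AS_OF = date(2011, 12, 31)   # review date (constructed)

# HR termination notification list: employee id -> termination date.
HR_TERMINATIONS = {"E1002": date(2011, 9, 30), "E1007": date(2011, 11, 15)}

# HR master: employee id -> name and department (the department head reviews).
EMPLOYEES = {
    "E1001": {"name": "Jane Doe", "department": "Finance"},
    "E1002": {"name": "Bob Roe", "department": "Finance"},
    "E1007": {"name": "Ann Lee", "department": "Engineering"},
    "E1010": {"name": "Tom Fox", "department": "Sales"},
}

# Active accounts extracted per in-scope application, with assigned roles.
# employee_id None marks an account with no HR record (generic / service id).
ACCOUNTS = {
    "System A": [
        {"user": "jdoe", "employee_id": "E1001", "roles": ["AP Entry"]},
        {"user": "broe", "employee_id": "E1002", "roles": ["GL Prepare", "GL Post"]},
        {"user": "svc_batch", "employee_id": None, "roles": ["Admin"]},
    ],
    "Salesforce.com": [
        {"user": "alee", "employee_id": "E1007", "roles": ["System Administrator"]},
        {"user": "tfox", "employee_id": "E1010", "roles": ["Sales User"]},
    ],
}


def missed_terminations(accounts, terminations, as_of):
    """Quarterly check: active accounts whose owner HR terminated on or before as_of."""
    findings = []
    for app, users in accounts.items():
        for acct in users:
            term = terminations.get(acct["employee_id"])
            if term is not None and term <= as_of:
                findings.append({
                    "application": app,
                    "user": acct["user"],
                    "employee_id": acct["employee_id"],
                    "days_since_termination": (as_of - term).days,
                })
    return findings


def review_packets(accounts, employees):
    """Semi-annual check: group each account and its roles under the department
    head who should attest to it. Accounts with no HR record go to an
    'UNKNOWN OWNER' packet so someone follows up on generic / shared ids."""
    packets = defaultdict(list)
    for app, users in accounts.items():
        for acct in users:
            emp = employees.get(acct["employee_id"])
            reviewer = emp["department"] if emp else "UNKNOWN OWNER"
            packets[reviewer].append((app, acct["user"], tuple(acct["roles"])))
    return dict(packets)


if __name__ == "__main__":
    for f in missed_terminations(ACCOUNTS, HR_TERMINATIONS, AS_OF):
        print(f"MISSED: {f['application']} / {f['user']} "
              f"({f['days_since_termination']} days after termination)")
    for reviewer, items in review_packets(ACCOUNTS, EMPLOYEES).items():
        print(f"packet for {reviewer}:")
        for app, user, roles in items:
            print(f"  {app}: {user} -> {', '.join(roles)}")
```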

    21/33

    Observations and Recommendations - IT

    Columns: Item, Sub-Process, Application, Current State, Observation Description, Owner & Due Date

    8. Change Testing

    Application: (insert system)

    Current State: Test results and approvals by the end-user community are not formally documented.

    Recommendation: Management should consider implementing a formal, documented change management process whereby test plans and test results are documented and approved before a change is moved to the production environment. Typically, a helpdesk solution is deployed at customers to document such a process.

    9. Change Review

    Application: (insert system)

    Current State: Management does not have a formal process in place to review changes migrated to production on a regular basis to verify that all significant changes are formally documented and approved.

    Recommendation: Management should consider implementing a formal process of reviewing changes made to Salesforce.com on a regular basis (i.e. quarterly) to ensure that only authorized changes were made.

    22/33

    Observations and Recommendations - IT

    Columns: Item, Sub-Process, Application, Current State, Observation Description, Owner & Due Date

    10. SAS70 Review

    Application: (insert system)

    Current State: Management does not have a formal process in place to review SAS70 reports for 3rd party services to ensure appropriate internal controls are in place.

    Recommendation: Management should consider implementing a formal process of reviewing SAS70 reports on a regular basis (i.e. annual) to ensure internal controls are in place and effective at 3rd party locations.

    12. Backup Tape Rotation

    Application: (insert system)

    Current State: Noted that there is currently no evidence in place (i.e. checklist) to confirm that backup tapes are rotated off-site on a weekly basis.

    Recommendation (as printed in the source): Management should consider implementing a formal process of reviewing changes made to Salesforce.com on a regular basis (i.e. quarterly) to ensure that only authorized changes were made.

    23/33

    Observations and Recommendations - IT

    Columns: Item, Sub-Process, Application, Current State, Observation Description, Owner & Due Date

    13. Restoration Test

    Application: (insert system)

    Current State: Noted that a formal process is not in place to perform restoration tests of backup media for in-scope applications.

    Recommendation: Management should perform and document restoration tests from tape on a regular basis (i.e. annually) to ensure that production systems can be restored in the event of a server failure.

    24/33

    Observations and Recommendations: Operational

    25/33

    Observations and Recommendations - Business Process

    Columns: Item, Observation Title, Current State, Risk & Impact, Observation Description, Owner & Due Date

    21. PCI Compliance

    Current State: Credit Card authorization forms (includes a field for the customer credit card and CVV authorization code) are sent to customers, then emailed or e-faxed back to [text cut off in source]

    Note (beginning and end cut off in source): ...,000 VISA transactions annually, are usually classified as a level 4 merchant, re...

    26/33

    Observations and Recommendations - Business Process

    Columns: Item, Observation Title, Current State, Risk & Impact, Observation Description, Owner & Due Date

    23. Purchasing Policy

    Current State: No policy exists detailing items or transactions required or not required to have a PO, or those that should be purchased with the company credit card and intentionally outside of the PO process. Blanket Purchase Orders are also not covered by current policies.

    Risk & Impact: A lack of established policies does not clearly communicate desired procedures, responsibilities, or accountabilities. Inconsistent use of POs and the purchasing process may lead to excess cost, decreased quality, risk exposure if not covered by standard terms and conditions, and process inefficiencies / duplication of efforts.

    Recommendation: The company should develop a PO and Purchasing policy addressing items and services requiring POs or Blanket POs, PR and / or PO approval hierarchy, processes for adding or de-activating vendors, guidelines for competitive bidding of purchases, guidelines for using female or minority owned businesses, use of company credit cards, etc.

    24. Vendor Master Cleanup

    Current State: Currently, there is no periodic review performed to identify vendors that should be de-activated in System A (Production related and non-Production related). Vendor records in System B are set to "expire" on an established date, and vendors must re-submit business licenses, W-8 / W-9, etc. to extend their de-activation date. Vendor records are not linked between System B and the System A Vendor Master File. No formalized communication process or reconciliation is in place to confirm that "expired" vendors in System B are de-activated in System A.

    Risk & Impact: Stale vendor records in the GL or multiple vendors operating as the same company increase the risk of fraud due to fictitious invoices or payments submitted on idle accounts, and increase the risk of making duplicate payments.

    Recommendation: The Company should analyze all vendor records in the vendor master and organize vendors by the last activity date. Vendors with activity within the last 18 months should remain as is. Vendors with no activity within the last 18 months but activity within 19-24 months should be assessed and determined viable or to be de-activated (most of these vendors should be de-activated). Vendors with no activity in the last 24 months should be de-activated. The Company should also institute a process to de-activate all vendors that are set to "expire" in System B in a timely manner.

    25. Streamline Contractor Onboarding

    Current State: HR is not closely involved in the process to onboard and terminate contractors. Contractors may be hired and terminated by department VPs and paid through AP without any notice or update given to HR.

    Risk / Impact: System access may not be properly approved, granted, and removed timely once a contracted employee has fulfilled their obligations. There may be excessive use of generic or shared user ids for critical applications and no record of changes made by users. No complete population of contract labor is readily available. Potentially arduous to manage multiple independent resource pools.

    Observation Description: Contractors used by the Company should be onboarded (and terminated) using the same HR processes as for regular employees (or, at a minimum, a standard process for all contract employees). Policies and procedures should be updated to reflect any specificities for contract employees, and monitoring tasks should be extended to cover the contract labor pool (e.g., system access, permissions, etc. should be assessed for the contract employee).

    26. Customer Due Diligence

    Current State: No credit or background checks are conducted for customers. One full-time collections agent is employed by the company. No formalized customer due-diligence process is in place.

    Risk / Impact: Revenue collectability exposure may not be identified prior to entering into sales agreements. Collectability of revenue is not fully vetted. Responsibility and accountability for non-standard customer accounts is not clearly defined.

    Observation Description: Management should implement a process whereby customer credit worthiness is assessed periodically (for current customers) as well as for new customers. This process should be formalized to denote any customer types that may be intentionally exempted from this process, or any special procedures that should be performed based on customer type (e.g. schools, government institutions, etc.).

    27. Purchasing Policy

    Current State: The Company requires that for non-travel-related general company credit card purchases, the PR process must be followed. The process has been designed as such to discourage overuse of the company credit card, based on past experiences and a lack of purchase backup for credit card purchases.

    Risk / Impact: The use of a purchasing card is typically designed to purchase low cost items outside of the purchasing process, thereby reducing the cost needed to generate, review, and approve the PO, as well as increasing cycle time for purchases. There has been increased use of purchasing cards as another disbursement type (if paid through AP); however, custody of credit cards, tracking and custody of rewards or rebates, and vendor monitoring (ensuring vendors are engaged in the process and not adding additional service fees) should be formalized and monitored.

    Observation Description: If credit cards are used to purchase goods or services outside of the AP process, the process should be designed such that it does not require the formal PR and PO process. The company should develop a PO and Purchasing policy addressing items and services requiring POs or Blanket POs, PR and / or PO approval hierarchy, processes for adding or de-activating vendors, guidelines for competitive bidding of purchases, guidelines for using female or minority owned businesses, use of company credit cards, etc.

    28. Development of Unapplied Cash Aging and Escheatment Process

    Current State: If a cash receipt cannot be matched with a corresponding contract, the cash is applied to a generic System A customer account until it is determined where it should be applied (on an ad-hoc basis). There is no process in place for reconciling or working unapplied cash and applying it to the correct customer accounts on a timely basis.

    Risk / Impact: Unapplied cash may remain in the generic account for an undetermined amount of time. There is currently no escheatment for unapplied cash.

    Observation Description: Management should develop (or enhance the current) process to track application of "unapplied cash" to the generic customer account in System A. Further, Management should assess state requirements for escheatment of long-aged unapplied cash to be in compliance with state regulations.

    29. Fixed Asset Tracking Process Re-design

    Current State: Finance enters all fixed asset information into the fixed asset subledger spreadsheet, which is used to record in System A. Signal Operations, Production, and Network Operations track and maintain fixed asset purchases on a manual spreadsheet. A periodic reconciliation of System G and departmental fixed asset spreadsheets to the fixed asset subledger spreadsheet does not occur to verify that assets are captured consistently between each tracking medium. No fixed asset inventories are performed.

    Risk / Impact: Inability to validate the existence of fixed assets (departmental spreadsheets to sub ledger, or physical assets to departmental spreadsheets). Inaccurate recording of fixed assets may lead to a misstatement in the financial statements and potentially increase the risk of fraud by concealing theft. Manual spreadsheet maintenance is prone to human error.

    Observation Description: Management should consider streamlining the multiple fixed asset tracking processes for consistency. As a component of this, management should also consider performing a reconciliation of known fixed assets held in the disparate tracking mechanisms and eliminating items not identified prior to consolidating the tracking function. Access to modify the consolidated Fixed Asset Spreadsheet should be restricted to prevent unauthorized or inadvertent changes from being made to the system of record.

    30. Develop Fixed Asset Policy

    Current State: Formal fixed asset policies do not exist for the following processes, or have not been finalized and documented:
    - A vendor selection process.
    - Fixed asset cycle counts.
    - Formal review and approval of fixed asset disposals.
    - A formal request and approval process for software applications does not exist.

    Observation Description:
    - Vendor selection, receipt, tracking, disposal, accounting for fixed assets, evidence of the receipt of goods, implementation of a three-way match.
    - From a process perspective, evidence of receipt can be achieved from receiving documents or by automating the process through System C, System G, or System A.

    31. Automation of PTO Tracking and Calculation

    Current State: PTO is maintained manually in an Excel spreadsheet by the Office Manager to keep track of employee balances.

    Risk / Impact: Manual maintenance of spreadsheets is prone to human error. Employee PTO balances may not be properly recorded and the accrual calculation may not be accurate.

    Observation Description: By the end of Q4 '11, PTO requests will be made through System D WorkForceNow and employee balances will no longer be tracked manually on a spreadsheet.

    32. Confirming PO Report

    Current State: The current practice is that the AP Specialist will not enter invoices if they exceed the approved PO amount (for PO-related invoices). The AP Specialist or the Payroll and AP Manager can "force" enter invoices if they exceed the PO amount. No review is performed to identify "confirming" POs (situations where the purchasing process was circumvented and POs are generated after the fact).

    Risk / Impact: Widespread use of confirming POs circumvents the established purchasing process and controls and may not provide sufficient monitoring and oversight of purchases.

    Observation Description: Monthly, the Corporate Controller or Accounting Director should perform a review of invoices received or entered with a PO date that is equal to or later (newer) than the invoice date. Items identified should be routed for explanation and trended to identify departments or individuals requiring additional training. This review should also include Blanket POs.

    33. Open PO Report

    Current State: There is no formalized review of an open PO report. The Production department submits an accrual listing to Accounting on a monthly basis, but the process is inconsistent across other departments.

    Risk / Impact: Purchase commitments may not be identified and recorded in the GL at period-end.

    Observation Description: Monthly, the Corporate Controller or Accounting Director should perform a review of an open (issued but not received, or not received complete) PO report. POs identified beyond an established date should be cancelled or assessed for accuracy. This review should also address Blanket POs. The first phase of this effort will be a more intensive research and clean-up project, which will transition to a standard monthly review and follow-up process.

    34. Develop or Enhance Revenue Policies

    Current State: Comprehensive revenue policies do not exist (e.g., Cash Receipts & Collections, Credit Memo, and Allowance for Doubtful Accounts).

    Risk / Impact: Staff performing activities may not be aware of the appropriate policies and procedures needed to execute their responsibilities.

    Observation Description: Establish, maintain, communicate, and periodically review formal policies surrounding revenue (e.g., Cash Receipts & Collections, Credit Memo, and Allowance for Doubtful Accounts).

    35. Develop GL Coding Procedure

    Current State: While a listing of GL accounts exists and has been provided to the individuals responsible for GL coding, additional information should be provided as to what goods and services are appropriate to include in the accounts. Reclassifying account coding is a regular activity, specifically for codes identified outside of the GL team.

    Risk / Impact: Duplication of efforts by the Senior Accountant to review and re-class invoices.

    Observation Description: Finance should provide all individuals responsible for GL coding with additional information as to what goods / services should be coded to specific GL accounts. While the GL accounts and descriptions are provided, further clarification will assist the individuals in identifying the correct accounts. This will reduce the number of errors and therefore the changes needed during the review process. This should include IT purchases, for which the VP of Network Operations is responsible.

    36. System Conversion

    Current State: Larger customer contracts (e.g., IBM) are tracked manually in Excel for billing, rather than in System B as are all other customer contracts.

    Risk / Impact: Manual maintenance of spreadsheets is prone to human error. Billing and revenue recognition for contracts tracked manually in Excel may not be complete and accurate.

    Observation Description: In order to confirm that billing and revenue recognition is accurate and consistent with other customers, management should modify the current process to include large customer contracts as part of the current billing submissions process.

    37. System Enhancement - System A - Subsidiary Consolidations

    38. Purchasing Systems Integration

    Current State: Currently, there is no periodic review performed to identify vendors that should be de-activated in System A (Production related and non-Production related). Vendor records in System B are set to "expire" on an established date, and vendors must re-submit business licenses, W-8 / W-9, etc. to extend their de-activation date. Vendor records are not linked between System B and the System A Vendor Master File. No formalized communication process or reconciliation is in place to confirm that "expired" vendors in System B are de-activated in System A.

    Risk / Impact: Stale vendor records in the GL, or multiple vendors operating as the same company, increase the risk of fraud due to fictitious invoices or payments submitted on idle accounts, and increase the risk of making duplicate payments.

    Observation Description: Assess the potential to integrate vendor records between System B and System A, and between System A and System C. It is unclear if de-activated vendors in System A are automatically or manually de-activated in System A. Inconsistent vendor master files may lead to potential fraud, increased risk of duplicate payments, and process inefficiencies in generating and approving purchase requisitions for vendors that have been de-activated and are not available for use.
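Items 24 and 38 above describe the same vendor-master weakness from two sides: no aging of System A vendors by last activity, and no reconciliation of "expired" System B records against what is still active in System A. The following is an added example (not code from the audit report or the company it describes) that implements the report's own 18 / 24-month aging rule, the expired-but-still-active reconciliation, and a simple same-company duplicate check, all over constructed sample extracts. It assumes a shared `vendor_id` across the two systems (the report says records are not linked today, so a name or tax-id match would be needed first) and treats a vendor with no recorded activity as older than 24 months; both are assumptions.

```python
"""Vendor master aging and System B / System A expiry reconciliation.

Added example, not part of the audit report. All vendor records and the
System B expiry extract below are constructed sample data, and the field
names (vendor_id, last_activity, ...) are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional

# Thresholds from the report's recommendation (item 24).
KEEP_MONTHS = 18      # activity within the last 18 months: keep as is
ASSESS_MONTHS = 24    # activity within 19-24 months: assess; older: de-activate


@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    last_activity: Optional[date]   # None: no activity on record
    active: bool


def months_between(earlier: date, later: date) -> int:
    """Whole months from `earlier` to `later` (partial months round down)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return months


def age_bucket(vendor: Vendor, as_of: date) -> str:
    """Apply the aging rule: 'keep', 'assess' or 'deactivate'."""
    if vendor.last_activity is None:
        return "deactivate"   # assumption: no recorded activity counts as older than 24 months
    age = months_between(vendor.last_activity, as_of)
    if age <= KEEP_MONTHS:
        return "keep"
    if age <= ASSESS_MONTHS:
        return "assess"
    return "deactivate"


def age_vendor_master(vendors: Iterable[Vendor], as_of: date) -> Dict[str, List[str]]:
    """Group active vendor ids by aging bucket; already-inactive vendors are skipped."""
    buckets: Dict[str, List[str]] = {"keep": [], "assess": [], "deactivate": []}
    for v in vendors:
        if v.active:
            buckets[age_bucket(v, as_of)].append(v.vendor_id)
    return buckets


def expired_but_active(system_b_expiry: Dict[str, date],
                       system_a: Iterable[Vendor], as_of: date) -> List[str]:
    """Vendors whose System B record has expired but who are still active in System A.

    Assumes both systems carry the same vendor id (hypothetical link key).
    """
    active_in_a = {v.vendor_id for v in system_a if v.active}
    return sorted(vid for vid, expiry in system_b_expiry.items()
                  if expiry < as_of and vid in active_in_a)


def possible_duplicates(vendors: Iterable[Vendor]) -> Dict[str, List[str]]:
    """Vendor ids sharing a normalised name (one company set up under several ids)."""
    by_name: Dict[str, List[str]] = {}
    for v in vendors:
        key = "".join(ch for ch in v.name.lower() if ch.isalnum())
        by_name.setdefault(key, []).append(v.vendor_id)
    return {k: ids for k, ids in by_name.items() if len(ids) > 1}


AS_OF = date(2011, 9, 30)   # constructed review date

SYSTEM_A_VENDORS = [        # constructed System A vendor master extract
    Vendor("V001", "Acme Supply Inc.", date(2011, 6, 15), True),         # 3 months: keep
    Vendor("V002", "ACME Supply, Inc", date(2010, 1, 10), True),         # 20 months: assess
    Vendor("V003", "Northwind Tower Services", date(2009, 3, 2), True),  # 30 months: de-activate
    Vendor("V004", "Contoso Signal Parts", None, True),                  # never used: de-activate
    Vendor("V005", "Fabrikam Freight", date(2008, 1, 1), False),         # already inactive
]

SYSTEM_B_EXPIRY = {         # constructed: vendor id -> licence / W-9 expiry date in System B
    "V001": date(2012, 3, 1),
    "V003": date(2011, 2, 28),   # expired and still active in System A
    "V005": date(2010, 5, 1),    # expired, but already inactive in System A
}

if __name__ == "__main__":
    print("aging:", age_vendor_master(SYSTEM_A_VENDORS, AS_OF))
    print("expired in System B, active in System A:",
          expired_but_active(SYSTEM_B_EXPIRY, SYSTEM_A_VENDORS, AS_OF))
    print("possible duplicates:", possible_duplicates(SYSTEM_A_VENDORS))
```

Run monthly, `expired_but_active` is the reconciliation the report says is missing, and the "assess" bucket is the list a reviewer works through before de-activation; the duplicate check addresses the "multiple vendors operating as the same company" risk named in both items.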

    Observations and Recommendations - IT
    (Columns: Item | Sub-Process | Application | Current State | Observation Description | Owner / Due Date)

    A1. General (Application: N/A)

    Current State: Comprehensive policies do not exist (e.g., Access Security, Change Management, Computer Operations, etc.).

    Observation Description: Management should establish, maintain, communicate, and periodically review formal policies (e.g. Access Security, Change Management, Computer Operations, etc.).