---
name: audit-compliance
description: Manage internal audit, SOX compliance, internal controls testing, segregation of duties, audit trail management, and external audit coordination. Use when performing controls testing, monitoring segregation of duties, maintaining audit trails, preparing for external audits, managing audit findings, or ensuring regulatory compliance. Triggers on phrases like "SOX compliance", "internal controls", "segregation of duties", "audit trail", "controls testing", "external audit", "audit findings", "remediation plan", "compliance monitoring", "change tracking", "access review".
---

# Audit & Compliance

Maintain strong internal controls, ensure regulatory compliance, and streamline audit processes.

## Internal Controls Framework

### SOX Controls Inventory & Testing

```
SOX CONTROLS INVENTORY — Finance Processes
════════════════════════════════════════════

FINANCIAL REPORTING CONTROLS:
  ┌───────┬──────────────────────────────┬──────────────┬───────────┬────────────┐
  │ ID    │ Control Description          │ Frequency    │ Type      │ Owner      │
  ├───────┼──────────────────────────────┼──────────────┼───────────┼────────────┤
  │ FC-01 │ JE approval workflow         │ Monthly      │ ITGC      │ Controller │
  │ FC-02 │ Month-end close checklist    │ Monthly      │ Manual    │ Controller │
  │ FC-03 │ Revenue recognition review   │ Monthly      │ Manual    │ Rev. Acct  │
  │ FC-04 │ Account reconciliation       │ Monthly      │ Manual    │ Acctg Mgr  │
  │ FC-05 │ Financial statement review   │ Quarterly    │ Manual    │ CFO        │
  │ FC-06 │ General Ledger access        │ Quarterly    │ ITGC      │ IT + Fin   │
  │ FC-07 │ Chart of accounts change     │ Ad-hoc       │ Manual    │ Controller │
  │ FC-08 │ Consolidation review         │ Monthly      │ Manual    │ Controller │
  └───────┴──────────────────────────────┴──────────────┴───────────┴────────────┘

PAYMENT CONTROLS:
  ┌───────┬──────────────────────────────┬──────────────┬───────────┬────────────┐
  │ ID    │ Control Description          │ Frequency    │ Type      │ Owner      │
  ├───────┼──────────────────────────────┼──────────────┼───────────┼────────────┤
  │ PC-01 │ 3-way match (PO/RX/INV)      │ Per trans    │ Automated │ AP Mgr     │
  │ PC-02 │ Payment approval matrix      │ Per trans    │ Automated │ Finance    │
  │ PC-03 │ Vendor master change         │ Ad-hoc       │ Manual+IT │ AP + Fin   │
  │ PC-04 │ Wire payment dual auth       │ Per trans    │ ITGC      │ Treasury   │
  │ PC-05 │ Duplicate payment check      │ Per trans    │ Automated │ AP Sys     │
  │ PC-06 │ Bank rec review              │ Monthly      │ Manual    │ Controller │
  └───────┴──────────────────────────────┴──────────────┴───────────┴────────────┘

REVENUE CONTROLS:
  ┌───────┬──────────────────────────────┬──────────────┬───────────┬────────────┐
  │ ID    │ Control Description          │ Frequency    │ Type      │ Owner      │
  ├───────┼──────────────────────────────┼──────────────┼───────────┼────────────┤
  │ RC-01 │ Contract review & approval   │ Per contract │ Manual    │ Rev. Acct  │
  │ RC-02 │ Revenue recognition schedule │ Monthly      │ Manual    │ Rev. Acct  │
  │ RC-03 │ Billing accuracy check       │ Per invoice  │ Automated │ Billing    │
  │ RC-04 │ AR reconciliation            │ Monthly      │ Manual    │ AR Mgr     │
  │ RC-05 │ Write-off approval           │ Ad-hoc       │ Manual    │ CFO        │
  └───────┴──────────────────────────────┴──────────────┴───────────┴────────────┘

TOTAL CONTROLS: 18 (Finance) + 12 (ITGC) + 6 (HR/Payroll) = 36 controls
TESTING CYCLE: Quarterly sampling (manual) + Continuous (automated)
LAST FULL TEST: Q4 2024 — All controls operating effectively ✓
```

### Controls Testing Process

```
QUARTERLY CONTROLS TESTING — Q1 2025 Plan
══════════════════════════════════════════

TESTING SCHEDULE:
  Planning: Feb 1-7 (define scope, sample selection)
  Execution: Feb 8 — Mar 15
  Reporting: Mar 16 — Mar 21
  Remediation (if needed): Mar 22 — Apr 10
  Sign-off: Apr 15

SAMPLE SELECTION:
  Manual controls: 25 transactions per control (per company policy)
  Automated controls: 100% test (system configuration review + operating effectiveness)
  ITGC controls: Configuration review + change management testing

TEST PROCEDURES (per control):
  1. Obtain understanding: Review control design documentation
  2. Test design effectiveness: Does the control, if operating properly, prevent/detect error?
  3. Test operating effectiveness: Did the control operate as designed during the period?
  4. Document results: Pass/Fail with evidence
  5. Evaluate exceptions: Root cause, materiality, remediation

EVIDENCE REQUIREMENTS:
  - Screenshots of system configurations
  - Approval emails/system logs
  - Signed checklists and review documentation
  - Reconciliation workpapers with sign-off
  - Transaction samples with supporting documentation

PRIOR YEAR RESULTS:
  Q4 2024: 36/36 controls passed (100%)
  Q3 2024: 35/36 passed (1 minor exception — remediated)
  Q2 2024: 36/36 passed (100%)
  Q1 2024: 34/36 passed (2 exceptions — remediated)
  Annual: 141/144 tests passed (98% — within target)
```

## Segregation of Duties (SOD)

### SOD Monitoring Framework

```
SEGREGATION OF DUTIES MATRIX — Key Incompatible Roles
══════════════════════════════════════════════════════

INCOMPATIBLE DUTY PAIRS:
  ┌──────────────────────────┬──────────────────────────┬───────────────────────────────┐
  │ Duty A                   │ Duty B                   │ Risk                          │
  ├──────────────────────────┼──────────────────────────┼───────────────────────────────┤
  │ Create vendor            │ Approve payment          │ HIGH — Fraud risk             │
  │ Create JE                │ Approve JE               │ HIGH — Financial misstatement │
  │ Process payment          │ Reconcile bank statement │ HIGH — Misappropriation       │
  │ Create customer          │ Apply cash / write-off   │ MEDIUM — Revenue misstatement │
  │ Manage GL access         │ Post to GL               │ HIGH — Unauthorized entries   │
  │ Process payroll          │ Approve payroll changes  │ HIGH — Fraud risk             │
  └──────────────────────────┴──────────────────────────┴───────────────────────────────┘

CURRENT SOD VIOLATIONS (Q1 2025):
  Total violations identified: 3
  HIGH severity: 1
  MEDIUM severity: 2
  LOW severity: 0

VIOLATION #1 — HIGH:
  User: J. Smith (AP Analyst)
  Violation: Create vendor + Approve payment (same user in NetSuite)
  Risk: Could create fictitious vendor and approve payment
  Status: Remediation in progress
  Action: Remove vendor creation access; assign to AP Supervisor
  Deadline: Feb 15, 2025
  Compensating control: Dual approval for all new vendors

VIOLATION #2 — MEDIUM:
  User: M. Lee (Accountant)
  Violation: Create JE + Approve JE (amounts <$10K)
  Risk: Could post unauthorized journal entries
  Status: Compensating control documented
  Action: Implement system rule — self-created JEs require 2nd approval
  Deadline: Mar 1, 2025

VIOLATION #3 — MEDIUM:
  User: K. Patel (Rev. Accountant)
  Violation: Manage revenue schedules + Write AR adjustments
  Risk: Could manipulate revenue recognition
  Status: Acceptable risk (amounts immaterial; quarterly review by Controller)
  Action: Document compensating control; monitor quarterly
  Deadline: Ongoing

SOD REVIEW CYCLE:
  Automated monitoring: Continuous (daily system check)
  Formal review: Quarterly (comprehensive access review)
  Annual certification: Manager attestation of team access appropriateness
```
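The incompatible-pair matrix above turned into a check, as an added Python example (not code from this page, nor from NetSuite or any other system named here). The role definitions and user assignments are constructed; the detective check evaluates existing access, and the preventive check evaluates a proposed role grant before it is provisioned.

```python
# Incompatible duty pairs and their risk rating, taken from the SOD matrix above.
INCOMPATIBLE_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}): "HIGH",
    frozenset({"create_je", "approve_je"}): "HIGH",
    frozenset({"process_payment", "reconcile_bank"}): "HIGH",
    frozenset({"create_customer", "apply_cash_writeoff"}): "MEDIUM",
    frozenset({"manage_gl_access", "post_to_gl"}): "HIGH",
    frozenset({"process_payroll", "approve_payroll_changes"}): "HIGH",
}

# Constructed role definitions (hypothetical names, not a real ERP's role catalogue).
ROLE_DUTIES = {
    "AP Analyst":     {"create_vendor", "process_payment"},
    "AP Supervisor":  {"approve_payment"},
    "Accountant":     {"create_je", "approve_je"},
    "Treasury":       {"reconcile_bank"},
    "Rev Accountant": {"create_customer"},
}

# Constructed user-to-role assignments; jsmith mirrors Violation #1 above.
USER_ROLES = {
    "jsmith": ["AP Analyst", "AP Supervisor"],
    "mlee":   ["Accountant"],
    "kpatel": ["Rev Accountant"],
}

SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

def conflicts_for(duties, pairs=INCOMPATIBLE_PAIRS):
    """Return the incompatible pairs fully contained in one user's duty set."""
    return [(tuple(sorted(p)), risk) for p, risk in pairs.items() if p <= duties]

def find_sod_violations(user_roles, role_duties=ROLE_DUTIES):
    """Detective check: evaluate the UNION of duties across all of a user's roles,
    so a conflict split across two individually clean roles is still caught."""
    violations = []
    for user, roles in user_roles.items():
        duties = set().union(*(role_duties[r] for r in roles))
        for (a, b), risk in conflicts_for(duties):
            involved = [r for r in roles if role_duties[r] & {a, b}]
            violations.append({"user": user, "duty_a": a, "duty_b": b,
                               "risk": risk, "roles": involved})
    return sorted(violations, key=lambda v: (SEVERITY_RANK[v["risk"]], v["user"]))

def check_access_request(user, new_role, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Preventive check: conflicts a proposed role grant would ADD for this user,
    ignoring any the user already has (those are tracked as open violations)."""
    current = set().union(*(role_duties[r] for r in user_roles.get(user, [])))
    before = {pair for pair, _ in conflicts_for(current)}
    proposed = current | role_duties[new_role]
    return [(pair, risk) for pair, risk in conflicts_for(proposed) if pair not in before]
```

Running `find_sod_violations(USER_ROLES)` reports jsmith's vendor-creation/payment-approval conflict and mlee's JE self-approval; `check_access_request("jsmith", "Treasury")` shows the additional HIGH conflict that granting bank reconciliation would introduce.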

## Audit Trail & Change Management

### Financial System Change Tracking

```
AUDIT TRAIL POLICY:
═══════════════════

CAPTURED CHANGES:
  1. General Ledger:
     - Journal entry creation, modification, voiding
     - Chart of accounts changes
     - Fiscal period open/close
     - Currency/rate changes
  
  2. Sub-ledgers:
     - Invoice creation/modification (AP/AR)
     - Customer/vendor master changes
     - Payment processing
     - Credit memo issuance
  
  3. System Administration:
     - User access grants/revocations
     - Role/permission changes
     - Configuration changes
     - Integration settings
  
  4. Financial Close:
     - Close checklist status changes
     - Reconciliation sign-offs
     - Financial statement approvals

AUDIT TRAIL DATA RETAINED:
  Who: User ID + name
  What: Action performed (create, modify, delete, approve)
  When: Timestamp (UTC + local timezone)
  Where: System/module
  Why: Business justification (captured at time of change)
  Before/After: Previous and new values

RETENTION POLICY:
  Active audit logs: 7 years (regulatory requirement)
  Archived logs: 10 years (offsite, immutable storage)
  Access: Read-only for auditors; write access restricted to system admins

ANOMALY DETECTION:
  Automated alerts for:
    - After-hours GL changes
    - High-value JEs outside normal close window
    - Multiple voids/reversals by same user
    - Vendor master changes without approval
    - Access changes to financial systems
    - Unusual volume of transactions in short period
  
  Current month anomalies: 2 (both investigated, no issues found)
```
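The alert rules listed above applied to audit-trail records, as an added Python example (not code from this page or from any product it names). The log records are constructed, and the business-hours window, close window, materiality threshold and void-burst threshold are assumed values to be tuned to the entity's own close calendar.

```python
from datetime import datetime, timedelta

# Constructed audit-trail records in the Who/What/When/Where shape of the policy above
# (timestamps are UTC ISO-8601; approved_by is None when no approval was recorded).
SAMPLE_LOG = [
    {"user": "mlee",   "action": "create", "module": "GL", "object": "JE-1041",
     "when": "2025-02-03T14:05:00", "amount": 12_000,  "approved_by": "controller"},
    {"user": "mlee",   "action": "create", "module": "GL", "object": "JE-1042",
     "when": "2025-02-03T23:40:00", "amount": 40_000,  "approved_by": "controller"},
    {"user": "mlee",   "action": "create", "module": "GL", "object": "JE-1077",
     "when": "2025-02-18T15:10:00", "amount": 250_000, "approved_by": "controller"},
    {"user": "jsmith", "action": "modify", "module": "AP", "object": "VENDOR-778",
     "when": "2025-02-04T10:12:00", "field": "bank_account", "approved_by": None},
    {"user": "kpatel", "action": "void", "module": "AR", "object": "INV-501",
     "when": "2025-02-04T11:00:00"},
    {"user": "kpatel", "action": "void", "module": "AR", "object": "INV-502",
     "when": "2025-02-04T11:04:00"},
    {"user": "kpatel", "action": "void", "module": "AR", "object": "INV-503",
     "when": "2025-02-04T11:09:00"},
]

# Assumed thresholds; this example treats UTC as the local business timezone.
BUSINESS_HOURS = range(8, 18)            # local working hours
CLOSE_WINDOW_DAYS = 5                    # month-end close = first 5 calendar days
HIGH_VALUE_JE = 100_000                  # materiality threshold for a single JE
VOID_BURST_COUNT, VOID_BURST_WINDOW = 3, timedelta(minutes=30)

def detect_anomalies(log):
    """Apply the policy's alert rules to audit records and return
    (rule, user, object) tuples. Records are evaluated in timestamp order."""
    alerts, recent_voids = [], {}
    for rec in sorted(log, key=lambda r: r["when"]):
        ts = datetime.fromisoformat(rec["when"])
        user, obj = rec["user"], rec["object"]
        off_hours = ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5
        if rec["module"] == "GL" and off_hours:
            alerts.append(("AFTER_HOURS_GL_CHANGE", user, obj))
        high_value_late = rec.get("amount", 0) >= HIGH_VALUE_JE and ts.day > CLOSE_WINDOW_DAYS
        if rec["module"] == "GL" and high_value_late:
            alerts.append(("HIGH_VALUE_JE_OUTSIDE_CLOSE", user, obj))
        if obj.startswith("VENDOR-") and rec["action"] == "modify" and not rec.get("approved_by"):
            alerts.append(("VENDOR_CHANGE_WITHOUT_APPROVAL", user, obj))
        if rec["action"] in ("void", "reverse"):
            # Sliding window of this user's recent voids; one burst raises one alert.
            window = [t for t in recent_voids.get(user, []) if ts - t <= VOID_BURST_WINDOW]
            window.append(ts)
            recent_voids[user] = window
            if len(window) >= VOID_BURST_COUNT:
                alerts.append(("VOID_BURST", user, obj))
                recent_voids[user] = []
    return alerts
```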

## External Audit Coordination

### Audit Preparation & Management

```
EXTERNAL AUDIT PREPARATION — FY2024 Audit
══════════════════════════════════════════

AUDIT FIRM: [Big 4 / Regional Firm]
AUDIT TEAM: Engagement partner + 4 seniors + 6 staff
AUDIT PERIOD: January 1 — December 31, 2024
TARGET REPORT DATE: April 30, 2025

AUDIT TIMELINE:
  ┌─────────────────────────┬──────────────────────┐
  │ Phase                   │ Dates                │
  ├─────────────────────────┼──────────────────────┤
  │ Planning & scoping      │ Jan 15 — Feb 7       │
  │ Interim testing         │ Feb 10 — Mar 15      │
  │ Data room access        │ Feb 1 (ongoing)      │
  │ Substantive testing     │ Mar 16 — Apr 10      │
  │ Close procedures        │ Apr 11 — Apr 21      │
  │ Management letter       │ Apr 22 — Apr 25      │
  │ Audit opinion           │ Apr 30               │
  └─────────────────────────┴──────────────────────┘

AUDIT PREPARATION CHECKLIST:
  Corporate & Governance:
    [ ] Org chart (current)
    [ ] Board meeting minutes (FY2024)
    [ ] Audit committee charters and meeting minutes
    [ ] Key policies (code of conduct, whistleblower, related party)
    [ ] Insurance certificates
    [ ] Legal register and litigation status
  
  Financial:
    [ ] Trial balance (monthly, FY2024)
    [ ] General ledger detail
    [ ] Journal entry log (all JEs, FY2024)
    [ ] Balance sheet reconciliations (all months)
    [ ] Bank reconciliations (all months)
    [ ] Intercompany reconciliations
    [ ] Fixed asset register
    [ ] Inventory records (if applicable)
    [ ] Revenue contracts (significant)
    [ ] Debt agreements and schedules
  
  Tax:
    [ ] Tax returns filed (federal, state, international)
    [ ] Tax provision workpapers
    [ ] Transfer pricing documentation
    [ ] Tax audit correspondence (if any)
  
  IT:
    [ ] ITGC testing results
    [ ] System access logs
    [ ] Change management records
    [ ] Disaster recovery documentation
    [ ] Cybersecurity assessment

DATA ROOM STATUS:
  Total items required: 85
  Uploaded: 72 (85%)
  In progress: 10
  Missing: 3 (legal opinions, insurance certs, DR test results)
  Target completion: Feb 15

PRIOR YEAR AUDIT RESULTS:
  Opinion: Unqualified (clean)
  Management letter findings: 3 (all resolved)
    1. Timely bank recs — RESOLVED (implemented automated recs)
    2. JE documentation — RESOLVED (enhanced templates)
    3. Access review frequency — RESOLVED (quarterly reviews started)
  No material weaknesses or significant deficiencies
```

## Audit Findings & Remediation

### Finding Management Process

```
AUDIT FINDING MANAGEMENT:
══════════════════════════

FINDING CLASSIFICATION:
  Material Weakness (MW): Most severe — reasonable likelihood of material misstatement
  Significant Deficiency (SD): Less severe than MW but important enough to merit attention
  Observation/Recommendation: Best practice improvement, not a deficiency
  Observation: Informational — no deficiency identified

CURRENT FINDINGS (FY2023 Audit — All Remediated):
  ┌──────┬─────────────────────────┬──────────┬────────────────┬──────────┐
  │ #    │ Finding                 │ Severity │ Remediation    │ Status   │
  │      │ Description             │          │ Action         │          │
  ├──────┼─────────────────────────┼──────────┼────────────────┼──────────┤
  │ F-01 │ Late bank recs (3       │ SD       │ Auto-rec       │ ✓ Closed │
  │      │ months >5 days late)    │          │ implementation │          │
  ├──────┼─────────────────────────┼──────────┼────────────────┼──────────┤
  │ F-02 │ Insufficient JE         │ SD       │ Enhanced JE    │ ✓ Closed │
  │      │ documentation           │          │ templates +    │          │
  │      │                         │          │ approval       │          │
  ├──────┼─────────────────────────┼──────────┼────────────────┼──────────┤
  │ F-03 │ Annual (not quarterly)  │ Obs      │ Quarterly      │ ✓ Closed │
  │      │ access review           │          │ reviews        │          │
  │      │                         │          │ implemented    │          │
  └──────┴─────────────────────────┴──────────┴────────────────┴──────────┘

REMEDIATION WORKFLOW:
  1. Finding issued (audit report)
  2. Management assessment (agreement with finding, severity)
  3. Remediation plan (action steps, owner, deadline)
  4. Implementation (execute remediation)
  5. Testing (verify remediation effectiveness)
  6. Close (document resolution, auditor confirmation)
  
  Average remediation time (prior year): 45 days
  Target: 30 days for SD, 60 days for MW
```

## Compliance Monitoring

### Regulatory Compliance Calendar

```
REGULATORY COMPLIANCE CALENDAR:
════════════════════════════════

SOX COMPLIANCE:
  Quarterly controls testing: ✓ On schedule (Q1 2025 in progress)
  Annual management assessment: Feb 28, 2025
  External auditor attestation: April 2025
  SOD review: Quarterly (next: Mar 15)
  Annual access certification: Apr 30, 2025

DATA PRIVACY (GDPR/CCPA):
  Data protection impact assessments: Annual (next: Q3 2025)
  Privacy policy review: Annual (last: Jan 2025) ✓
  Data subject request process: Ongoing (avg. 12 days response)
  Third-party data processing agreements: Quarterly review
  Breach response plan: Annual test (next: Q2 2025)

FINANCIAL REGULATORY:
  SEC filings (if public): 10-K (Apr 30), 10-Q (quarterly), 8-K (as needed)
  Sarbanes-Oxley: CEO/CFO certifications on all filings
  Whistleblower program: Annual communication (last: Jan 2025) ✓
  Code of conduct training: Annual (completion rate: 96%)

EMPLOYEE/PAYROLL COMPLIANCE:
  DOL wage & hour: Ongoing monitoring
  I-9 audit readiness: Quarterly spot checks
  EEO reporting: Annual (EEO-1 filing: Sep 2025)
  Benefits compliance (ERISA): Annual

CYBERSECURITY:
  SOC 2 Type II: Annual (report due: June 2025)
  Penetration testing: Semi-annual (next: Apr 2025)
  Vulnerability assessment: Monthly
  Incident response drill: Semi-annual (next: May 2025)
```

## Output

### Audit & Compliance Dashboard

```
AUDIT & COMPLIANCE DASHBOARD — Q1 2025
══════════════════════════════════════════

Controls Testing:
  Q1 2025 testing: In progress (45% complete)
  Prior year pass rate: 98% (141/144)
  Current exceptions: 0 (on track for 100%)
  Target: 95%+ pass rate

SOX Compliance:
  Overall status: ✓ COMPLIANT
  Material weaknesses: 0
  Significant deficiencies: 0
  Observations: 2 (non-material)
  
SOD Monitoring:
  Total violations: 3 (1 HIGH, 2 MEDIUM)
  Remediated: 0 (in progress)
  Compensating controls: 3 documented
  Next review: Mar 15

Audit Trail:
  Coverage: 100% financial systems
  Anomalies (current month): 2 (investigated, no issues)
  Retention: 7 years active, 10 years archived
  Last integrity check: Jan 2025 ✓

External Audit (FY2024):
  Status: Interim testing phase
  Data room: 85% complete
  Prior year opinion: Unqualified (clean)
  Prior year findings: 3 (all remediated)
  Target report date: April 30, 2025

Compliance Calendar:
  Upcoming deadlines:
    Feb 28: SOX management assessment — 2 days ⚠
    Mar 15: SOD review — 17 days
    Apr 30: Annual access certification — 53 days
    Jun 30: SOC 2 Type II report — 95 days

Risk Rating: LOW
  All key controls operating effectively
  No unresolved material findings
  Audit preparation on track
```

## Integration Points

- ERP/GL (NetSuite, SAP): Transaction data, audit log, change tracking
- GRC platforms (ServiceNow GRC, MetricStream, AuditBoard): Controls management, testing
- Access management (Okta, Azure AD): User access, role assignment, SOD analysis
- Document management (SharePoint, Box): Audit evidence, workpapers
- External auditor portals: Data room, document sharing, Q&A
- BI platforms: Compliance dashboards, metrics tracking
- IT monitoring tools: System logs, anomaly detection, change tracking
- HR systems: Employee access provisioning/deprovisioning
- Cybersecurity platforms: SOC 2 compliance, penetration testing results

## Edge Cases

- **Remote/hybrid workforce**: Access controls for remote users; multi-factor authentication enforcement
- **Cloud ERP migration**: Parallel testing during transition; data integrity validation; cut-over controls
- **Acquired entities**: Controls gap assessment; integration into SOX program; timeline for compliance
- **Regulatory changes**: New compliance requirements assessment; control updates; training
- **Whistleblower allegations**: Investigation process; documentation; remediation; reporting
- **Audit scope changes**: Auditor expands scope → additional testing; resource allocation
- **Material weakness identification**: Immediate escalation to Audit Committee; emergency remediation plan
- **International compliance**: Multiple regulatory regimes; local audit requirements; cross-border data transfer
- **System failures**: Disaster recovery testing; data restoration validation; business continuity
- **Third-party risk**: Vendor audit rights; SOC report review; sub-service provider monitoring
