Finance AI Skill
Financial Controls Governance
Design, implement, and maintain financial controls framework including SOX compliance, internal control over financial reporting (ICFR), control self-assessment, risk assessment, control testing, and remediation. Use when establishing control frameworks, pe...
Financial Controls & Governance
Design, implement, and maintain financial controls framework including SOX compliance, ICFR, control self-assessment, and remediation tracking.
Workflow
1. Control Framework Design (COSO)
COSO INTERNAL CONTROL FRAMEWORK — 5 COMPONENTS
═══════════════════════════════════════
1. CONTROL ENVIRONMENT
═══════════════════════════════════════
Elements:
→ Tone at the top (board oversight, executive commitment)
→ Code of conduct / ethics policy
→ Organizational structure (clear reporting lines)
→ Authority and responsibility (delegation of authority)
→ Competence (training, qualifications)
→ HR policies (hiring, performance, discipline)
Key Documents:
→ Code of Conduct (annually acknowledged)
→ Delegation of Authority (DoA) matrix
→ Organization chart (updated quarterly)
→ Whistleblower policy (anonymous reporting)
2. RISK ASSESSMENT
═══════════════════════════════════════
Process:
→ Identify business risks (financial, operational, compliance, strategic)
→ Assess likelihood and impact
→ Determine risk appetite and tolerance
→ Identify controls to address risks
Risk Assessment Matrix:
═══════════════════════════════════════
Risk                         Likelihood  Impact    Rating    Response
──────────────────────────────────────────────────────────────────────
Revenue recognition error    HIGH        HIGH      CRITICAL  Preventive + Detective
Journal entry fraud          MEDIUM      HIGH      HIGH      Preventive + Detective
Financial misstatement       MEDIUM      HIGH      HIGH      Detective
Segregation of duties gap    MEDIUM      MEDIUM    MEDIUM    Preventive
Unapproved expenditures      HIGH        MEDIUM    HIGH      Preventive
Cybersecurity breach         MEDIUM      CRITICAL  HIGH      Preventive
Tax non-compliance           LOW         HIGH      MEDIUM    Preventive
Foreign exchange exposure    MEDIUM      MEDIUM    MEDIUM    Monitor
3. CONTROL ACTIVITIES
═══════════════════════════════════════
Control Types:
═══════════════════════════════════════
Type        Description                                      Examples
───────────────────────────────────────────────────────────────────────
Preventive  Stops errors before they occur                   Approval workflows, SoD, access controls, validation
Detective   Identifies errors after they occur               Reconciliations, variance analysis, exception reports
Corrective  Fixes identified issues and prevents recurrence  Adjustment procedures, root cause analysis
Directive   Guides behavior toward desired outcomes          Policies, procedures, training, standards
Control Method:
═══════════════════════════════════════
Type                                           Description      Strength
──────────────────────────────────────────────────────────────
Automated (system configuration)               System-enforced  HIGHEST (consistent, scalable)
Manual (review, approval)                      Human-performed  HIGHER (requires monitoring)
Combination (system generates, human reviews)  System + human   HIGH (layered defense)
4. INFORMATION & COMMUNICATION
═══════════════════════════════════════
→ Financial reporting (timely, accurate, complete)
→ Control awareness (training, communication)
→ External communication (regulators, auditors, investors)
5. MONITORING ACTIVITIES
═══════════════════════════════════════
→ Ongoing monitoring (embedded in processes)
→ Separate evaluations (internal audit, self-assessment)
→ Deficiency reporting (escalation protocol)
2. Control Matrix Design
SOX CONTROL MATRIX — Revenue to Cash Process
═══════════════════════════════════════
Process: Order-to-Cash (Revenue Recognition, Billing, Collections)
Control ID  Control Description                                    Type          Freq           Automated  Test Method          Owner
───────────────────────────────────────────────────────────────────────────────────────────────
RTC-01      Price validation against approved price list           Prev control  Each order     YES        General IT controls  Pricing Mgr
RTC-02      Credit limit check before order acceptance             Prev control  Each order     YES        Reconcil.            Credit Mgr
RTC-03      Four-eyes review on discounts > 10% off list price     Prev manual   Each discount  NO         Sample               Sales Ops
RTC-04      Revenue recognition rule validation (ASC 606)          Prev control  Each invoice   YES        General IT controls  Rev Rec Mgr
RTC-05      Monthly revenue reconciliation (system vs GL)          Det manual    Monthly        NO         Perform              Rev Accnt
RTC-06      AR aging review and follow-up (> 60 days)              Det manual    Monthly        NO         Inquire/Observe      Collections Mgr
RTC-07      Cash application reconciliation (bank vs system)       Det control   Daily          YES        General IT controls  Cash Accnt
RTC-08      Bank reconciliation (all bank accounts)                Det manual    Monthly        NO         Perform              Treasury
RTC-09      Cut-off testing (revenue)                              Det manual    Month end      NO         Perform              Rev Accnt
RTC-10      Journal entry approval for revenue adjustments > $50K  Prev manual   Each entry     NO         Sample               Controller
SEGREGATION OF DUTIES MATRIX:
═══════════════════════════════════════
Function A              Function B              Conflict?  Mitigation
───────────────────────────────────────────────────────────────────────
Order entry             Pricing approval        YES        System control (RTC-01)
Billing                 Cash application        YES        SoD review quarterly
AR write-off approval   AR collections          YES        Dual approval required
Journal entry creation  Journal entry approval  YES        Four-eyes principle
System admin            Data access             YES        Quarterly access review
Purchase creation       Vendor payment          YES        AP automation with approval
Inventory receive       Inventory adjustment    YES        Warehouse supervisor review
SoD CONFLICT RESOLUTION:
═══════════════════════════════════════
Conflict: AP clerk creates vendors AND approves payments
Risk Level: HIGH
Mitigation:
→ System configuration: Separate user IDs for creation and approval
→ If unavoidable (small team): Compensating control — monthly review by Controller
→ Compensating control ID: AP-11 (Management review of vendor master and payments)
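As an added example (not code from the original page), the two checks a reviewer would run against the SoD matrix above: a role-level scan of user-to-function assignments for conflicting pairs, and a four-eyes check over journal entries in the style of RTC-10. The function labels, user names and journal entries are constructed sample data.

```python
# Conflicting function pairs from the SoD matrix above, mapped to the mitigation
# the matrix assigns them. Function labels are constructed, not a real system's.
SOD_CONFLICTS = {
    frozenset({"order_entry", "pricing_approval"}): "System control (RTC-01)",
    frozenset({"billing", "cash_application"}): "SoD review quarterly",
    frozenset({"ar_writeoff_approval", "ar_collections"}): "Dual approval required",
    frozenset({"je_create", "je_approve"}): "Four-eyes principle",
    frozenset({"system_admin", "data_access"}): "Quarterly access review",
    frozenset({"purchase_create", "vendor_payment"}): "AP automation with approval",
}


def find_role_conflicts(assignments):
    """Role-level check. assignments: {user: set of functions}.
    Returns [(user, (function_a, function_b), mitigation)] sorted by user."""
    hits = []
    for user, funcs in sorted(assignments.items()):
        for pair, mitigation in SOD_CONFLICTS.items():
            if pair <= funcs:  # user holds both sides of a conflicting pair
                hits.append((user, tuple(sorted(pair)), mitigation))
    return hits


def find_four_eyes_exceptions(entries, threshold=50_000):
    """Transaction-level check mirroring RTC-10: adjustments above the threshold
    need an approver who is not the creator. entries: dicts with id, amount,
    created_by, approved_by (None = unapproved). Returns [(entry_id, reason)]."""
    exceptions = []
    for e in entries:
        if e["amount"] <= threshold:
            continue  # at or below the threshold: outside RTC-10's scope
        if e["approved_by"] is None:
            exceptions.append((e["id"], "no approval"))
        elif e["approved_by"] == e["created_by"]:
            exceptions.append((e["id"], "self-approved"))
    return exceptions


# Constructed sample data: carol holds both sides of the JE conflict and has
# approved her own $75K entry, the same pattern as the RTC-10 exception above.
SAMPLE_ASSIGNMENTS = {
    "alice": {"order_entry", "pricing_approval"},
    "bob": {"billing"},
    "carol": {"je_create", "je_approve", "system_admin"},
}
SAMPLE_ENTRIES = [
    {"id": "JE-1001", "amount": 75_000, "created_by": "carol", "approved_by": "carol"},
    {"id": "JE-1002", "amount": 20_000, "created_by": "carol", "approved_by": "carol"},
    {"id": "JE-1003", "amount": 120_000, "created_by": "bob", "approved_by": "carol"},
    {"id": "JE-1004", "amount": 60_000, "created_by": "bob", "approved_by": None},
]
```

Each hit from the role-level scan carries the matrix's mitigation, so an unmitigated conflict (no compensating control on file, as in the AP example above) is immediately visible.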
3. Control Testing
CONTROL TESTING PROGRAM — SOX FY 2024
═══════════════════════════════════════
TEST TYPES:
═══════════════════════════════════════
Test Type                     Description                                                Sample Size  Frequency
──────────────────────────────────────────────────────────────────────
Design Effectiveness (DE)     Does the control exist and is it designed properly?        100%         Annual
Operating Effectiveness (OE)  Is the control working as designed throughout the period?  Per below    Annual
SAMPLE SIZES (OE Testing):
═══════════════════════════════════════
Control Frequency    Sample Size  Population        Test Period
───────────────────────────────────────────────────────────────────────
Real-time (each tx)  60           All transactions  Full year
Monthly              24           12 months         Full year
Quarterly            12           4 quarters        Full year
Annual               1            1 year            Full year
CONTROL TESTING RESULTS — Q4 2024:
═══════════════════════════════════════
Control ID  Test Type  Sample  Passed  Failed  Exception Rate  Status
────────────────────────────────────────────────────────────────────────────
RTC-01      DE/OE      60      60      0       —               OPERATING ✓
RTC-02      DE/OE      60      58      2       3.3%            DEFICIENT ⚠
RTC-03      DE/OE      24      24      0       —               OPERATING ✓
RTC-04      DE/OE      60      60      0       —               OPERATING ✓
RTC-05      DE/OE      12      12      0       —               OPERATING ✓
RTC-06      DE/OE      12      10      2       16.7%           DEFICIENT ⚠
RTC-07      DE/OE      60      60      0       —               OPERATING ✓
RTC-08      DE/OE      12      12      0       —               OPERATING ✓
RTC-09      DE/OE      4       4       0       —               OPERATING ✓
RTC-10      DE/OE      12      11      1       8.3%            DEFICIENT ⚠
DEFICIENCY ASSESSMENT:
═══════════════════════════════════════
RTC-02 (Credit limit check):
→ 2 exceptions: Orders processed without credit check (system override)
→ Root cause: Emergency orders bypassed credit check without proper approval
→ Assessment: SIGNIFICANT DEFICIENCY (not material weakness)
→ Remediation: System enhancement to prevent bypass (Q1 2025)
RTC-06 (AR aging review):
→ 2 exceptions: Aging reviews not performed for 2 months
→ Root cause: Collections manager on leave without backup coverage
→ Assessment: CONTROL DEFICIENCY
→ Remediation: Backup coverage process established (complete)
RTC-10 (Journal entry approval):
→ 1 exception: $75K adjustment approved by the same person who created it
→ Root cause: Controller approved own entry (SoD conflict)
→ Assessment: SIGNIFICANT DEFICIENCY
→ Remediation: System SoD rule implemented (Q1 2025)
4. Deficiency Classification & Remediation
DEFICIENCY CLASSIFICATION FRAMEWORK
═══════════════════════════════════════
Control Deficiency
→ Definition: Control does not operate as designed
→ Action required: Remediate; report to management
Significant Deficiency (SD)
→ Definition: Deficiency (or combination of deficiencies) that merits attention by those responsible for ICFR
→ Action required: Remediate; report to audit committee; disclose if needed
Material Weakness (MW)
→ Definition: Reasonable possibility that a material misstatement will not be prevented or detected; audit opinion impacted
→ Action required: Remediate urgently; disclose in proxy and 10-K; restatement possible
REMEDIATION PLAN:
═══════════════════════════════════════
Deficiency: RTC-02 (Credit check system override)
Classification: Significant Deficiency
Target remediation date: March 31, 2025
Remediation Steps:
═══════════════════════════════════════
Step  Action                         Owner          Target Date   Status
─────────────────────────────────────────────────────────────────────────────
1     Identify root cause            IT/Finance     Nov 15, 2024  COMPLETE ✓
2     Design system enhancement      IT             Dec 15, 2024  IN PROGRESS
3     Develop system fix             IT Dev         Jan 15, 2025  PLANNED
4     Test enhancement (UAT)         QA             Feb 15, 2025  PLANNED
5     Deploy to production           IT Ops         Mar 1, 2025   PLANNED
6     Operational testing (1 month)  Process Owner  Mar 31, 2025  PLANNED
7     Management attestation         Controller     Apr 15, 2025  PLANNED
MONITORING:
→ Weekly status updates during remediation
→ Monthly reporting to audit committee
→ Interim testing at Step 6 to confirm operating effectiveness
5. Internal Audit & Governance Reporting
INTERNAL AUDIT PLAN — FY 2025
═══════════════════════════════════════
Risk-Based Audit Plan:
═══════════════════════════════════════
Audit Area               Risk Rating  FY2025 Priority  Scope                Timeline  Resources
─────────────────────────────────────────────────────────────────────────────────
Revenue Recognition      HIGH         1                ASC 606 compliance   Q1        2 staff × 6 weeks
Journal Entry Controls   HIGH         2                JE testing, SoD      Q1        1 staff × 4 weeks
IT General Controls      HIGH         3                Access, change, ops  Q2        2 staff × 8 weeks
Financial Close Process  MEDIUM       4                Close timeline, rev  Q2        1 staff × 4 weeks
Expense Management       MEDIUM       5                Policy compliance    Q3        1 staff × 3 weeks
Fixed Assets             LOW          6                Physical inventory   Q3        1 staff × 2 weeks
Tax Compliance           HIGH         7                Transfer pricing     Q4        2 staff × 6 weeks
Cybersecurity            HIGH         8                SOC 2, access        Q4        1 staff × 4 weeks
AUDIT COMMITTEE REPORTING:
═══════════════════════════════════════
Quarterly Report Contents:
═══════════════════════════════════════
1. ICFR Status
→ Controls tested: 150 of 180 (83%)
→ Controls operating effectively: 142 (94.7%)
→ Deficiencies identified: 8 (5.3%)
■ Material weaknesses: 0
■ Significant deficiencies: 3
■ Control deficiencies: 5
2. Remediation Progress
→ Open deficiencies: 8
→ Remediation on track: 6
→ Remediation at risk: 2
→ Expected closure: 100% by Q2 2025
3. Audit Plan Progress
→ Audits completed: 3 of 8
→ Findings: 12 (2 high, 5 medium, 5 low)
→ Management acceptance rate: 100%
4. External Audit Coordination
→ External audit scope: Confirmed
→ SOX testing overlap: 40% of controls
→ Draft management letter findings: Under review
Edge Cases
- Sarbanes-Oxley Section 404: Requires management assessment AND auditor attestation
- Smaller reporting companies: May use reduced scope (targeted approach)
- Non-U.S. companies: May use COSO, ISO 31000, or local frameworks
- Emerging companies (pre-SOX): Implement controls in preparation for IPO
- Acquired companies: Integrate into the control framework; assess inherited deficiencies
Integration Points
- GRC platforms: AuditBoard, MetricStream, SAI360 (control management)
- ERP: Oracle, SAP (embedded controls, workflow approvals)
- ITGC systems: ServiceNow, Archer (access management, change management)
- Audit management: Workiva, TeamMate (audit planning, testing)
- Reporting: SEC EDGAR, board portals (disclosure)
- HR systems: Access provisioning, termination workflows
Output
Controls Summary
INTERNAL CONTROLS REPORT — Q4 2024
═══════════════════════════════════════
Overall ICFR status: EFFECTIVE (no material weaknesses)
Controls tested: 150/180 (83%)
Operating effectively: 142/150 (94.7%)
Open deficiencies: 8
→ Material weaknesses: 0
→ Significant deficiencies: 3 (remediation by Q2 2025)
→ Control deficiencies: 5 (remediation in progress)
Next steps:
→ Complete system enhancements for RTC-02 and RTC-10
→ Deploy IT SoD rules (Q1 2025)
→ Conduct interim testing before year-end