---
name: financial-controls-governance
description: Design, implement, and maintain financial controls framework including SOX compliance, internal control over financial reporting (ICFR), control self-assessment, risk assessment, control testing, and remediation. Use when establishing control frameworks, performing SOX testing, identifying control deficiencies, designing preventive/detective controls, or reporting to audit committee. Triggers on phrases like "internal controls", "SOX compliance", "ICFR", "control framework", "COSO", "control testing", "material weakness", "significant deficiency", "control deficiency", "control self-assessment", "key controls", "process owner", "control matrix", "remediation plan", "four eyes", "segregation of duties", "SoD conflict", "automated controls", "manual controls".
---

# Financial Controls & Governance

Design, implement, and maintain a financial controls framework, including SOX compliance, ICFR, control self-assessment, and remediation tracking.

## Workflow

### 1. Control Framework Design (COSO)

```
COSO INTERNAL CONTROL FRAMEWORK — 5 COMPONENTS
═══════════════════════════════════════

1. CONTROL ENVIRONMENT
═══════════════════════════════════════

Elements:
  → Tone at the top (board oversight, executive commitment)
  → Code of conduct / ethics policy
  → Organizational structure (clear reporting lines)
  → Authority and responsibility (delegation of authority)
  → Competence (training, qualifications)
  → HR policies (hiring, performance, discipline)

Key Documents:
  → Code of Conduct (annually acknowledged)
  → Delegation of Authority (DoA) matrix
  → Organization chart (updated quarterly)
  → Whistleblower policy (anonymous reporting)

2. RISK ASSESSMENT
═══════════════════════════════════════

Process:
  → Identify business risks (financial, operational, compliance, strategic)
  → Assess likelihood and impact
  → Determine risk appetite and tolerance
  → Identify controls to address risks

Risk Assessment Matrix:
═══════════════════════════════════════

Risk                      Likelihood   Impact    Rating    Response
──────────────────────────────────────────────────────────────────────
Revenue recognition error    HIGH        HIGH      CRITICAL   Preventive +
                                                     Detective
Journal entry fraud          MEDIUM      HIGH      HIGH       Preventive +
                                                     Detective
Financial misstatement       MEDIUM      HIGH      HIGH       Detective
Segregation of duties gap    MEDIUM      MEDIUM     MEDIUM    Preventive
Unapproved expenditures      HIGH        MEDIUM     HIGH      Preventive
Cybersecurity breach         MEDIUM      CRITICAL   HIGH      Preventive
Tax non-compliance           LOW         HIGH       MEDIUM    Preventive
Foreign exchange exposure    MEDIUM      MEDIUM     MEDIUM    Monitor

3. CONTROL ACTIVITIES
═══════════════════════════════════════

Control Types:
═══════════════════════════════════════

Type                  Description            Examples
───────────────────────────────────────────────────────────────────────
Preventive           Stops errors before      Approval workflows, SoD,
                     they occur                  access controls, validation

Detective            Identifies errors after  Reconciliations, variance
                     they occur                  analysis, exception reports

Corrective           Fixes identified issues  Adjustment procedures,
                     and prevents recurrence     root cause analysis

Directive            Guides behavior toward   Policies, procedures,
                     desired outcomes            training, standards

Control Method:
═══════════════════════════════════════

Type                  Description            Strength
──────────────────────────────────────────────────────────────
Automated            System-enforced        HIGHEST (consistent, scalable)
                     (system configuration)

Manual               Human-performed         HIGHER (requires monitoring)
                     (review, approval)

Combination          System + human          HIGH (layered defense)
                     (system generates,
                      human reviews)

4. INFORMATION & COMMUNICATION
═══════════════════════════════════════

  → Financial reporting (timely, accurate, complete)
  → Control awareness (training, communication)
  → External communication (regulators, auditors, investors)

5. MONITORING ACTIVITIES
═══════════════════════════════════════

  → Ongoing monitoring (embedded in processes)
  → Separate evaluations (internal audit, self-assessment)
  → Deficiency reporting (escalation protocol)
```

### 2. Control Matrix Design

```
SOX CONTROL MATRIX — Revenue to Cash Process
═══════════════════════════════════════

Process: Order-to-Cash (Revenue Recognition, Billing, Collections)

Control ID  Control Description                          Type        Frequency      Automated     Test Method            Owner
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
RTC-01      Price validation against approved            Preventive  Each order     YES           General IT controls    Pricing Mgr
            price list
RTC-02      Credit limit check before order acceptance   Preventive  Each order     YES           Reconciliation         Credit Mgr
RTC-03      Four-eyes review on discounts > 10% off      Preventive  Each discount  NO (manual)   Sample                 Sales Ops
            list price
RTC-04      Revenue recognition rule validation          Preventive  Each invoice   YES           General IT controls    Rev Rec Mgr
            (ASC 606)
RTC-05      Monthly revenue reconciliation               Detective   Monthly        NO (manual)   Perform                Rev Accnt
            (system vs GL)
RTC-06      AR aging review and follow-up (> 60 days)    Detective   Monthly        NO (manual)   Inquire/Observe        Collections Mgr
RTC-07      Cash application reconciliation              Detective   Daily          YES           General IT controls    Cash Accnt
            (bank vs system)
RTC-08      Bank reconciliation (all bank accounts)      Detective   Monthly        NO (manual)   Perform                Treasury
RTC-09      Cut-off testing (revenue)                    Detective   Month end      NO (manual)   Perform                Rev Accnt
RTC-10      Journal entry approval for revenue           Preventive  Each entry     NO (manual)   Sample                 Controller
            adjustments > $50K

SEGREGATION OF DUTIES MATRIX:
═══════════════════════════════════════

Function A              Function B            Conflict?   Mitigation
───────────────────────────────────────────────────────────────────────
Order entry             Pricing approval       YES         System control (RTC-01)
Billing                 Cash application       YES         SoD review quarterly
AR write-off approval   AR collections         YES         Dual approval required
Journal entry creation  Journal entry approval  YES        Four-eyes principle
System admin            Data access            YES         Quarterly access review
Purchase creation       Vendor payment         YES         AP automation with approval
Inventory receive       Inventory adjustment   YES         Warehouse supervisor review

SoD CONFLICT RESOLUTION:
═══════════════════════════════════════

Conflict: AP clerk creates vendors AND approves payments
Risk Level: HIGH
Mitigation:
  → System configuration: Separate user IDs for creation and approval
  → If unavoidable (small team): Compensating control — monthly review by Controller
  → Compensating control ID: AP-11 (Management review of vendor master and payments)
```
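The SoD matrix and the conflict-resolution entry above describe two distinct checks: a static one (does any single identity hold two functions the matrix marks as conflicting, and if so is a compensating control documented for it) and a transactional one (the four-eyes rule that the creator of a journal entry above the threshold must not also be its approver, which is exactly the RTC-10 exception later in this document). The following Python is an added example, not code from the original skill or any GRC product. The conflict pairs are taken from the matrix above; the user assignments, compensating-control register, journal entries and the `$50K` threshold are constructed sample data, and function and field names are this example's own assumptions.

```python
"""Segregation-of-duties checks over role assignments and journal entries.

Added example (not part of the original document). The conflict matrix
mirrors the page's SoD table; all users, entries and control IDs below
are constructed sample data.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Conflicting function pairs from the page's SoD matrix, plus the
# vendor-creation / payment-approval conflict from its resolution example.
# Stored as frozensets so the order in which a user holds them is irrelevant.
SOD_CONFLICTS: Dict[FrozenSet[str], str] = {
    frozenset({"order_entry", "pricing_approval"}): "System control (RTC-01)",
    frozenset({"billing", "cash_application"}): "SoD review quarterly",
    frozenset({"ar_writeoff_approval", "ar_collections"}): "Dual approval required",
    frozenset({"je_creation", "je_approval"}): "Four-eyes principle",
    frozenset({"system_admin", "data_access"}): "Quarterly access review",
    frozenset({"purchase_creation", "vendor_payment"}): "AP automation with approval",
    frozenset({"inventory_receive", "inventory_adjustment"}): "Warehouse supervisor review",
    frozenset({"vendor_master_create", "payment_approval"}): "AP-11 (Management review)",
}


@dataclass(frozen=True)
class SodFinding:
    user: str
    functions: Tuple[str, str]          # the conflicting pair, sorted
    expected_mitigation: str            # mitigation the matrix prescribes
    compensating_control: Optional[str] # control ID documented for this user
    status: str                         # "MITIGATED" or "UNMITIGATED"


def find_sod_conflicts(
    assignments: Dict[str, Set[str]],
    compensating_controls: Dict[Tuple[str, FrozenSet[str]], str],
) -> List[SodFinding]:
    """Static check: flag every user holding a conflicting pair of functions.

    A conflict counts as MITIGATED only when a compensating control is
    registered for that specific user and pair (the page's AP-11 pattern).
    """
    findings: List[SodFinding] = []
    for user, funcs in sorted(assignments.items()):
        for a, b in combinations(sorted(funcs), 2):
            pair = frozenset({a, b})
            if pair not in SOD_CONFLICTS:
                continue
            control = compensating_controls.get((user, pair))
            findings.append(SodFinding(
                user=user,
                functions=(a, b),
                expected_mitigation=SOD_CONFLICTS[pair],
                compensating_control=control,
                status="MITIGATED" if control else "UNMITIGATED",
            ))
    return findings


def four_eyes_violations(entries: List[dict], threshold: float = 50_000) -> List[Tuple[str, str]]:
    """Transactional check: entries above the threshold need a second approver.

    Returns (entry_id, reason) for self-approved or unapproved entries.
    """
    violations: List[Tuple[str, str]] = []
    for e in entries:
        if e["amount"] <= threshold:
            continue  # below the four-eyes threshold, single approval suffices
        if e["approved_by"] is None:
            violations.append((e["id"], "missing approval"))
        elif e["approved_by"] == e["created_by"]:
            violations.append((e["id"], "self-approval"))
    return violations


# Constructed sample data (assumptions, not from the page).
ASSIGNMENTS = {
    "alice": {"order_entry", "billing"},                       # no conflict
    "bob": {"je_creation", "je_approval"},                     # conflict, no compensating control
    "carol": {"vendor_master_create", "payment_approval"},     # conflict, covered by AP-11
    "dave": {"system_admin"},
}
COMPENSATING = {
    ("carol", frozenset({"vendor_master_create", "payment_approval"})): "AP-11",
}
JOURNAL_ENTRIES = [
    {"id": "JE-1001", "amount": 75_000, "created_by": "controller", "approved_by": "controller"},
    {"id": "JE-1002", "amount": 20_000, "created_by": "rev_acct", "approved_by": "controller"},
    {"id": "JE-1003", "amount": 60_000, "created_by": "rev_acct", "approved_by": None},
]

if __name__ == "__main__":
    for f in find_sod_conflicts(ASSIGNMENTS, COMPENSATING):
        print(f"{f.user}: {f.functions} -> {f.status} (expected: {f.expected_mitigation})")
    for entry_id, reason in four_eyes_violations(JOURNAL_ENTRIES):
        print(f"{entry_id}: {reason}")
```

Running the check over an access export from the ERP rather than the hand-built dictionary is the quarterly "SoD review" the matrix calls for; an UNMITIGATED finding is the signal to either split the user IDs or register a compensating control with its own control ID, and the four-eyes list is the sample an RTC-10 tester would pull.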

### 3. Control Testing

```
CONTROL TESTING PROGRAM — SOX FY 2024
═══════════════════════════════════════

TEST TYPES:
═══════════════════════════════════════

Test Type             Description            Sample Size    Frequency
──────────────────────────────────────────────────────────────────────
Design Effectiveness   Does control exist     100%           Annual
  (DE)                 and is designed properly
Operating Effectiveness Is control working     Per below     Annual
  (OE)                 as designed throughout
                       the period

SAMPLE SIZES (OE Testing):
═══════════════════════════════════════

Control Frequency    Sample Size    Population        Test Period
───────────────────────────────────────────────────────────────────────
Real-time (each tx)    60           All transactions   Full year
Monthly                24           12 months           Full year
Quarterly              12           4 quarters          Full year
Annual                  1           1 year              Full year

CONTROL TESTING RESULTS — Q4 2024:
═══════════════════════════════════════

Control ID    Test Type   Sample   Passed    Failed   Exception    Status
────────────────────────────────────────────────────────────────────────────
RTC-01        DE/OE       60       60        0        —            OPERATING ✓
RTC-02        DE/OE       60       58        2        3.3%         DEFICIENT ⚠
RTC-03        DE/OE       24       24        0        —            OPERATING ✓
RTC-04        DE/OE       60       60        0        —            OPERATING ✓
RTC-05        DE/OE       12       12        0        —            OPERATING ✓
RTC-06        DE/OE       12       10        2        16.7%        DEFICIENT ⚠
RTC-07        DE/OE       60       60        0        —            OPERATING ✓
RTC-08        DE/OE       12       12        0        —            OPERATING ✓
RTC-09        DE/OE       4        4         0        —            OPERATING ✓
RTC-10        DE/OE       12       11        1        8.3%         DEFICIENT ⚠

DEFICIENCY ASSESSMENT:
═══════════════════════════════════════

RTC-02 (Credit limit check):
  → 2 exceptions: Orders processed without credit check (system override)
  → Root cause: Emergency orders bypassed credit check without proper approval
  → Assessment: SIGNIFICANT DEFICIENCY (not material weakness)
  → Remediation: System enhancement to prevent bypass (Q1 2025)

RTC-06 (AR aging review):
  → 2 exceptions: Aging reviews not performed for 2 months
  → Root cause: Collections manager leave without coverage
  → Assessment: CONTROL DEFICIENCY
  → Remediation: Backup coverage process established (complete)

RTC-10 (Journal entry approval):
  → 1 exception: $75K adjustment approved by same person who created
  → Root cause: Controller approved own entry (SoD conflict)
  → Assessment: SIGNIFICANT DEFICIENCY
  → Remediation: System SoD rule implemented (Q1 2025)
```

### 4. Deficiency Classification & Remediation

```
DEFICIENCY CLASSIFICATION FRAMEWORK
═══════════════════════════════════════

Level                Definition                              Action Required
───────────────────────────────────────────────────────────────────────────────
Control Deficiency    Control does not operate as designed    Remediate; report
                                                  to management

Significant           Deficiency (or combination) that merits    Remediate; report
Deficiency (SD)       attention by those responsible for         to audit committee;
                      ICFR                                       disclose if needed

Material Weakness     Reasonable possibility that material       Remediate urgently;
  (MW)                misstatement will not be prevented/         disclose in proxy
                      detected; audit opinion impacted             and 10-K; restatement
                                                  possible

REMEDIATION PLAN:
═══════════════════════════════════════

Deficiency: RTC-02 (Credit check system override)
Classification: Significant Deficiency
Target remediation date: March 31, 2025

Remediation Steps:
═══════════════════════════════════════

Step    Action                            Owner        Target Date    Status
─────────────────────────────────────────────────────────────────────────────
1       Identify root cause               IT/Finance   Nov 15, 2024   COMPLETE ✓
2       Design system enhancement         IT           Dec 15, 2024   IN PROGRESS
3       Develop system fix                IT Dev       Jan 15, 2025   PLANNED
4       Test enhancement (UAT)            QA           Feb 15, 2025   PLANNED
5       Deploy to production              IT Ops       Mar 1, 2025    PLANNED
6       Operational testing (1 month)     Process Owner Mar 31, 2025  PLANNED
7       Management attestation            Controller   Apr 15, 2025   PLANNED

MONITORING:
  → Weekly status updates during remediation
  → Monthly reporting to audit committee
  → Interim testing at Step 6 to confirm operating effectiveness
```

### 5. Internal Audit & Governance Reporting

```
INTERNAL AUDIT PLAN — FY 2025
═══════════════════════════════════════

Risk-Based Audit Plan:
═══════════════════════════════════════

Audit Area               Risk Rating  FY2025 Priority  Scope                 Timeline  Resources
────────────────────────────────────────────────────────────────────────────────────────────────
Revenue Recognition      HIGH         1                ASC 606 compliance    Q1        2 staff × 6 weeks
Journal Entry Controls   HIGH         2                JE testing, SoD       Q1        1 staff × 4 weeks
IT General Controls      HIGH         3                Access, change, ops   Q2        2 staff × 8 weeks
Financial Close Process  MEDIUM       4                Close timeline, rev   Q2        1 staff × 4 weeks
Expense Management       MEDIUM       5                Policy compliance     Q3        1 staff × 3 weeks
Fixed Assets             LOW          6                Physical inventory    Q3        1 staff × 2 weeks
Tax Compliance           HIGH         7                Transfer pricing      Q4        2 staff × 6 weeks
Cybersecurity            HIGH         8                SOC 2, access         Q4        1 staff × 4 weeks

AUDIT COMMITTEE REPORTING:
═══════════════════════════════════════

Quarterly Report Contents:
═══════════════════════════════════════

1. ICFR Status
  → Controls tested: 150 of 180 (83%)
  → Controls operating effectively: 142 (94.7%)
  → Deficiencies identified: 8 (5.3%)
    ■ Material weaknesses: 0
    ■ Significant deficiencies: 3
    ■ Control deficiencies: 5

2. Remediation Progress
  → Open deficiencies: 8
  → Remediation on track: 6
  → Remediation at risk: 2
  → Expected closure: 100% by Q2 2025

3. Audit Plan Progress
  → Audits completed: 3 of 8
  → Findings: 12 (2 high, 5 medium, 5 low)
  → Management acceptance rate: 100%

4. External Audit Coordination
  → External audit scope: Confirmed
  → SOX testing overlap: 40% of controls
  → Draft management letter findings: Under review
```

## Edge Cases

- **Sarbanes-Oxley Section 404**: Requires management assessment AND auditor attestation
- **Smaller reporting companies**: May use reduced scope (targeted approach)
- **Non-U.S. companies**: May use COSO, ISO 31000, or local frameworks
- **Emerging companies (pre-SOX)**: Implement controls in preparation for IPO
- **Acquired companies**: Integrate into control framework; assess inherited deficiencies

## Integration Points

- **GRC platforms**: AuditBoard, MetricStream, SAI360 (control management)
- **ERP**: Oracle, SAP (embedded controls, workflow approvals)
- **ITGC systems**: ServiceNow, Archer (access management, change management)
- **Audit management**: Workiva, TeamMate (audit planning, testing)
- **Reporting**: SEC EDGAR, board portals (disclosure)
- **HR systems**: Access provisioning, termination workflows

## Output

### Controls Summary

```
INTERNAL CONTROLS REPORT — Q4 2024
═══════════════════════════════════════

Overall ICFR status: EFFECTIVE (no material weaknesses)

Controls tested: 150/180 (83%)
Operating effectively: 142/150 (94.7%)

Open deficiencies: 8
  → Material weaknesses: 0
  → Significant deficiencies: 3 (remediation by Q2 2025)
  → Control deficiencies: 5 (remediation in progress)

Next steps:
  → Complete system enhancements for RTC-02 and RTC-10
  → Deploy IT SoD rules (Q1 2025)
  → Conduct interim testing before year-end
```
