Finance AI Skill
Internal Controls
Manage internal controls including SOX compliance, control design and testing, segregation of duties, financial close controls, access management, and audit readiness. Use when designing or testing internal controls, managing SOX compliance, performing cont...
Internal Controls & Compliance
Ensure financial integrity through robust internal controls, SOX compliance, and audit readiness.
Control Framework
COSO-Based Control Architecture
INTERNAL CONTROL FRAMEWORK — COSO 2013
════════════════════════════════════════
COMPONENTS & IMPLEMENTATION:
1. CONTROL ENVIRONMENT (Tone at the Top):
✓ Code of Conduct (100% acknowledgment)
✓ Organizational structure (clear reporting lines)
✓ Authority and responsibility (delegation matrix)
✓ Commitment to competence (training, hiring standards)
✓ Board oversight (Audit Committee, independent directors)
✓ HR policies (performance evaluation aligned to controls)
2. RISK ASSESSMENT:
✓ Enterprise risk register (10 tracked risks)
✓ Financial risk assessment (quarterly)
✓ Control environment risk (annual)
✓ Fraud risk assessment (annual)
✓ IT general controls assessment (semi-annual)
3. CONTROL ACTIVITIES:
✓ Preventive controls (system configurations, approvals)
✓ Detective controls (reconciliations, exception reports)
✓ IT general controls (access, change, operations)
✓ IT application controls (input, processing, output)
✓ Manual controls (management review, analysis)
✓ Entity-level controls (ELCs)
4. INFORMATION & COMMUNICATION:
✓ Financial reporting processes (documented)
✓ Control self-assessment (annual)
✓ Issue reporting channels (ethics hotline, escalation)
✓ External communication (auditor engagement, board)
5. MONITORING:
✓ Continuous monitoring (automated controls testing)
✓ Internal audit (annual plan, 8 engagements/year)
✓ Management assessment (quarterly control review)
✓ External audit coordination (annual)
✓ Remediation tracking (issue management)
CONTROL TAXONOMY:
Total controls: 125 (FY2024)
By type:
IT General Controls (ITGC): 35
IT Application Controls: 25
Financial transaction controls: 30
Entity-level controls: 15
Manual/detective controls: 20
By frequency:
Automated (continuous): 45
Quarterly: 35
Monthly: 25
Annual: 20
By criticality:
Key controls (tested annually): 45
Sub-key controls (tested annually): 50
Other controls (sampled): 30
CONTROL DESIGN DOCUMENTATION:
Each control documented with:
- Control ID and description
- Process owner and control owner
- Control type (preventive/detective, IT/manual, key/sub-key)
- Frequency (continuous, quarterly, monthly, annual)
- Risk addressed
- Testing procedure (design + operating effectiveness)
- Evidence requirements
- Last tested date and result
- Deficiency status (if any)
SOX Compliance
SOX 404 Compliance Program
SOX 404 COMPLIANCE PROGRAM:
════════════════════════════
SCOPE:
In-scope entities: 3 (US parent, EU subsidiary, Singapore subsidiary)
In-scope processes: 8
1. Revenue Recognition
2. Payroll Processing
3. Procurement & AP
4. Fixed Assets
5. Cash & Banking
6. Financial Close & Reporting
7. Tax
8. Equity & Capital Transactions
Materiality thresholds:
Revenue: $19.6M (5% of total revenue)
EBITDA: $2.1M (5% of total EBITDA)
Assets: $8.4M (5% of total assets)
SOX COMPLIANCE CALENDAR:
Phase 1: Risk & Control Self-Assessment (RCSA)
Timeline: July - August (ongoing)
Activities:
- Identify significant accounts and disclosures
- Trace to key transactions and processes
- Identify and document key controls
- Assess control design effectiveness
Phase 2: Operating Effectiveness Testing
Timeline: September - November
Activities:
- Test operating effectiveness (sample-based)
- Document evidence (screenshots, logs, approvals)
- Remediate deficiencies found
- Retest remediated controls
Phase 3: Management Assessment
Timeline: December
Activities:
- Aggregate test results
- Assess deficiencies (material weakness, significant deficiency)
- Management certification
- Internal audit report
Phase 4: External Audit
Timeline: January - March
Activities:
- External auditor testing (parallel or rely on management)
- Audit findings discussion
- Management response
- Audit opinion
SOX TESTING RESULTS — FY2024:
Controls tested: 45 (key controls)
✓ Passed (no exceptions): 42 (93.3%)
⚠ Passed with exceptions (remediated): 3 (6.7%)
✗ Failed: 0 (0%)
Deficiencies identified:
Material weakness: 0
Significant deficiency: 0
Other deficiencies: 3 (all remediated within 60 days)
Deficiency details:
D-001: Incomplete bank reconciliation documentation
Root cause: Process knowledge gap (new controller)
Remediation: Additional training + checklist implementation
Status: ✓ Remediated (October 2024)
Retest: ✓ Passed
D-002: Access review overdue for ERP system
Root cause: Scheduling conflict (IT resource constraints)
Remediation: Automated access review implementation
Status: ✓ Remediated (November 2024)
Retest: ✓ Passed
D-003: Revenue recognition cutoff error (1 transaction)
Root cause: Manual entry timing (end-of-quarter)
Remediation: System automation (auto-cutoff at period close)
Status: ✓ Remediated (December 2024)
Retest: N/A (implemented for FY2025)
External audit opinion: ✓ UNQUALIFIED (clean)
No material weaknesses: ✓ Confirmed
Internal control over financial reporting (ICFR): EFFECTIVE
Segregation of Duties
SoD Matrix & Conflict Resolution
SEGREGATION OF DUTIES (SoD) MATRIX:
════════════════════════════════════
CRITICAL SoD PAIRS:
┌────────────────────────┬──────────────────────┬──────────────────────┐
│ Role A                 │ Role B               │ Risk if combined     │
├────────────────────────┼──────────────────────┼──────────────────────┤
│ Initiate payment       │ Approve payment      │ Unauthorized         │
│ (AP clerk)             │ (Finance manager)    │ disbursement         │
├────────────────────────┼──────────────────────┼──────────────────────┤
│ Create vendor          │ Process payment to   │ Fraudulent vendors,  │
│ master record          │ vendor               │ phantom payments     │
│ (AP clerk)             │ (AP clerk)           │                      │
├────────────────────────┼──────────────────────┼──────────────────────┤
│ Process payroll        │ Approve payroll      │ Unauthorized salary  │
│ (Payroll specialist)   │ (HR manager)         │ changes, ghost       │
│                        │                      │ employees            │
├────────────────────────┼──────────────────────┼──────────────────────┤
│ Record journal entries │ Review/approve JE    │ Financial            │
│ (Accountant)           │ (Controller)         │ misstatement         │
├────────────────────────┼──────────────────────┼──────────────────────┤
│ Custody of assets      │ Record asset         │ Asset theft,         │
│ (Facilities)           │ transactions         │ concealment          │
│                        │ (Accountant)         │                      │
├────────────────────────┼──────────────────────┼──────────────────────┤
│ System admin access    │ Transaction entry    │ Unauthorized system  │
│ (IT admin)             │ (Business users)     │ changes, data        │
│                        │                      │ manipulation         │
├────────────────────────┼──────────────────────┼──────────────────────┤
│ Sales order entry      │ Credit limit override│ Revenue recognition  │
│ (Sales ops)            │ (Finance)            │ manipulation         │
├────────────────────────┼──────────────────────┼──────────────────────┤
│ Receive cash           │ Record cash receipt  │ Cash theft,          │
│ (Treasury)             │ (Accounting)         │ lapping              │
└────────────────────────┴──────────────────────┴──────────────────────┘
CURRENT SoD ANALYSIS:
System: NetSuite ERP + role-based access
Total roles: 48 (unique combinations)
Users: 542 (employees with system access)
SoD conflicts identified: 5
Conflict resolution:
C-001: AP Manager can create vendors AND approve payments
Severity: HIGH
Resolution: Split role (AP Clerk + AP Manager)
Status: ✓ Resolved (January 2025)
C-002: Payroll analyst can process payroll AND approve changes
Severity: HIGH
Resolution: Add mandatory dual approval for payroll changes
Status: ✓ Resolved (December 2024)
C-003: 3 users have ERP super-user access (IT admins)
Severity: MEDIUM (mitigated by monitoring)
Resolution: Compensating control — daily activity log review
Status: ✓ Mitigated (compensating control documented)
C-004: Finance Director can record AND review JEs (small entity)
Severity: MEDIUM (mitigated by management override)
Resolution: CFO quarterly review of all JEs
Status: ✓ Mitigated (management review control)
C-005: 2 contractors with excessive access (legacy roles)
Severity: LOW (offboarded)
Resolution: Access revoked
Status: ✓ Resolved (January 2025)
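Added example, not part of this skill page: a Python SoD checker that encodes the critical pairs from the matrix above as capabilities rather than job titles, so a conflict is detected whenever one user ends up holding both sides across any combination of roles (the pattern behind C-001), and that also catches a role that is conflicting by itself. The role definitions, user assignments and the accepted mitigation are constructed; they are not NetSuite's roles or this company's real user list.

```python
# Critical SoD pairs from the matrix above, keyed by capability. A conflict
# exists whenever ONE user holds both capabilities, whichever roles grant them.
SOD_CONFLICTS = {
    frozenset({"initiate_payment", "approve_payment"}): "Unauthorized disbursement",
    frozenset({"create_vendor", "process_vendor_payment"}): "Fraudulent vendors, phantom payments",
    frozenset({"process_payroll", "approve_payroll"}): "Unauthorized salary changes, ghost employees",
    frozenset({"record_je", "approve_je"}): "Financial misstatement",
    frozenset({"asset_custody", "record_asset"}): "Asset theft, concealment",
    frozenset({"system_admin", "transaction_entry"}): "Unauthorized system changes, data manipulation",
    frozenset({"sales_order_entry", "credit_limit_override"}): "Revenue recognition manipulation",
    frozenset({"receive_cash", "record_cash_receipt"}): "Cash theft, lapping",
}

# Constructed role definitions (not real ERP roles): role -> capabilities.
ROLE_CAPABILITIES = {
    "AP Clerk": {"create_vendor", "initiate_payment"},
    "AP Manager": {"approve_payment", "process_vendor_payment"},
    "Payroll Specialist": {"process_payroll"},
    "HR Manager": {"approve_payroll"},
    "Accountant": {"record_je", "record_asset", "record_cash_receipt", "transaction_entry"},
    "Controller": {"approve_je"},
    "IT Admin": {"system_admin"},
    "Treasury": {"receive_cash"},
    "Legacy Finance Admin": {"record_je", "approve_je"},   # conflicting by design
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "u100": {"AP Clerk", "AP Manager"},     # same pattern as C-001 above
    "u101": {"Accountant", "Controller"},   # records and approves JEs
    "u102": {"IT Admin", "Accountant"},     # super-user who also posts transactions
    "u103": {"AP Clerk"},
    "u104": {"Treasury"},
}

# Conflicts accepted with a documented compensating control (cf. C-003 above):
# user -> set of conflict pairs that are mitigated rather than removed.
MITIGATIONS = {
    "u102": {frozenset({"system_admin", "transaction_entry"})},   # daily activity log review
}


def effective_capabilities(roles: set[str]) -> set[str]:
    """Union of capabilities across every role the user holds."""
    caps: set[str] = set()
    for role in roles:
        caps |= ROLE_CAPABILITIES[role]
    return caps


def conflicting_roles() -> list[str]:
    """Roles that contain both sides of a critical pair on their own (design defect)."""
    return sorted(role for role, caps in ROLE_CAPABILITIES.items()
                  if any(pair <= caps for pair in SOD_CONFLICTS))


def find_conflicts(user_roles=USER_ROLES, mitigations=MITIGATIONS) -> list[dict]:
    """Per-user SoD findings, each marked OPEN or MITIGATED."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        caps = effective_capabilities(roles)
        for pair, risk in SOD_CONFLICTS.items():
            if pair <= caps:
                status = "MITIGATED" if pair in mitigations.get(user, set()) else "OPEN"
                findings.append({"user": user, "conflict": tuple(sorted(pair)),
                                 "risk": risk, "status": status})
    return findings


def open_conflicts(findings: list[dict]) -> list[dict]:
    """Findings that still need a role split or a compensating control."""
    return [f for f in findings if f["status"] == "OPEN"]


if __name__ == "__main__":
    print("roles with built-in conflicts:", conflicting_roles())
    for f in find_conflicts():
        print(f"{f['user']}: {f['conflict']} -> {f['risk']} [{f['status']}]")
```

Checking at the capability level rather than the role-name level matters because a user with two individually clean roles (AP Clerk plus AP Manager in the sample) still ends up with both halves of a critical pair; a mitigated pair is reported but not counted as open, which mirrors how C-003 and C-004 above are tracked.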
ACCESS MANAGEMENT:
User provisioning:
New hire: HRIS-triggered access request (48-hour provisioning)
Role change: Manager-initiated + HR approval
Termination: Immediate access revocation (automated)
Access review:
Frequency: Quarterly (all users) + Annual (comprehensive)
Scope: ERP, financial systems, sensitive data
Method: Manager certification + automated review
Last review: Q4 2024 — 98% certified, 2% escalated
Privileged access:
Admin accounts: 5 (IT team) — MFA required, session recording
Root access: 2 (IT Director, CTO) — approval required per use
Service accounts: 12 — reviewed quarterly, password rotation quarterly
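Added example, not part of this skill page: a Python access review that joins a system account export against an HRIS status extract and applies the rules stated above (termination means immediate revocation, privileged accounts require MFA, service account passwords rotate quarterly, every user account needs a manager certification). The account records, HRIS extract, review date and the 92-day rotation window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ROTATION_MAX_DAYS = 92            # "password rotation quarterly" (assumed as 92 days)
REVIEW_DATE = date(2025, 1, 31)   # constructed review date


@dataclass
class Account:
    account_id: str
    system: str
    owner: Optional[str]                   # HRIS employee ID; None for service accounts
    kind: str                              # "user" | "service"
    privileged: bool = False
    mfa: bool = False
    enabled: bool = True
    manager_certified: bool = False
    last_rotation: Optional[date] = None   # service accounts only


# Constructed HRIS extract: employee ID -> employment status.
HRIS_STATUS = {"e1": "active", "e2": "terminated", "e3": "active",
               "e4": "active", "e5": "terminated"}

# Constructed account export from the ERP and HRIS systems.
ACCOUNTS = [
    Account("erp-e1", "ERP", "e1", "user", mfa=True, manager_certified=True),
    Account("erp-e2", "ERP", "e2", "user", mfa=True),                   # terminated, still enabled
    Account("erp-e3", "ERP", "e3", "user", privileged=True, mfa=False,
            manager_certified=True),                                     # admin without MFA
    Account("hris-e4", "HRIS", "e4", "user", mfa=True),                 # nobody certified it
    Account("erp-e5", "ERP", "e5", "user", enabled=False),              # revoked correctly
    Account("erp-e9", "ERP", "e9", "user", mfa=True, manager_certified=True),   # not in HRIS
    Account("svc-backup", "ERP", None, "service", last_rotation=date(2024, 9, 1)),
    Account("svc-etl", "ERP", None, "service", last_rotation=date(2024, 12, 15)),
]


def review_access(accounts=ACCOUNTS, hris=HRIS_STATUS, today=REVIEW_DATE) -> dict:
    """Flag accounts that violate the provisioning and review rules above."""
    r = {"terminated_active": [], "orphaned": [], "privileged_no_mfa": [],
         "stale_rotation": [], "uncertified": [], "certification_rate": 0.0}
    active_users = [a for a in accounts if a.kind == "user" and a.enabled]
    for a in accounts:
        if not a.enabled:
            continue                       # already revoked: nothing to review
        if a.kind == "user":
            status = hris.get(a.owner)
            if status is None:             # no HRIS record behind the account
                r["orphaned"].append(a.account_id)
            elif status == "terminated":   # revocation should have been automatic
                r["terminated_active"].append(a.account_id)
            if not a.manager_certified:    # escalate per the review process
                r["uncertified"].append(a.account_id)
        elif a.kind == "service":
            if (a.last_rotation is None
                    or today - a.last_rotation > timedelta(days=ROTATION_MAX_DAYS)):
                r["stale_rotation"].append(a.account_id)
        if a.privileged and not a.mfa:
            r["privileged_no_mfa"].append(a.account_id)
    certified = sum(1 for a in active_users if a.manager_certified)
    r["certification_rate"] = round(certified / len(active_users), 3) if active_users else 1.0
    return r


if __name__ == "__main__":
    for section, value in review_access().items():
        print(f"{section}: {value}")
```

The certification rate is computed over enabled user accounts only, so a correctly revoked leaver (erp-e5 in the sample) neither inflates nor drags the figure; an account whose owner is absent from HRIS is reported separately from a terminated owner because the two need different remediation (identify the owner versus revoke immediately).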
Audit Readiness & Management
Internal Audit Program
INTERNAL AUDIT PLAN — FY2025
═════════════════════════════
AUDIT SCOPE & ENGAGEMENTS:
Planned engagements: 8
1. Revenue Recognition (Q1)
Scope: Contract review, billing accuracy, revenue timing
Risk rating: HIGH
Resources: 2 staff auditors, 6 weeks
2. IT General Controls (Q1)
Scope: Access management, change management, operations
Risk rating: HIGH
Resources: 2 staff auditors + external IT specialist, 8 weeks
3. Procurement & AP (Q2)
Scope: Vendor management, purchase approval, payment accuracy
Risk rating: MEDIUM-HIGH
Resources: 1 staff auditor, 4 weeks
4. Payroll & Compensation (Q2)
Scope: Payroll accuracy, bonus calculation, equity grants
Risk rating: MEDIUM-HIGH
Resources: 2 staff auditors, 5 weeks
5. Financial Close Process (Q3)
Scope: Close checklist, reconciliation, JE approval
Risk rating: MEDIUM
Resources: 1 staff auditor, 3 weeks
6. Expense Management (Q3)
Scope: Policy compliance, approval workflow, fraud indicators
Risk rating: MEDIUM
Resources: 1 staff auditor, 3 weeks
7. Tax Compliance (Q4)
Scope: Tax provision, filing accuracy, credit management
Risk rating: MEDIUM
Resources: External tax specialist, 4 weeks
8. Cybersecurity & Data Privacy (Q4)
Scope: Security controls, incident response, data protection
Risk rating: HIGH
Resources: External IT/security specialist, 6 weeks
AUDIT METHODOLOGY:
Planning:
- Risk assessment and scoping
- Process walkthroughs
- Control documentation review
- Testing strategy (sample size, methodology)
Fieldwork:
- Control testing (design + operating effectiveness)
- Transaction testing (sample-based)
- Data analytics (full population where possible)
- Evidence documentation (screenshots, interviews, logs)
Reporting:
- Findings documentation (condition, criteria, cause, effect)
- Rating: Critical / Major / Moderate / Minor
- Management action plan (timeline, owner)
- Follow-up (remediation verification)
Quality assurance:
- Internal audit charter (approved by Audit Committee)
- IIA standards compliance
- External quality assessment (triennial — next: 2025)
AUDIT FINDINGS TRACKING:
Open findings: 4 (all Moderate or below)
┌─────┬──────────────────────┬──────────┬──────────────┬────────────────┐
│ ID  │ Finding              │ Rating   │ Owner        │ Target Closure │
├─────┼──────────────────────┼──────────┼──────────────┼────────────────┤
│ F-01│ Incomplete JE        │ Moderate │ Controller   │ Feb 28, 2025   │
│     │ documentation        │          │              │                │
├─────┼──────────────────────┼──────────┼──────────────┼────────────────┤
│ F-02│ Vendor master        │ Moderate │ AP Manager   │ Mar 15, 2025   │
│     │ data quality         │          │              │                │
├─────┼──────────────────────┼──────────┼──────────────┼────────────────┤
│ F-03│ Reconciliation       │ Minor    │ Sr. Account. │ Mar 31, 2025   │
│     │ timing               │          │              │                │
├─────┼──────────────────────┼──────────┼──────────────┼────────────────┤
│ F-04│ Backup testing       │ Minor    │ IT Manager   │ Apr 15, 2025   │
│     │ documentation        │          │              │                │
└─────┴──────────────────────┴──────────┴──────────────┴────────────────┘
All findings on track for remediation
No overdue items
Escalation threshold: 30 days past target → Audit Committee notification
Financial Close Controls
Period-End Close Control Checklist
MONTH-END CLOSE CONTROLS:
═════════════════════════
CLOSE CALENDAR (10 business days):
Day 1-2:
[ ] Sub-ledger close (AP, AR, Fixed Assets, Inventory)
[ ] Bank confirmations received
[ ] Revenue recognition run completed
[ ] Payroll period closed
[ ] Intercompany transactions matched
Day 3-4:
[ ] Accruals calculated and posted (pre-reviewed)
[ ] Journal entries prepared and approved
[ ] Fixed asset depreciation run
[ ] Tax provision calculated
[ ] Foreign currency revaluation
Day 5-6:
[ ] Trial balance review (variance analysis vs. prior month)
[ ] Balance sheet reconciliations completed
[ ] Key account reconciliations (bank, intercompany, AR, AP)
[ ] Revenue/expense variance analysis (>5% or >$50K flagged)
[ ] Management review of financials (preliminary)
Day 7-8:
[ ] Financial statements prepared (P&L, BS, CF)
[ ] Key metrics calculated
[ ] Variance analysis documented (vs. budget, prior period)
[ ] CFO review and sign-off
[ ] Close checklist signed by Controller
Day 9-10:
[ ] External reporting (if applicable)
[ ] Board reporting package prepared
[ ] Close period locked (no prior period adjustments)
[ ] Lessons learned documented
[ ] Continuous improvement identified
KEY CONTROLS IN CLOSE:
Preventive:
- System period controls (auto-lock at close)
- JE approval workflow (dual approval >$10K)
- Accrual templates (pre-approved calculations)
- SoD enforcement (creator ≠ approver)
Detective:
- Balance sheet reconciliation (100% of material accounts)
- Trial balance variance analysis (>5% or >$50K threshold)
- Exception reports (unusual transactions, large entries)
- Controller review (final sign-off)
- External auditor inquiry (quarterly)
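Added example, not part of this skill page: Python implementations of two of the close controls listed above, the preventive JE approval rules (creator ≠ approver, dual approval above $10K, no posting into a locked period) and the detective trial balance variance test (flag movements greater than 5% or greater than $50K). The sample journal entries, locked periods and account balances are constructed; the thresholds are the ones stated on the page.

```python
from dataclasses import dataclass
from datetime import date

DUAL_APPROVAL_THRESHOLD = 10_000   # "JE approval workflow (dual approval >$10K)"
VARIANCE_PCT = 0.05                # "Trial balance variance analysis (>5% ..."
VARIANCE_ABS = 50_000              # "... or >$50K threshold)"


@dataclass
class JournalEntry:
    je_id: str
    amount: int
    period_end: date                  # accounting period the entry posts to
    creator: str
    approvers: tuple[str, ...] = ()


def je_exceptions(entries, locked_periods) -> list[tuple[str, str]]:
    """Preventive checks a JE workflow enforces before an entry can post."""
    out = []
    for je in entries:
        if je.period_end in locked_periods:
            out.append((je.je_id, "posted to locked period"))
        if je.creator in je.approvers:
            out.append((je.je_id, "creator approved own entry"))
        independent = {a for a in je.approvers if a != je.creator}
        required = 2 if je.amount > DUAL_APPROVAL_THRESHOLD else 1
        if len(independent) < required:
            out.append((je.je_id,
                        f"{len(independent)} independent approver(s), {required} required"))
    return out


def variance_flags(balances) -> dict[str, str]:
    """Detective check: accounts whose movement vs prior period exceeds either threshold."""
    flags = {}
    for account, (current, prior) in balances.items():
        delta = current - prior
        if prior == 0:                     # percentage is undefined; new activity is reviewed
            if current != 0:
                flags[account] = "no prior-period balance"
            continue
        pct = abs(delta) / abs(prior)
        if abs(delta) > VARIANCE_ABS or pct > VARIANCE_PCT:
            flags[account] = f"{delta:+,.0f} ({pct:.1%})"
    return flags


# Constructed samples (not this company's ledger).
LOCKED_PERIODS = {date(2024, 11, 30), date(2024, 12, 31)}
JAN = date(2025, 1, 31)
SAMPLE_ENTRIES = [
    JournalEntry("JE-1", 4_000, JAN, "alice", ("bob",)),            # clean
    JournalEntry("JE-2", 25_000, JAN, "alice", ("bob",)),           # needs a second approver
    JournalEntry("JE-3", 12_000, JAN, "carol", ("carol", "dan")),   # self-approval counted out
    JournalEntry("JE-4", 500, JAN, "dan"),                          # never approved
    JournalEntry("JE-5", 2_000, date(2024, 11, 30), "erin", ("frank",)),  # locked period
]
SAMPLE_BALANCES = {                  # account -> (current month, prior month)
    "Revenue": (1_050_000, 1_000_000),   # exactly 5% and exactly $50K: not flagged
    "COGS": (700_000, 640_000),          # both thresholds exceeded
    "Travel": (80_000, 60_000),          # percentage only
    "Rent": (30_000, 30_000),            # unchanged
    "Consulting": (10_000, 0),           # new activity
}

if __name__ == "__main__":
    for je_id, reason in je_exceptions(SAMPLE_ENTRIES, LOCKED_PERIODS):
        print(f"{je_id}: {reason}")
    for account, reason in variance_flags(SAMPLE_BALANCES).items():
        print(f"{account}: {reason}")
```

Two design points: an approver who is also the creator is excluded before counting approvals, so a self-approval is reported and still leaves the entry short of the required count; and the variance rule uses strict comparisons, so a movement of exactly 5% or exactly $50K (Revenue in the sample) is not flagged, matching the ">" wording of the control.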
CLOSE QUALITY METRICS:
On-time close: 96% (past 12 months — target: 98%)
Adjustments after close: 3 (past 12 months — target: 0)
Restatements: 0 (past 24 months)
Reconciliation exceptions: 2 (past 12 months — both resolved within 5 days)
Auditor adjustments: 0 (FY2024 — clean audit)
CONTINUOUS IMPROVEMENT:
Q4 2024 close: 10 days → Q1 2025 target: 9 days
Initiatives:
- Auto-accrual for recurring items (implementation: Q2)
- Close checklist digitization (implementation: Q1)
- Revenue automation (implementation: ongoing)
- Intercompany auto-matching (implementation: Q3)
Output
Internal Controls Dashboard
INTERNAL CONTROLS DASHBOARD — Jan 2025
════════════════════════════════════════
Control Environment:
Total controls: 125 (45 key, 50 sub-key, 30 other)
Test coverage: 45 key controls (100%)
Pass rate: 93.3% (42/45 — 3 exceptions, all remediated)
SOX Compliance:
Status: EFFECTIVE (ICFR — no material weaknesses)
External audit: ✓ Clean opinion
Deficiencies: 3 (all remediated)
Open findings: 4 (all Moderate or below, on track)
Segregation of Duties:
SoD conflicts: 5 (3 resolved, 2 mitigated)
Access review: ✓ Q4 2024 completed (98% certified)
Privileged access: 5 admins (MFA, session recording)
Audit Status:
FY2025 plan: 8 engagements planned
In progress: 0
Completed: 0
Open findings: 4 (remediation on track)
Next engagement: Revenue Recognition (February)
Financial Close:
Last close: January (completed Day 9 — 1 day ahead)
Adjustments post-close: 0
On-time close rate: 96%
Reconciliation exceptions: 0 (current month)
Upcoming:
Feb 1: Revenue Recognition audit start
Feb 15: Q1 access review
Mar 1: SOX RCSA refresh
Apr 1: ITGC audit start
Apr 15: Audit Committee meeting
Integration Points
- ERP (NetSuite, SAP): Embedded controls, approval workflows, SoD configuration
- GRC platforms (AuditBoard, ServiceNow GRC, Diligent): Control documentation, testing, issue tracking
- Access management (Okta, SailPoint): Role-based access, provisioning, access review
- Audit management tools: Audit planning, fieldwork, reporting
- BI platforms: Control dashboards, exception reporting
- Data analytics tools (ACL, IDEA, Tableau): Transaction testing, data analysis
- Document management: Control documentation, evidence storage
- HRIS: Employee data for access provisioning/termination
- Ticketing systems (ServiceNow): Control remediation tracking
- Board portals: Audit Committee reporting
Edge Cases
- Small entity constraints: Limited staff; SoD conflicts unavoidable; compensating controls required
- Rapid growth: New systems, new entities; control expansion keeps pace with growth
- Cloud ERP transition: Control redesign (from legacy to cloud); audit trail continuity; parallel testing
- Multi-entity/multi-currency: Intercompany controls; FX controls; consolidation controls
- Outsourced functions: BPO vendor controls; SLA compliance; shared responsibility model
- Regulatory change: New requirements (e.g., SEC climate rules); control design update
- Fraud detection: Data analytics for anomaly detection; whistleblower management; investigation
- Post-IPO SOX: First-year SOX; Section 302/404; external auditor coordination; investor communication
- M&A integration: Control harmonization; entity scoping; transition risk
- Material weakness identification: Immediate disclosure; remediation plan; investor communication; board notification