---
name: internal-controls
description: Manage internal controls including SOX compliance, control design and testing, segregation of duties, financial close controls, access management, and audit readiness. Use when designing or testing internal controls, managing SOX compliance, performing control assessments, addressing audit findings, or ensuring audit readiness. Triggers on phrases like "internal controls", "SOX compliance", "control testing", "segregation of duties", "SoD matrix", "financial close controls", "audit readiness", "control deficiencies", "material weakness", "key controls", "control framework", "COSO".
---

# Internal Controls & Compliance

Ensure financial integrity through robust internal controls, SOX compliance, and audit readiness.

## Control Framework

### COSO-Based Control Architecture

```
INTERNAL CONTROL FRAMEWORK — COSO 2013
════════════════════════════════════════

COMPONENTS & IMPLEMENTATION:

1. CONTROL ENVIRONMENT (Tone at the Top):
  ✓ Code of Conduct (100% acknowledgment)
  ✓ Organizational structure (clear reporting lines)
  ✓ Authority and responsibility (delegation matrix)
  ✓ Commitment to competence (training, hiring standards)
  ✓ Board oversight (Audit Committee, independent directors)
  ✓ HR policies (performance evaluation aligned to controls)

2. RISK ASSESSMENT:
  ✓ Enterprise risk register (10 tracked risks)
  ✓ Financial risk assessment (quarterly)
  ✓ Control environment risk (annual)
  ✓ Fraud risk assessment (annual)
  ✓ IT general controls assessment (semi-annual)

3. CONTROL ACTIVITIES:
  ✓ Preventive controls (system configurations, approvals)
  ✓ Detective controls (reconciliations, exception reports)
  ✓ IT general controls (access, change, operations)
  ✓ IT application controls (input, processing, output)
  ✓ Manual controls (management review, analysis)
  ✓ Entity-level controls (ELCs)

4. INFORMATION & COMMUNICATION:
  ✓ Financial reporting processes (documented)
  ✓ Control self-assessment (annual)
  ✓ Issue reporting channels (ethics hotline, escalation)
  ✓ External communication (auditor engagement, board)

5. MONITORING:
  ✓ Continuous monitoring (automated controls testing)
  ✓ Internal audit (annual plan, 8 engagements/year)
  ✓ Management assessment (quarterly control review)
  ✓ External audit coordination (annual)
  ✓ Remediation tracking (issue management)

CONTROL TAXONOMY:
  Total controls: 125 (FY2024)
  By type:
    IT General Controls (ITGC): 35
    IT Application Controls: 25
    Financial transaction controls: 30
    Entity-level controls: 15
    Manual/detective controls: 20
  
  By frequency:
    Automated (continuous): 45
    Quarterly: 35
    Monthly: 25
    Annual: 20
  
  By criticality:
    Key controls (tested annually): 45
    Sub-key controls (tested annually): 50
    Other controls (sampled): 30

CONTROL DESIGN DOCUMENTATION:
  Each control documented with:
    - Control ID and description
    - Process owner and control owner
    - Control type (preventive/detective, IT/manual, key/sub-key)
    - Frequency (continuous, quarterly, monthly, annual)
    - Risk addressed
    - Testing procedure (design + operating effectiveness)
    - Evidence requirements
    - Last tested date and result
    - Deficiency status (if any)
```

## SOX Compliance

### SOX 404 Compliance Program

```
SOX 404 COMPLIANCE PROGRAM:
════════════════════════════

SCOPE:
  In-scope entities: 3 (US parent, EU subsidiary, Singapore subsidiary)
  In-scope processes: 8
    1. Revenue Recognition
    2. Payroll Processing
    3. Procurement & AP
    4. Fixed Assets
    5. Cash & Banking
    6. Financial Close & Reporting
    7. Tax
    8. Equity & Capital Transactions

  Materiality thresholds:
    Revenue: $19.6M (5% of total revenue)
    EBITDA: $2.1M (5% of total EBITDA)
    Assets: $8.4M (5% of total assets)

SOX COMPLIANCE CALENDAR:
  Phase 1: Risk & Control Self-Assessment (RCSA)
    Timeline: July - August (ongoing)
    Activities:
      - Identify significant accounts and disclosures
      - Trace to key transactions and processes
      - Identify and document key controls
      - Assess control design effectiveness
  
  Phase 2: Operating Effectiveness Testing
    Timeline: September - November
    Activities:
      - Test operating effectiveness (sample-based)
      - Document evidence (screenshots, logs, approvals)
      - Remediate deficiencies found
      - Retest remediated controls
  
  Phase 3: Management Assessment
    Timeline: December
    Activities:
      - Aggregate test results
      - Assess deficiencies (material weakness, significant deficiency)
      - Management certification
      - Internal audit report
  
  Phase 4: External Audit
    Timeline: January - March
    Activities:
      - External auditor testing (the auditor's own testing, relying on management's testing only where the auditing standards permit)
      - Audit findings discussion
      - Management response
      - Audit opinion

SOX TESTING RESULTS — FY2024:
  Controls tested: 45 (key controls)
  ✓ Passed (no exceptions): 42 (93.3%)
  ⚠ Passed with exceptions (remediated): 3 (6.7%)
  ✗ Failed: 0 (0%)
  
  Deficiencies identified:
    Material weakness: 0
    Significant deficiency: 0
    Other deficiencies: 3 (all remediated within 60 days)
  
  Deficiency details:
    D-001: Incomplete bank reconciliation documentation
      Root cause: Process knowledge gap (new controller)
      Remediation: Additional training + checklist implementation
      Status: ✓ Remediated (October 2024)
      Retest: ✓ Passed
  
    D-002: Access review overdue for ERP system
      Root cause: Scheduling conflict (IT resource constraints)
      Remediation: Automated access review implementation
      Status: ✓ Remediated (November 2024)
      Retest: ✓ Passed
  
    D-003: Revenue recognition cutoff error (1 transaction)
      Root cause: Manual entry timing (end-of-quarter)
      Remediation: System automation (auto-cutoff at period close)
      Status: ✓ Remediated (December 2024)
      Retest: Deferred (automated control live from FY2025; first operating-effectiveness test in the FY2025 cycle)

  External audit opinion: ✓ UNQUALIFIED (clean)
  No material weaknesses: ✓ Confirmed
  Internal control over financial reporting (ICFR): EFFECTIVE
```

## Segregation of Duties

### SoD Matrix & Conflict Resolution

```
SEGREGATION OF DUTIES (SoD) MATRIX:
════════════════════════════════════

CRITICAL SoD PAIRS:
  ┌────────────────────────┬──────────────────────┬──────────────────────┐
  │ Role A                 │ Role B               │ Risk if combined     │
  ├────────────────────────┼──────────────────────┼──────────────────────┤
  │ Initiate payment       │ Approve payment      │ Unauthorized         │
  │ (AP clerk)             │ (Finance manager)    │ disbursement         │
  ├────────────────────────┼──────────────────────┼──────────────────────┤
  │ Create vendor          │ Process payment to   │ Fraudulent vendors,  │
  │ master record          │ vendor               │ phantom payments     │
  │ (AP clerk)             │ (AP clerk)           │                      │
  ├────────────────────────┼──────────────────────┼──────────────────────┤
  │ Process payroll        │ Approve payroll      │ Unauthorized salary  │
  │ (Payroll specialist)   │ (HR manager)         │ changes, ghost       │
  │                        │                      │ employees            │
  ├────────────────────────┼──────────────────────┼──────────────────────┤
  │ Record journal entries │ Review/approve JE    │ Financial            │
  │ (Accountant)           │ (Controller)         │ misstatement         │
  ├────────────────────────┼──────────────────────┼──────────────────────┤
  │ Custody of assets      │ Record asset         │ Asset theft,         │
  │ (Facilities)           │ transactions         │ concealment          │
  │                        │ (Accountant)         │                      │
  ├────────────────────────┼──────────────────────┼──────────────────────┤
  │ System admin access    │ Transaction entry    │ Unauthorized system  │
  │ (IT admin)             │ (Business users)     │ changes, data        │
  │                        │                      │ manipulation         │
  ├────────────────────────┼──────────────────────┼──────────────────────┤
  │ Sales order entry      │ Credit limit override│ Revenue recognition  │
  │ (Sales ops)            │ (Finance)            │ manipulation         │
  ├────────────────────────┼──────────────────────┼──────────────────────┤
  │ Receive cash           │ Record cash receipt  │ Cash theft,          │
  │ (Treasury)             │ (Accounting)         │ lapping              │
  └────────────────────────┴──────────────────────┴──────────────────────┘

CURRENT SoD ANALYSIS:
  System: NetSuite ERP + role-based access
  Total roles: 48 (unique combinations)
  Users: 542 (employees with system access)
  SoD conflicts identified: 5
  
  Conflict resolution:
    C-001: AP Manager can create vendors AND approve payments
      Severity: HIGH
      Resolution: Split role (AP Clerk + AP Manager)
      Status: ✓ Resolved (January 2025)
    
    C-002: Payroll analyst can process payroll AND approve changes
      Severity: HIGH
      Resolution: Add mandatory dual approval for payroll changes
      Status: ✓ Resolved (December 2024)
    
    C-003: 3 users have ERP super-user access (IT admins)
      Severity: MEDIUM (mitigated by monitoring)
      Resolution: Compensating control — daily super-user activity log review by a reviewer outside the IT admin group
      Status: ✓ Mitigated (compensating control documented)
    
    C-004: Finance Director can record AND review JEs (small entity)
      Severity: MEDIUM (mitigated by management review)
      Resolution: CFO quarterly review of all JEs
      Status: ✓ Mitigated (management review control)
    
    C-005: 2 contractors with excessive access (legacy roles)
      Severity: LOW (offboarded)
      Resolution: Access revoked
      Status: ✓ Resolved (January 2025)

ACCESS MANAGEMENT:
  User provisioning:
    New hire: HRIS-triggered access request (48-hour provisioning)
    Role change: Manager-initiated + HR approval
    Termination: Immediate access revocation (automated)
  
  Access review:
    Frequency: Quarterly (all users) + Annual (comprehensive)
    Scope: ERP, financial systems, sensitive data
    Method: Manager certification + automated review
    Last review: Q4 2024 — 98% certified, 2% escalated
  
  Privileged access:
    Admin accounts: 5 (IT team) — MFA required, session recording
    Root access: 2 (IT Director, CTO) — approval required per use
    Service accounts: 12 — reviewed quarterly, password rotation quarterly
```
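The SoD analysis and access review above can be run as code rather than by hand. The following is an added example, not code from the original page or from NetSuite: it evaluates the conflict pairs from the SoD matrix against each user's effective permissions (the union of all their roles, so a conflict produced only by combining two individually clean roles is still caught), marks conflicts that have a documented compensating control, and reconciles ERP users against an HRIS extract to catch terminated or orphaned accounts. All role names, user names and HRIS records are constructed for the example.

```python
"""Added example, not from the original page: SoD conflict detection and an
access-review reconciliation over constructed, hypothetical role data."""

# Permission-level conflict pairs taken from the SoD matrix above.
SOD_PAIRS = [
    ("initiate_payment", "approve_payment", "Unauthorized disbursement"),
    ("create_vendor", "process_payment", "Fraudulent vendors, phantom payments"),
    ("process_payroll", "approve_payroll", "Unauthorized salary changes, ghost employees"),
    ("record_je", "approve_je", "Financial misstatement"),
    ("asset_custody", "record_asset", "Asset theft, concealment"),
    ("system_admin", "transaction_entry", "Unauthorized system changes, data manipulation"),
    ("sales_order_entry", "credit_limit_override", "Revenue recognition manipulation"),
    ("receive_cash", "record_cash_receipt", "Cash theft, lapping"),
]

# Hypothetical role -> permission mapping (constructed, not NetSuite's real roles).
ROLES = {
    "AP Clerk": {"create_vendor", "initiate_payment"},
    "AP Manager": {"approve_payment", "process_payment"},
    "Payroll Specialist": {"process_payroll"},
    "Accountant": {"record_je", "record_asset"},
    "Controller": {"approve_je"},
    "ERP Super User": {"system_admin", "transaction_entry"},
}

# Constructed user -> role assignments. a.patel mirrors conflict C-001 (vendor
# creation + payment approval), it.admin1 mirrors C-003, r.khan mirrors C-004.
USERS = {
    "a.patel": ["AP Clerk", "AP Manager"],
    "j.lee": ["Payroll Specialist"],
    "m.ortiz": ["Accountant"],
    "it.admin1": ["ERP Super User"],
    "r.khan": ["Accountant", "Controller"],
    "x.contractor": ["AP Manager"],
}

# Documented compensating controls, keyed by (user, perm_a, perm_b).
MITIGATIONS = {
    ("it.admin1", "system_admin", "transaction_entry"):
        "Daily super-user activity log review by Finance (outside IT)",
}

# Constructed HRIS extract used to reconcile ERP access; x.contractor has no record.
HRIS = {"a.patel": "active", "j.lee": "active", "m.ortiz": "terminated",
        "it.admin1": "active", "r.khan": "active"}


def effective_permissions(user_roles, roles=ROLES):
    """Union of permissions across a user's roles, each tagged with the granting roles."""
    perms = {}
    for role in user_roles:
        for perm in roles.get(role, ()):
            perms.setdefault(perm, set()).add(role)
    return perms


def sod_conflicts(users=USERS, roles=ROLES, pairs=SOD_PAIRS, mitigations=MITIGATIONS):
    """Flag every user whose effective permissions contain a forbidden pair.
    Evaluated on permissions rather than role names, so a conflict created only
    by combining two individually clean roles is still caught."""
    findings = []
    for user, user_roles in users.items():
        perms = effective_permissions(user_roles, roles)
        for a, b, risk in pairs:
            if a in perms and b in perms:
                key = (user, a, b)
                findings.append({
                    "user": user, "pair": (a, b), "risk": risk,
                    "via_roles": sorted(perms[a] | perms[b]),
                    "status": "MITIGATED" if key in mitigations else "OPEN",
                    "compensating_control": mitigations.get(key),
                })
    return findings


def access_review_exceptions(users=USERS, hris=HRIS):
    """Detective check behind the termination control: an ERP user who is
    terminated in HRIS, or has no HRIS record at all, is an exception."""
    exceptions = []
    for user in users:
        status = hris.get(user)
        if status is None:
            exceptions.append((user, "no HRIS record (orphaned or legacy contractor account)"))
        elif status != "active":
            exceptions.append((user, f"HRIS status '{status}' but ERP access still active"))
    return exceptions


if __name__ == "__main__":
    for f in sod_conflicts():
        print(f"{f['status']:9} {f['user']:13} {' + '.join(f['pair'])} -> {f['risk']}")
    for user, reason in access_review_exceptions():
        print(f"EXCEPTION {user:13} {reason}")
```

Run as-is, the report lists a.patel twice (both AP pairs are open), r.khan once (record + approve JE, open), it.admin1 once (mitigated), and two access-review exceptions (m.ortiz terminated in HRIS, x.contractor absent from HRIS). Keying mitigations on the specific user and pair, rather than on the role, means a compensating control documented for one admin does not silently cover the next person granted the same role.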

## Audit Readiness & Management

### Internal Audit Program

```
INTERNAL AUDIT PLAN — FY2025
═════════════════════════════

AUDIT SCOPE & ENGAGEMENTS:
  Planned engagements: 8
  
  1. Revenue Recognition (Q1)
     Scope: Contract review, billing accuracy, revenue timing
     Risk rating: HIGH
     Resources: 2 staff auditors, 6 weeks
  
  2. IT General Controls (Q2)
     Scope: Access management, change management, operations
     Risk rating: HIGH
     Resources: 2 staff auditors + external IT specialist, 8 weeks
  
  3. Procurement & AP (Q2)
     Scope: Vendor management, purchase approval, payment accuracy
     Risk rating: MEDIUM-HIGH
     Resources: 1 staff auditor, 4 weeks
  
  4. Payroll & Compensation (Q2)
     Scope: Payroll accuracy, bonus calculation, equity grants
     Risk rating: MEDIUM-HIGH
     Resources: 2 staff auditors, 5 weeks
  
  5. Financial Close Process (Q3)
     Scope: Close checklist, reconciliation, JE approval
     Risk rating: MEDIUM
     Resources: 1 staff auditor, 3 weeks
  
  6. Expense Management (Q3)
     Scope: Policy compliance, approval workflow, fraud indicators
     Risk rating: MEDIUM
     Resources: 1 staff auditor, 3 weeks
  
  7. Tax Compliance (Q4)
     Scope: Tax provision, filing accuracy, credit management
     Risk rating: MEDIUM
     Resources: External tax specialist, 4 weeks
  
  8. Cybersecurity & Data Privacy (Q4)
     Scope: Security controls, incident response, data protection
     Risk rating: HIGH
     Resources: External IT/security specialist, 6 weeks

AUDIT METHODOLOGY:
  Planning:
    - Risk assessment and scoping
    - Process walkthroughs
    - Control documentation review
    - Testing strategy (sample size, methodology)
  
  Fieldwork:
    - Control testing (design + operating effectiveness)
    - Transaction testing (sample-based)
    - Data analytics (full population where possible)
    - Evidence documentation (screenshots, interviews, logs)
  
  Reporting:
    - Findings documentation (condition, criteria, cause, effect)
    - Rating: Critical / Major / Moderate / Minor
    - Management action plan (timeline, owner)
    - Follow-up (remediation verification)
  
  Quality assurance:
    - Internal audit charter (approved by Audit Committee)
    - IIA standards compliance
    - External quality assessment (triennial — next: 2025)

AUDIT FINDINGS TRACKING:
  Open findings: 4 (all Moderate or below)
  ┌─────┬──────────────────────┬──────────┬──────────────┬────────────────┐
  │ ID  │ Finding              │ Rating   │ Owner        │ Target Closure │
  ├─────┼──────────────────────┼──────────┼──────────────┼────────────────┤
  │ F-01│ Incomplete JE        │ Moderate │ Controller   │ Feb 28, 2025   │
  │     │ documentation        │          │              │                │
  ├─────┼──────────────────────┼──────────┼──────────────┼────────────────┤
  │ F-02│ Vendor master        │ Moderate │ AP Manager   │ Mar 15, 2025   │
  │     │ data quality         │          │              │                │
  ├─────┼──────────────────────┼──────────┼──────────────┼────────────────┤
  │ F-03│ Reconciliation       │ Minor    │ Sr. Account. │ Mar 31, 2025   │
  │     │ timing               │          │              │                │
  ├─────┼──────────────────────┼──────────┼──────────────┼────────────────┤
  │ F-04│ Backup testing       │ Minor    │ IT Manager   │ Apr 15, 2025   │
  │     │ documentation        │          │              │                │
  └─────┴──────────────────────┴──────────┴──────────────┴────────────────┘

  All findings on track for remediation
  No overdue items
  Escalation threshold: 30 days past target → Audit Committee notification
```

## Financial Close Controls

### Period-End Close Control Checklist

```
MONTH-END CLOSE CONTROLS:
═════════════════════════

CLOSE CALENDAR (10 business days):
  Day 1-2:
    [ ] Sub-ledger close (AP, AR, Fixed Assets, Inventory)
    [ ] Bank confirmations received
    [ ] Revenue recognition run completed
    [ ] Payroll period closed
    [ ] Intercompany transactions matched
  
  Day 3-4:
    [ ] Accruals calculated and posted (pre-reviewed)
    [ ] Journal entries prepared and approved
    [ ] Fixed asset depreciation run
    [ ] Tax provision calculated
    [ ] Foreign currency revaluation
  
  Day 5-6:
    [ ] Trial balance review (variance analysis vs. prior month)
    [ ] Balance sheet reconciliations completed
    [ ] Key account reconciliations (bank, intercompany, AR, AP)
    [ ] Revenue/expense variance analysis (>5% or >$50K flagged)
    [ ] Management review of financials (preliminary)
  
  Day 7-8:
    [ ] Financial statements prepared (P&L, BS, CF)
    [ ] Key metrics calculated
    [ ] Variance analysis documented (vs. budget, prior period)
    [ ] CFO review and sign-off
    [ ] Close checklist signed by Controller
  
  Day 9-10:
    [ ] External reporting (if applicable)
    [ ] Board reporting package prepared
    [ ] Close period locked (no prior period adjustments)
    [ ] Lessons learned documented
    [ ] Continuous improvement identified

KEY CONTROLS IN CLOSE:
  Preventive:
    - System period controls (auto-lock at close)
    - JE approval workflow (dual approval >$10K)
    - Accrual templates (pre-approved calculations)
    - SoD enforcement (creator ≠ approver)
  
  Detective:
    - Balance sheet reconciliation (100% of material accounts)
    - Trial balance variance analysis (>5% or >$50K threshold)
    - Exception reports (unusual transactions, large entries)
    - Controller review (final sign-off)
    - External auditor inquiry (quarterly)

CLOSE QUALITY METRICS:
  On-time close: 96% (past 12 months — target: 98%)
  Adjustments after close: 3 (past 12 months — target: 0)
  Restatements: 0 (past 24 months)
  Reconciliation exceptions: 2 (past 12 months — both resolved within 5 days)
  Auditor adjustments: 0 (FY2024 — clean audit)

CONTINUOUS IMPROVEMENT:
  Q4 2024 close: 10 days → Q1 2025 target: 9 days
  Initiatives:
    - Auto-accrual for recurring items (implementation: Q2)
    - Close checklist digitization (implementation: Q1)
    - Revenue automation (implementation: ongoing)
    - Intercompany auto-matching (implementation: Q3)
```
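The preventive and detective rules in the close checklist (creator ≠ approver, dual approval above $10K, period lock, and the >5% or >$50K variance threshold) are simple enough to run as an automated exception report each close. The following is an added example, not code from the original page: it applies those rules to a constructed set of journal entries and two constructed trial balances. Entry IDs, user names, amounts and the lock date are all hypothetical.

```python
"""Added example, not from the original page: a close exception report that
implements the JE approval rules and variance thresholds listed above over
constructed sample data."""
from datetime import date

DUAL_APPROVAL_THRESHOLD = 10_000   # dual approval required above $10K
VARIANCE_PCT = 0.05                # flag movement >5% ...
VARIANCE_ABS = 50_000              # ... or >$50K

LOCK_DATE = date(2025, 2, 13)      # constructed: period locked after Day 9 of the January close

# Constructed January 2025 journal entries (all belong to the locked period).
ENTRIES = [
    {"id": "JE-1001", "creator": "m.ortiz", "approvers": ["r.khan"], "amount": 4_200, "posted": date(2025, 2, 4)},
    {"id": "JE-1002", "creator": "m.ortiz", "approvers": ["r.khan"], "amount": 85_000, "posted": date(2025, 2, 5)},
    {"id": "JE-1003", "creator": "r.khan", "approvers": ["r.khan", "cfo"], "amount": 120_000, "posted": date(2025, 2, 5)},
    {"id": "JE-1004", "creator": "m.ortiz", "approvers": ["r.khan", "cfo"], "amount": -30_000, "posted": date(2025, 2, 18)},
    {"id": "JE-1005", "creator": "m.ortiz", "approvers": [], "amount": 900, "posted": date(2025, 2, 6)},
]

# Constructed trial balances, prior month vs. current month.
PRIOR = {"1000 Cash": 2_400_000, "1200 AR": 1_800_000, "2000 AP": 950_000,
         "4000 Revenue": 3_100_000, "6100 Travel": 40_000}
CURRENT = {"1000 Cash": 2_420_000, "1200 AR": 1_860_000, "2000 AP": 980_000,
           "4000 Revenue": 3_150_000, "6100 Travel": 43_000, "6900 Legal": 12_000}


def je_exceptions(entries, lock_date):
    """Checks for entries in the period being closed: the creator must not
    approve, anything over $10K needs two distinct approvers, and nothing may
    be posted into the period after the lock date."""
    exceptions = []
    for je in entries:
        approvers = set(je["approvers"])
        if je["creator"] in approvers:
            exceptions.append((je["id"], "creator is also an approver (SoD)"))
        if not approvers:
            exceptions.append((je["id"], "posted without approval"))
        elif abs(je["amount"]) > DUAL_APPROVAL_THRESHOLD and len(approvers) < 2:
            exceptions.append((je["id"], "amount >$10K with a single approver"))
        if je["posted"] > lock_date:
            exceptions.append((je["id"], "posted into locked period"))
    return exceptions


def variance_flags(current, prior):
    """Flag accounts whose movement vs. prior month exceeds 5% or $50K.
    An account missing on one side counts as zero; for a new account the
    percentage is undefined and reported as None (always flagged for review)."""
    flags = []
    for acct in sorted(set(current) | set(prior)):
        cur, prev = current.get(acct, 0), prior.get(acct, 0)
        delta = cur - prev
        if delta == 0:
            continue
        pct = abs(delta) / abs(prev) if prev else None
        if abs(delta) > VARIANCE_ABS or pct is None or pct > VARIANCE_PCT:
            flags.append((acct, delta, None if pct is None else round(pct, 4)))
    return flags


if __name__ == "__main__":
    for je_id, reason in je_exceptions(ENTRIES, LOCK_DATE):
        print(f"JE EXCEPTION  {je_id}: {reason}")
    for acct, delta, pct in variance_flags(CURRENT, PRIOR):
        print(f"VARIANCE FLAG {acct}: {delta:+,} ({'new account' if pct is None else f'{pct:.1%}'})")
```

On the sample data, JE-1001 passes and each of the other four entries trips exactly one rule; the revenue account moves by exactly $50,000 and 1.6%, so it sits on the threshold and is correctly not flagged, while the new legal account is flagged because a percentage against a zero prior balance is undefined. The threshold comparison uses the absolute amount so that large credits are held to the same approval bar as debits.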

## Output

### Internal Controls Dashboard

```
INTERNAL CONTROLS DASHBOARD — Jan 2025
════════════════════════════════════════

Control Environment:
  Total controls: 125 (45 key, 50 sub-key, 30 other)
  Test coverage: 45 key controls (100%)
  Pass rate: 93.3% (42/45 — 3 exceptions, all remediated)
  
SOX Compliance:
  Status: EFFECTIVE (ICFR — no material weaknesses)
  External audit: ✓ Clean opinion
  Deficiencies: 3 (all remediated)
  Open findings: 4 (all Moderate or below, on track)

Segregation of Duties:
  SoD conflicts: 5 (3 resolved, 2 mitigated)
  Access review: ✓ Q4 2024 completed (98% certified)
  Privileged access: 5 admins (MFA, session recording)

Audit Status:
  FY2025 plan: 8 engagements planned
  In progress: 0
  Completed: 0
  Open findings: 4 (remediation on track)
  Next engagement: Revenue Recognition (February)

Financial Close:
  Last close: January (completed Day 9 — 1 day ahead)
  Adjustments post-close: 0
  On-time close rate: 96%
  Reconciliation exceptions: 0 (current month)

Upcoming:
  Feb 1: Revenue Recognition audit start
  Feb 15: Q1 access review
  Mar 1: SOX RCSA refresh
  Apr 1: ITGC audit start
  Apr 15: Audit Committee meeting
```

## Integration Points

- ERP (NetSuite, SAP): Embedded controls, approval workflows, SoD configuration
- GRC platforms (AuditBoard, ServiceNow GRC, Diligent): Control documentation, testing, issue tracking
- Access management (Okta, SailPoint): Role-based access, provisioning, access review
- Audit management tools: Audit planning, fieldwork, reporting
- BI platforms: Control dashboards, exception reporting
- Data analytics tools (ACL, IDEA, Tableau): Transaction testing, data analysis
- Document management: Control documentation, evidence storage
- HRIS: Employee data for access provisioning/termination
- Ticketing systems (ServiceNow): Control remediation tracking
- Board portals: Audit Committee reporting

## Edge Cases

- **Small entity constraints**: Limited staff; SoD conflicts unavoidable; compensating controls required
- **Rapid growth**: New systems, new entities; control expansion keeps pace with growth
- **Cloud ERP transition**: Control redesign (from legacy to cloud); audit trail continuity; parallel testing
- **Multi-entity/multi-currency**: Intercompany controls; FX controls; consolidation controls
- **Outsourced functions**: BPO vendor controls; SLA compliance; shared responsibility model
- **Regulatory change**: New requirements (e.g., SEC climate rules); control design update
- **Fraud detection**: Data analytics for anomaly detection; whistleblower management; investigation
- **Post-IPO SOX**: First-year SOX; Section 302/404; external auditor coordination; investor communication
- **M&A integration**: Control harmonization; entity scoping; transition risk
- **Material weakness identification**: Immediate disclosure; remediation plan; investor communication; board notification
