8/11/2019 2010 05 20 Presentation
1) Writing and Implementing Procedures for your Department
and 2) Segregation of Duties and Delegation of Authority
Presented by: Chris Doxey, CAPP, CCSA, CICA
VP, Business Development
Business Strategy, Inc.
Office: 540-882-3247
Cell: [email protected]
BUSINESS STRATEGY INC.
Writing and Implementing Procedures for your Department
Course Content Map
Overview, Introduction, and Definitions
Writing Effective Procedures
Communication, Training, and Mentoring
Business Process Improvement
Sample Procedure
Statistics, Metrics, and Quality Tools
How Procedures Add Value
CHECKLISTS
DISCUSSION
Introduction and Overview
Overview
Policies and procedures are often required at the Company Level. Examples are:
Human Resources
Code of Conduct
Business Ethics
Security
Delegation of Authority
Corporate Finance
Policies and Procedures are also applicable at the Operating or Process Level. Examples are:
Procurement
Accounts Payable
Accounts Receivable
Payroll
Example of a Corporate Policy Framework
Definitions
Definitions
This section will focus on the definitions of:
Policies
Procedures
Work Instructions
Process Flows
All are key components of the documentation required to establish Standards of Internal Control.
Policies
What is a policy?
Basic concepts, assumptions, policies, methods, and practices used by a company.
As an example, accounting policies ensure the adherence to accounting principles and summarization into financial statements as prescribed by GAAP.
A policy can be described as what needs to happen to ensure that accounting cycles are working within boundaries of internal control (high level approach). Other policies will be referenced if applicable.
Examples:
1) All purchases must be approved in accordance with signatory levels.
2) All purchases must utilize the approved vendor listing.
Procedure
What is an accounting procedure?
The routine steps in processing accounting data during an accounting period. In sequence: 1) occurrence of the transaction, 2) classification of each transaction in chronological order (journalizing), 3) recording the classified data in ledger accounts (posting), 4) preparation of financial statements, and 5) closing of nominal accounts.
A procedure ensures that a policy is properly executed and explains how. Other procedures or policies will be referenced if applicable.
Examples:
1) Signatory levels will be validated for purchases by utilizing appropriate systems and processes within the procurement department by the assigned procurement personnel.
2) Direct and Indirect procurement orders will be reviewed by the procurement department to ensure that vendors are on the approved vendor list. Depending on the system, this will be completed either manually or systematically.
Work Instructions
What is a work instruction?
A work instruction is a step by step document that depicts the steps needed to complete an activity at the transaction level.
This is a detailed document that may include key stroke information.
This is a very detailed "how to" document.
Examples:
1) Step 1: Log onto the signatory authorization system by accessing the systems. Step 2: Log into the system using the assigned user ID and password. Step 3: Validate that the individual that has approved the purchase has the appropriate signature authorization level. Step 4: Reject or move to processing.
2) Step 1: Validate all purchases with the vendor master listing. Step 2: Reject or move to processing.
Process Flows
What is a process flow?
A process flow communicates the actual process currently in place.
It is a picture of the flow and sequence of work steps, tasks, or activities.
A process flow will include:
The flow or sequence of steps throughout the process.
The person responsible for each task.
Key decision points and their impact on the flow of work.
Major inputs/outputs from/to entities outside the scope of the diagram. Example: Systems Flows.
Process Flows
How is a process flow created?
A process flow is created by diagramming the business or cycle flow using the symbols below. Note: A tool such as Visio or PowerPoint can be used.
What are the Key Differences Between Policies, Procedures, Work Instructions, and Flow Charts?
Definitions - Checklist
Have you defined your Audience for the procedure?
Does the procedure support a Corporate Policy?
Are additional Work Instructions needed to support the Procedure?
Can you leverage Existing Documentation?
How Do Procedures Add Value?
Procedures Add Value in the Following Ways:
Establish Standards of Internal Control
Provide the Supporting Document for SOX 404 and Controls Self-Assessment Programs
Identify Areas for Potential Process Improvements
Support Change Management Initiatives
Standards of Internal Control
What are Standards of Internal Control?
Standards of Internal Control ensure that basic and consistent internal controls are in place across all activities and entities across the company at the Corporate, Operating, and Process Level.
Standards of Internal Control set the foundation for a control environment and establish the control objectives for the company and provide a mechanism for risk mitigation.
Other Benefits of Procedures
Procedures reduce human error.
Document the most efficient way to perform a task.
Provide a training document.
Support internal controls.
Support quality initiatives.
Document an end to end process such as Procure to Pay.
Document linkages with systems.
Additional Benefits of Procedures
Procedures add controls since they may include check-points, or sign-off steps that designate completion or approval of a task.
Procedures provide an audit trail for the process.
Procedures support end to end process steps within an accounting cycle, or operational cycle.
Adding Value - Checklist
Does the procedure support your Internal Controls Program?
Can the procedure be used to support a Controls Self Assessment Process?
Does the procedure support a Quality Program?
Can the procedures be Leveraged by other departments?
Writing Effective Procedures
Writing Effective Procedures
Procedures can be simple or complex depending upon the process steps or tasks being documented.
In the Getting Started Phase, remember that procedures provide the following:
Information that is needed to perform a task.
A representation of the collective knowledge of a group of experts regarding the way a task is performed.
A representation of institutional memory of the way a task should be performed.
Steps to Follow
Investigate
Organize
Write
Revise
Validate, Verify, Approve
Investigate
Perform preliminary research to develop ideas about the content.
Review existing source documentation.
Interview subject matter experts.
Ensure you understand the content.
Organize
Prepare an outline.
Identify Subject Matter Expert(s).
Identify a Supervisor or Manager that will be held accountable for the procedure. (Often referred to as the Process Owner)
Organize the content.
Chart a flow chart for the content.
Writing
Create a draft of the procedure.
Write the procedure so that it is auditable.
Use a step by step format.
Define responsibilities.
Refer to types of documents that can be selected for an audit sample. (e.g. Purchase Requests, Purchase Orders, Invoices)
Revise
Check details of the procedure.
Check spelling and grammar.
Make revisions after a Subject Matter Expert, Supervisor, or Manager reviews the content.
Validate, Verify, and Approve
Review the content with the subject matter expert.
Verify that the procedure is clearly documented.
Verify the accuracy of the procedure.
Verify that the level of detail is appropriate.
Ensure that the procedure is approved by a Subject Matter Expert, Supervisor, or Manager.
Writing Tips
Writing Tips
Develop consistent syntax.
Use clear vocabulary.
Use useful headings.
Use the correct level of detail.
How to specify numerical information.
Use consistent format.
Hints for cross-references.
Consistent Syntax
Use short sentences in process steps.
Break long sentences into shorter sentences.
Write steps that are concise and can be validated by internal controls testing.
Write action instructions in the active voice.
Write steps as positive commands.
Avoid negative statements.
Provide examples or cross references.
Review and reference source documents.
Clear Vocabulary
Use words consistently within the procedure.
Use short, simple words that are common in standard American English.
Avoid words that may be misunderstood.
Provide definitions if applicable.
Restrict the use of abbreviations and acronyms.
Use Consistent Headings
Make sure that the headings summarize the information discussed within a section.
Repeat the subject in the first sentence of the paragraph following a heading.
Headings should identify key points and serve as transitions between subject matter.
Headings show the overall structure of the document.
Headings identify specific sections for selective reading.
Level of Detail
Write procedures at an appropriate level of detail, presenting the correct amount of information.
The appropriate level of detail will vary according to the type of procedure, the frequency with which the procedure is performed, and the experience level of the users.
Feedback is an important step throughout the writing process.
Avoid assumed knowledge.
Ensure that the audience for the procedure is properly analyzed.
Numerical Information
Procedures should use Arabic numbers (e.g. 0, 1, 2, 3) rather than spelled-out numbers or Roman numerals.
Account numbers should be defined (e.g. GRIR Clearing Account 0001223344).
Format
Use a consistent type size and font.
Use place keeping aids, such as blank lines or boxes, to designate process steps.
Use emphasis to let the reader know what is important.
Emphasis techniques should be used consistently. Examples are:
Bolding
Italicizing
Underlining
ALL CAPITALS
(Brackets)
"Quotation Marks"
Cross References
Explicit cross-references direct the user to refer to another procedure or another part of the same procedure.
Key words should be used to indicate each type of cross reference. (e.g. invoice or purchase order)
Checklist
Is the procedure written in a Step by Step format?
Is the format Consistent?
Has the System supporting the Business Process been considered?
Are Key Controls documented?
Can the procedure be Audited?
Is the procedure written in Plain English?
Can it be used as a Training Document?
Tackling Roadblocks
Communication, Training, and Mentoring
Communication Defined
1. An exchange of information
2. An act or instance of transforming information
3. A verbal or written message
4. A technique for expressing ideas effectively
Factors Affecting Communication
1. The receiver hearing what he/she wants to hear
2. The sender and receiver having different perceptions
3. The receiver evaluating the message before accepting it
4. Words meaning different things to different people
Benefits of Effective Communication
Deliver Consistent Information and Updates
Gain Commitment
Inform People
Involve People
Open Feedback
Motivate People
Communication Methods
Hard Copy Print
Presentations
Electronic
Intranet
Emails
Posters
Bulletin Boards
Brochures/Pamphlets
Training
Team Meetings
Focus Groups
Town Meetings
Conference Calls
Communication Methods for New Procure to Pay Procedures
Printed Procedures
Training
New Forms
Posters
Focus Groups
Emails
Pamphlets
Newsletter
Training Methods
Lectures/Classroom
Web Based
Interactive Web Based
Workshops
Department Meetings
Structured On-The-Job-Training
Multimedia Training
Computer Based
Computer Assisted
Network Discussion Groups
Communications, Training, and Mentoring - Checklist
Have you defined a Communication Strategy and a Training Strategy for rolling out procedures?
Are the procedures New or Updates?
What is the Impact: Company Wide, Divisional, Regional, or Department Specific?
Have you identified Communication and Training Methodologies?
What about Timing?
Have Mentors or Subject Matter Experts been enlisted?
How Well Are Your Procedures Working?
Statistics, Metrics, and Quality Tools
Tips for Implementing a Statistics and Metrics Process
Metrics need to be consistently defined.
Data should be easily gathered (automated).
Data needs to be correct.
Trends need to be analyzed.
Communicate linkages with performance.
Identify your audience:
  Executive
  Operational
Define frequency of reporting.
Prepare a commentary or narrative.
Focus on highlights.
Provide graphics.
Be prepared to implement an action plan.
Sample Procure to Pay Metrics
Cost Per Invoice
Days Payable Outstanding (DPO)
Vendor Payment With Errors
Duplicate Payments
Number of Payments Made Per Month
Percentage Use of Electronic Invoicing
Percentage Use of Electronic Payments
Invoices Paid Within Specified Terms
Policies for Taking Vendor Discounts
Number of Payments
Reduction of Number of Payments
Processor Productivity
Percentage of Electronic Invoice Processing
Percentage of Electronic Payment Processing
Invoice > Payment Cycle Time
On Time Payments
Monthly Invoices
Number of voided checks
Number & $ of invoices paid > 60 days
POs created after the fact
Invoices matched to PO 1st time
Number of new vendors added
Number of duplicate vendors and remits corrected
Stratification of non-electronic invoices
Vendor website hits and hot line call stats
% of wires and checks
Metrics - Checklist
Use Common Sense and Organizational Sensitivity.
Provide regular Feedback.
Set clear Goals with Supporting Metrics.
Potential problem areas should not be considered Negative.
Do not focus on Just One Metric.
Define Actionable Plans.
Communicate Results.
How Can Procedures Improve a Department?
Business Process Improvement
Business Process Improvements
1. Establish the difference between perception, intuition and reality.
2. Gather all the facts.
3. Identify and verify potential problem areas.
4. Validate the process and determine if performance is the issue.
5. Document the issue and develop an action plan.
6. Provide a baseline for performance improvement.
7. Track improvements.
8. Decide if a process is stable or predictable.
Metrics create a common language to identify areas for Business Process Improvements.
Business Process Improvement - Checklist
Determine if there is a Communication Issue rather than a Business Process Improvement opportunity.
Determine if an Old Form or Procedure is still being used.
Is there a Control Issue?
Is there need to deliver additional Training?
Was the procedure Poorly Written?
In Closing, Procedures Can:
1. Improve Customer Satisfaction
2. Improve Business Processes
3. Reduce Cost and Cycle Time
4. Improve Service Levels and Response Times
5. Enhance Quality and Flexibility
6. Improve Employee Productivity and Morale
7. Standardize and Streamline Business Processes
8. Avoid Duplication of Efforts
9. Identify Automation Opportunities
10. Support Internal Controls and Controls Self Assessment Initiatives
A Sample Procedure
Sample Procedure Format
Purpose
Revision History
Persons Affected (Scope)
Policy
Definitions
Responsibilities
Procedures
Sample Procedure
Document Number:
Effective Date:
Revision Date:
Revision Number:
Page Number:
Title of Procedure
Approval:
1.0 Purpose: Describes objectives for writing a policy or procedure.
2.0 Revision History: Shows a list of changes to this document.
3.0 Persons Affected: Identifies the user of this document.
4.0 Policy: Indicates the Corporate Policy supported.
5.0 Definitions: Defines forms, key words, and technical terms.
6.0 Responsibilities: Summarize the roles and responsibilities of all individuals supporting the process represented by the procedure.
7.0 Procedure: Defines and outlines the rules, regulations, methods, timing, place, and personnel responsible for accomplishing the policy as stated in the Policy section above.
Sample Procedure (3 of 9)
Document Number: 1000
Effective Date: 8/1/05
Revision Date:
Revision Number: 1.0
Page Number: 3 of 9
Ordering Maintenance, Repair, and Operating (MRO) Supplies
Approval: Penny Procurement
Definitions: (Continued)
5.3 Request for Quotation (RFQ)
Process used by the procurement department to request bids from suppliers. A request for quotation is a means of inviting bids from prospective suppliers. The RFQ is the buyer's first official contact with suppliers. The quality and content of the RFQ can determine the outcome of the bidding process because it sets the stage for discussions and negotiations.
5.4 Purchase Order (PO)
A systematic or manual form used by the procurement department to establish a legal contract between the Company and a supplier. The PO is written evidence of a contract between the buyer and supplier for the purchase of supplies and services at an agreed upon price and delivery date. The issuance of the PO is based on formal or informal bids and proposals. The PO should contain general instructions, standard terms and conditions, description of the agreement, and the approval of an authorized procurement agent.
5.5 Receiver
A manual or systematic form that is used to create a receiving document from an issued PO. The receiver serves as proof of delivery and is the document that records the inspection and acceptance of goods and services, and the approval for payment.
Sample Procedure (4 of 9)
Document Number: 1000
Effective Date: 8/1/05
Revision Date:
Revision Number: 1.0
Page Number: 4 of 9
Ordering Maintenance, Repair, and Operating (MRO) Supplies
Approval: Penny Procurement
Definitions: (Continued)
5.6 Packing Sheet (PS)
A form a supplier uses to accompany the order to the Company. Normally, a PS is a two-part, pre-numbered form used by a supplier when filling the order. This form should accompany any items being shipped to the company from a supplier. All packing sheets must make reference to an authorized and issued PO number.
5 Responsibilities:
6.1 The procurement department executive shall ensure compliance to this procedure.
6.2 Requestors are expected to select the most current PR and adhere to the guidelines of this procedure when requesting MRO supplies. Requestors will obtain the necessary approvals.
5.3 The procurement assistant will review all incoming PRs to ensure that the PRs are completed in accordance with current procurement policies and procedures. Any discrepancies will be coordinated with the requestor. The procurement assistant forwards all approved PRs to the procurement manager for review and selection of a buyer.
5.4 A procurement manager will review the PRs and assign the appropriate buyer.
5.5 The buyer will review the requisition, select at least three sources (suppliers), solicit bids, review bid packages, select a supplier, issue a PO, and monitor the receipt of the supplies.
Sample Procedure (6 of 9)
Document Number: 1000
Effective Date: 8/1/05
Revision Date:
Revision Number: 1.0
Page Number: 6 of 9
Ordering Maintenance, Repair, and Operating (MRO) Supplies
Approval: Penny Procurement
Procedures: (Continued)
Establishing Need: (Continued)
7.1.1 Upon receipt of the appropriate approval, the requestor will forward the PR to the finance department for review of the budget and for approval.
7.1.2 If approved, the requestor will forward the PR to the procurement department systematically.
7.2 Procurement Department Activities:
7.2.1 A procurement assistant will review all incoming PRs to ensure compliance with this procedure. The PR will be reviewed to ensure that the information in required fields is correct and appropriate approvals have been obtained.
7.2.2 A procurement manager reviews PRs and assigns them to the appropriate buyer responsible for the purchase of MRO supplies. The manager will approve the PR and assign a buyer.
Sample Procedure (7 of 9)
Document Number: 1000
Effective Date: 8/1/05
Revision Date:
Revision Number: 1.0
Page Number: 7 of 9
Ordering Maintenance, Repair, and Operating (MRO) Supplies
Approval: Penny Procurement
Procedures: (Continued)
Procurement Department Activities: (Continued)
7.1.1 The buyer will review the PR and begin the necessary negotiations with selected supplier to find the most competitive bid.
7.1.1.1 At least three suppliers are selected to participate in the bidding process. The buyer allows two to three weeks for the supplier to submit the bid package.
7.1.1.2 The buyer reviews the submitted bid packages and makes a selection. In some cases, the suppliers will be contacted for further discussions about price and services offered.
7.1.1.3 The buyer selects the most appropriate bid based on objective criteria. Note: The RFQ or bid process is not necessary for all PRs.
Sample Procedure (8 of 9)
Document Number: 1000
Effective Date: 8/1/05
Revision Date:
Revision Number: 1.0
Page Number: 8 of 9
Ordering Maintenance, Repair, and Operating (MRO) Supplies
Approval: Penny Procurement
Procedures: (Continued)
Procurement Department Activities: (Continued)
7.1.1 A PO is awarded to the selected supplier. The PO is provided to the supplier, accounts payables, and the receiving department.
7.1.1.1 The supplier will review the order and acknowledge receipt to the buyer.
7.1.1.2 The buyer will review changes recommended by the supplier.
7.2 Receiving Department Process:
7.2.1 Upon receipt of the PO, the receiving department shall create a receiving document or receiver based on the issued PO.
7.2.2 Upon receipt of the order from the supplier, the receiving department compares the material received to the packing sheet and the receiver. The receiving information is recorded and any discrepancies are noted.
7.2.2.1 The buyer receives a manual or systematic copy of the receiver.
7.2.2.2 The accounts payable department receives a manual or systematic copy of the receiver.
7.2.2.3 The receiving department retains a manual or systematic copy of the receiver.
Sample Procedure (9 of 9)
Document Number: 1000
Effective Date: 8/1/05
Revision Date:
Revision Number: 1.0
Page Number: 9 of 9
Ordering Maintenance, Repair, and Operating (MRO) Supplies
Approval: Penny Procurement
Procedures: (Continued)
7.1 Accounts Payable Process:
7.1.1 The accounts payable department will perform a three-way match of the PO, receiver, and invoice. If the three-way match is successful, the payment process is initiated.
7.1.2 The payment is provided to the supplier following the terms and conditions of the PO.
7.1.3 Payment information is recorded on the PO.
7.1.4 The accounts payable department ensures that the correct general ledger accounts are recorded.
How Did We Do?
Overview, Introduction, and Definitions
Writing Effective Procedures
Communication, Training, and Mentoring
Business Process Improvement
Sample Procedure
Statistics, Metrics, and Quality Tools
How Procedures Add Value
CHECKLISTS
DISCUSSION
Questions?
Segregation of Duties and Delegation of Authority
Contents
Types of Controls
Segregation of Duties (SoD)
Example SoD Policy
Delegation of Authority (DoA)
Linkage to Ethics and Tone at the Top
5/20/2010
Objectives To Be Addressed Today
1. What are the most important Control Objectives within the Accounts Payable Cycle?
2. Are your Internal Controls robust enough to detect and prevent disbursement fraud?
Types of Controls
Risk Management Objective | Control Measure | Type of Control
Segregation/Authorization | Physical and logical access control | Preventive
Segregation/Authorization | Audit trails | Detective
Accuracy | Automatic validation | Preventive
Accuracy | Data verification | Detective or Corrective
Accuracy | Application change control | Preventive
Accuracy | Audit trails | Detective
Completeness | Application change control | Preventive
Completeness | Record counts | Detective
Completeness | Cross-totals | Detective
Completeness | Audit trails | Detective
Confidentiality | Physical and logical access control | Preventive
Confidentiality | Audit trails | Detective
Auditability | Only access production data through authorized programs | Preventive
Auditability | Audit trails | Detective
Continuity/Recovery | Backups and recovery plans | Corrective
Example of an Accounts Payable Control Objective and Control Activity
For example, a control objective for an accounts payable function might be: Payments are only made to authorized vendors for goods or services received.
A typical control activity designed to achieve this objective is: The accounts payable system compares the purchase order, receiving record, and vendor invoice prior to authorizing payment.
The Key Controls Within the AP Cycle
1) Segregation of Duties (SoD)
2) Delegation of Authority (DoA)
Segregation of Duties (SoD) Concepts
Authorization: Reviewing and Approving transactions
Reconciliation: Assurance that transactions are proper
Record Keeping: Creating and Maintaining records
Asset Custody: Access to and/or control of assets
Examples of SoD Conflicts
Authorizing purchases and receiving goods purchased from the transaction
Ability to modify an evaluated-receipts contract and receive against a PO
Setting up a vendor in A/P and executing the payments
More Segregation of Duties (SoD) Concepts
Conflict Types
In the context of information systems security, there are two types of SoD conflicts. We examined both types of conflicts during our review. These are:
Conflicts that arise from a security object (profile/role/class/etc.) being defined with excessive, conflicting privileges (intra-conflicts)
Conflicts that arise from multiple security profiles/roles/classes being assigned to a user account such that the cumulative privileges of the user are excessive and conflicting (extra-conflicts)
[Diagram: Intra-Conflicts show a User linked to one Security Object that carries two Privileges; Extra-Conflicts show a User linked to two Security Objects, each carrying one Privilege.]
Intra-Conflicts: The conflicting privileges introduce risk when assigned to a user through a single security object.
Extra-Conflicts: The conflicting privileges introduce risk when assigned to a user through multiple security objects.
More on Delegation of Authority (DoA)
Certain types and levels of expenditures will require BoD approval.
Example: M&A, CAPEX >$25M
BoD approvals are documented in BoD meeting minutes.
Out of office delegations should be maintained systemically via email or by the appropriate delegation form.
Important: Always maintain an audit trail.
Permanent authority is often granted to the next level down within an organization.
More on Delegation of Authority (DoA)
The delegation of authority control is a company wide policy that establishes signing authorities by level or position within the organization. The best way to implement this control is systematically. Officers and employees who delegate their authority remain responsible for monitoring and reviewing the actions of those to whom authority has been granted. Utmost care should be exercised in the selection of designees and the documentation, notification, and timely rescission of authority. Officers and employees are usually permitted to delegate their responsibilities and authorities to employees who report directly to them.
More on Delegation of Authority (DoA)
Delegation of authority is an excellent preventative control for internal, external, and conspiracy or collusion fraud since a proper signing authorization process should be in place.
In fact, some organizations have taken the delegation of authority control a step further and have incorporated segregation of duties controls. Having a finance manager approve an expenditure of a certain dollar amount with the operational manager evidences this process. The process is referred to as the double key method.
Societe Generale Case Study
$7.1B
The fraud, perpetrated by a 31-year-old trader, was not a simple case of computer security fraud. Though the perpetrator, Jerome Kerviel, did manage to manipulate the bank's computer systems to conceal his fraudulent trades, his crimes were not, as some early reports suggested, the product of hacking or other system breach. Rather, according to the bank itself, Kerviel stole computer passwords and faked documents to gain access to the computer trading system for which he lacked authorization.
More importantly, to prevent his supervisors from detecting his high-stakes trades, he systematically erased them before the compliance checks took place and simply created new ones immediately afterwards.
How Does Ethics Impact An Internal Controls Program?
Ethics and Code of Conduct set the foundation for an internal Controls Program.
The Integrity of a company is established by the Tone at the Top.
Tone at the Top directs how Employees, Shareholders, and Stakeholders of a Company will behave.
The Definition of Tone at the Top
The values and principles that define the organization's culture are a direct product of its leaders.
In other words, setting the tone of the company's culture is how top management conveys to the entire workforce the level of integrity it expects from everyone.
What happens when Tone at the Top is not working?
Insider or related-party dealings, override of internal controls, and favorable key-employee treatment are just three examples of management looking out for management, whereby the ethical tone of the company's culture is set at a dismally low level.
Business Strategy, Inc.
Partnerships
Questions?