Financial Controls Monitoring Use Case Design

This topic explains the Financial Controls Monitoring use case design.

Architecture Diagram

The following diagram shows the relationships between the applications in the Financial Controls Monitoring use case.

Figure: Controls Monitoring Program Management use case architecture

Applications and Questionnaires

The following table describes the use case applications and questionnaires.

Application/Questionnaire

Description

Process Narratives

Process Narratives document major financial flows and processes. The Process Narratives application manages these records and includes Narrative step records to provide more granular detail. These narratives are documented and reviewed for SOX 302 certification. They are subject to a Change Control process to ensure that changes are reviewed and approved before being implemented.

PBC Documentation Requests

The Provided By Client (PBC) Documentation Requests application manages PBC Requests that are filed for documenting and reviewing PBC lists. PBC lists are frequently requested during the audit preparation phase. They are regularly updated during the audit process and include requested supporting documents that auditors need from clients, such as policies, reports, and so on. Auditors use the PBC lists to begin fieldwork tests and understand the controls and processes within scope. Auditors can add new requests to the PBC list as needed for the audit.

G/L Accounts

The G/L Accounts application serves as a repository of general ledger accounts for each business unit. Records within this application are used to determine if a specified account is in or out of scope, thereby requiring testing.

Operating Effectiveness Testing Package

The Operating Effectiveness Testing Package application provides a workflow for operating assessment tests. Reviewers use the same application to approve test results. The application tracks the results by using records in the Operating Test Results application. The operating test results are grouped with the related Control Procedures record to complete 302 Certification questionnaires.

Roles and Responsibilities

The Roles and Responsibilities application defines the critical and noncritical roles in the SOX program, including the ownership of the various Process Narratives.

Control 302 Certifications

The PMO uses the 302 Certification questionnaire to conduct 302 certification and stay in compliance with SOX regulations. The 302 certification asserts corporate responsibility to the SEC for internal controls and the accuracy of financial reports.

Process Narratives Walkthrough

The PMO uses the Process Narrative Walkthrough questionnaire to file a walkthrough of an approved process narrative. The walkthrough functions as a full review of the entire process to evaluate for weaknesses. The Risk and Compliance Specialist completes it and the SOX PMO approves it. This questionnaire is part of the SOX 302 certification process.

General Ledger Risk Assessment

The General Ledger Risk Assessment questionnaire is used to assess the risk that is related to general ledger accounts. For existing customers, this questionnaire is the upgraded version of the Account Scoping questionnaire.

Quarterly Financial Certification - Company

This questionnaire is based on the guidance that Sarbanes-Oxley Section 302 provides. The principal executive officers and principal financial officers must provide several certifications in association with each annual or quarterly report that is filed with the SEC. The statements that are provided in this questionnaire are intended to address these and similar certification requirements. This questionnaire is targeted at the Company application, allowing organizations to certify financial results at the highest level of the organization.

Ethics Violations

The Ethics Violations application enables you to report accounting irregularities, conflicts of interest, security events, cyber breaches, thefts, injuries, and many other types of incidents. Once a violation has been created in the Ethics Violations application, you can capture compliance manager and responder notes and track the violation to closure.

Through the Ethics Violations application, you can:

  • Document reported ethics violations, including the method of communication, source (unless anonymous), date reported, location, and violation details.
  • Enable anonymous incident reporting as recommended by the EU Data Privacy and U.S. Public Disclosure Acts and required by the Sarbanes-Oxley Act.
  • Capture HR management review, including SOX implications, action plans, and disciplinary action.

Roles

The following table describes the use case roles.

Role

Description

FCM: Process and Control Owner (PCO)

The PCO updates controls, completes control 302 certifications, creates and validates process narratives, and provides evidence and documentation for PBC requests in the Financial Controls Monitoring use case.

FCM: Risk and Compliance Specialist (RCS)

The RCS assists the PMO and PCO with all SOX requirements in the Financial Controls Monitoring use case, such as creating process narratives, reviewing PBC requests, completing process narrative walkthroughs, and so on.

FCM: Program Management Office (PMO)

The PMO manages the company’s SOX compliance program in the Financial Controls Monitoring use case. PMO tasks include reviewing process narratives, walkthrough assessments, quarterly financial certifications, and G/L Accounts. The PMO also creates and reviews control 302 certifications, assesses design tests and operating effectiveness tests, and creates new compliance engagements.

FCM: External Audit Resource

The External Audit Resource evaluates the accuracy of financial statements, controls, procedures, and operating effectiveness in the Financial Controls Monitoring use case. The external audit firm that is assigned this role creates a PBC request for items that are required from the client prior to the commencement of an audit. The audit committee and the board of directors engage an external audit firm to review the work of Internal Audit.

CM: Executives

Executives complete quarterly financial certifications at the company level and have read access rights to all Financial Controls Monitoring applications.

CM: Tester

The Tester performs design tests and operating effectiveness tests. The tester submits the results to the Reviewer or PMO.

CM: Admin

The admin role is the administrator for the Financial Controls Monitoring use case. The admin role has create, read, update, and delete access rights.

Dashboards

The following table describes the use case dashboards.

Dashboard

Description

Financial Controls Monitoring Executive Dashboard

This dashboard provides iViews that help Executives in monitoring the financial controls compliance of the organization.

For existing customers: Compliance Monitoring Portal has been renamed to Financial Controls Monitoring Executive Dashboard.

FCM: SOX Program Management Office (PMO)

This dashboard provides iViews that assist the SOX PMO in monitoring financial controls.

FCM: Process and Control Owner

This dashboard provides iViews that assist the Process and Control Owner in monitoring financial controls.

FCM: Risk and Compliance Specialist

This dashboard provides iViews that assist the Risk and Compliance Specialist in monitoring financial controls.

FCM: External Auditor

This dashboard provides iViews that assist the External Auditor in monitoring financial controls.

Note: Any user with access to the Financial Controls Monitoring use case also has access to the Evidence Owner and My Evidence Queue dashboards as part of the prerequisite Controls Assurance Program Management use case. For more information about these dashboards, see "Controls Assurance Program Management Design".

Data Feeds

Note: For instructions on setting up the feeds, see "Setting Up Controls Assurance Program Management Data Feeds."

The following table describes the data feeds in this use case.

Data Feed

Description

RCCM: Move Control Procedures to Primary Controls (1 - Source)

Moves Control Procedure records to the Primary Controls application. This data feed should be run once to populate Primary Controls. This data feed brings the top level of the Authoritative Sources (Source) and associates it to the Primary Control where applicable.

RCCM: Move Control Procedures to Primary Controls (2 - Topic)

Moves the second level of the Authoritative Sources content (Topic) to the Primary Controls application, and associates it to the newly created Primary Control, where applicable.

RCCM: Move Control Procedures to Primary Controls (3 - Section)

Moves the third level of the Authoritative Sources content (Section) to the Primary Controls application, and associates it to the newly created Primary Control, where applicable.

RCCM: Move Control Procedures to Primary Controls (4 - Sub Section)

Moves the fourth level of the Authoritative Sources content (Sub-Section) to the Primary Controls application, and associates it to the newly created Primary Control, where applicable.

RCCM: Control Snapshots

Runs against the Control Procedures application for any Control Procedures that have been queued for snapshot creation. This data feed creates a record in the Control Snapshots application using data selected from Control Procedures for historical reporting purposes and associates the record back to the Control Procedure so that users can look at point-in-time snapshots of their controls.

RCCM: Controls Generation

Runs against the Control Generator application. Users identify Primary Controls to be instantiated as Control Procedures and queue the Control Generator record for Control Procedure creation. This data feed generates Control Procedures using the selected variables in the Control Generator record.

RCCM: Evidence Repository

Runs against records being checked out in the Evidence Repository application. This data feed has two main functions. First, it moves the user who is checking out the record into a special record permission field so that only that user can edit the record while it is checked out. Second, it creates a sub-form record in the Version History section of the Evidence Repository application and associates the current document, version date, and version with that sub-form record. This ensures that if a new document is uploaded during checkout, users have a historical version record where they can view previous versions of the document.
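The checkout behaviour described above, modelled as an added example that is not part of the original page or of the product's own feed implementation. The record fields, the `checked_out_by` permission field and the user names are assumptions constructed for the example; the point it demonstrates is the two-step invariant the feed enforces: only the checking-out user can edit while the record is checked out, and the pre-checkout document, version, and version date are preserved in Version History before any new upload can overwrite them.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class VersionHistoryEntry:
    """Sub-form record in the Version History section (constructed model)."""
    document: str
    version: int
    version_date: date


@dataclass
class EvidenceRecord:
    """Evidence Repository record (constructed model, not the product schema)."""
    record_id: str
    document: str
    version: int = 1
    version_date: date = date(2024, 1, 15)
    # Hypothetical record-permission field: while set, only this user may edit.
    checked_out_by: Optional[str] = None
    version_history: List[VersionHistoryEntry] = field(default_factory=list)


def can_edit(record: EvidenceRecord, user: str) -> bool:
    """Edit rights are granted only to the user named in the permission field."""
    return record.checked_out_by == user


def checkout(record: EvidenceRecord, user: str) -> EvidenceRecord:
    """Step 1: move the user into the permission field.
    Step 2: snapshot the current document into Version History so the
    pre-checkout version survives any upload made during the checkout."""
    if record.checked_out_by is not None and record.checked_out_by != user:
        raise PermissionError(
            f"{record.record_id} is already checked out by {record.checked_out_by}")
    if record.checked_out_by == user:
        return record  # repeated checkout by the same user is a no-op
    record.checked_out_by = user
    record.version_history.append(
        VersionHistoryEntry(record.document, record.version, record.version_date))
    return record


def upload_document(record: EvidenceRecord, user: str,
                    new_document: str, today: date) -> EvidenceRecord:
    """Replace the document; allowed only for the checking-out user."""
    if not can_edit(record, user):
        raise PermissionError(f"{user} may not edit {record.record_id}")
    record.document = new_document
    record.version += 1
    record.version_date = today
    return record


def checkin(record: EvidenceRecord, user: str) -> EvidenceRecord:
    """Release the record; the permission field is cleared for everyone."""
    if not can_edit(record, user):
        raise PermissionError(f"{user} did not check out {record.record_id}")
    record.checked_out_by = None
    return record


if __name__ == "__main__":
    rec = EvidenceRecord("EVR-0001", "access_policy_v1.pdf")
    checkout(rec, "alice")
    upload_document(rec, "alice", "access_policy_v2.pdf", date(2024, 3, 2))
    checkin(rec, "alice")
    for entry in rec.version_history:
        print(entry.version, entry.version_date, entry.document)
```

The history snapshot is taken at checkout, not at upload, so a reviewer can always recover what the evidence looked like before the checking-out user touched it, even if the upload itself fails part way.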

RCCM: Generate Assessments (Full Scope)

Creates Control Self Assessments, Design Test Results, Operating Test Results and Control 302 Certifications using variables selected in the Compliance Engagement record. This data feed always uses every Control Procedure identified in the Scope tab of the Compliance Engagement application record.

RCCM: Generate Assessments (Partial Scope)

Creates Control Self Assessments, Design Test Results, Operating Test Results and Control 302 Certifications using variables selected in the Compliance Engagement record. This data feed runs when Partial Scope is selected within a Compliance Engagement and utilizes Controls that are In Scope from the Partial Scope Selection section to generate assessments.

RCCM: Scope Compliance Engagement by Compliance Scope

Uses identified Compliance Scope records and associates related data to the Compliance Engagement Record. Control Procedures, Primary Controls, Business Processes, Applications, Devices, Storage Devices, Facilities, and Information Assets related to the Compliance Scope record are linked to the Compliance Engagement record. The data feed creates a Scoping Unit record for each Control Procedure associated to the Compliance Engagement.

RCCM: Scope Compliance Engagement by Compliance Scope/Control Set

Uses identified Compliance Scope records and associates related data to the Compliance Engagement Record. Control Procedures, Primary Controls, Business Processes, Applications, Devices, Storage Devices, Facilities, and Information Assets related to the Compliance Scope record are linked to the Compliance Engagement record. The data feed creates a Scoping Unit record for each Control Procedure associated to the Compliance Engagement.

RCCM: Scope Compliance Engagement by Control Procedures/Control Set

Uses identified Control Set values within Control Procedures records to identify Control Procedures that match the selected criteria and associates related data to the Compliance Engagement record. It links the Business Processes, Facilities, Primary Controls, and Applications that are related to those Control Procedures, and the Information Assets, Storage Devices, and Devices that are related to those Applications. The data feed creates a Scoping Unit record for each Control Procedure associated to the Compliance Engagement.

RCCM: Scope Compliance Scope Records by Business Process

Uses identified Business Process records and associates related data to the Compliance Scope record. It links the Control Procedures that are related to those Business Processes; the Facilities, Primary Controls, and Applications that are related to those Control Procedures; and the Information Assets, Storage Devices, and Devices that are related to those Applications.

RCCM: Scope Compliance Scope Records by Control Procedure

Uses identified Control Procedures records and associates related data to the Compliance Scope record. It links the Business Processes, Facilities, Primary Controls, and Applications that are related to those Control Procedures, and the Information Assets, Storage Devices, and Devices that are related to those Applications.

RCCM: Scope Compliance Scope Records by Control Set

Uses an identified Control Set value within Control Procedures records to identify Control Procedures that match the selected criteria and associates related data to the Compliance Scope record. It links the Business Processes, Facilities, Primary Controls, and Applications that are related to those Control Procedures, and the Information Assets, Storage Devices, and Devices that are related to those Applications.
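The scoping feeds above all walk the same relationship chain (Business Process to Control Procedure to Facility, Primary Control, and Application, then Application to Information Asset, Storage Device, and Device), differing only in which record type seeds the walk. The following is an added example, not the product's own feed logic, that carries out that walk over a small constructed data set and covers the three seed types plus the Scoping Unit creation of the Compliance Engagement feeds; the record IDs, field names, and control set values are constructed for the example.

```python
from typing import Dict, Iterable, List, Set

# Constructed sample data: which records each Control Procedure is related to.
CONTROL_PROCEDURES: Dict[str, dict] = {
    "CP-1": {"control_set": "SOX ITGC", "business_processes": {"BP-Payroll"},
             "facilities": {"FAC-HQ"}, "primary_controls": {"PC-Access"},
             "applications": {"APP-HR"}},
    "CP-2": {"control_set": "SOX ITGC", "business_processes": {"BP-Payroll", "BP-Close"},
             "facilities": set(), "primary_controls": {"PC-Change"},
             "applications": {"APP-GL"}},
    "CP-3": {"control_set": "Operational", "business_processes": {"BP-Close"},
             "facilities": {"FAC-DC1"}, "primary_controls": {"PC-Backup"},
             "applications": {"APP-GL"}},
}

# Constructed sample data: which records each Application is related to.
APPLICATIONS: Dict[str, dict] = {
    "APP-HR": {"information_assets": {"IA-Employee"}, "storage_devices": {"SD-SAN1"},
               "devices": {"DEV-HRDB"}},
    "APP-GL": {"information_assets": {"IA-Ledger"}, "storage_devices": {"SD-SAN1"},
               "devices": {"DEV-GLDB"}},
}

CP_LINKS = ("business_processes", "facilities", "primary_controls", "applications")
APP_LINKS = ("information_assets", "storage_devices", "devices")


def related_to_control_procedures(cp_ids: Iterable[str]) -> Dict[str, Set[str]]:
    """Second and third hop of every feed: CP -> {BP, Facility, PC, App},
    then App -> {Information Asset, Storage Device, Device}."""
    scope: Dict[str, Set[str]] = {k: set() for k in CP_LINKS + APP_LINKS}
    scope["control_procedures"] = set(cp_ids)
    for cp_id in scope["control_procedures"]:
        cp = CONTROL_PROCEDURES[cp_id]          # KeyError for an unknown CP is intended
        for key in CP_LINKS:
            scope[key] |= cp[key]
    for app_id in scope["applications"]:
        for key in APP_LINKS:
            scope[key] |= APPLICATIONS[app_id][key]
    return scope


def scope_by_control_procedure(cp_ids: Iterable[str]) -> Dict[str, Set[str]]:
    """Seed: explicitly identified Control Procedures."""
    return related_to_control_procedures(cp_ids)


def scope_by_business_process(bp_ids: Iterable[str]) -> Dict[str, Set[str]]:
    """Seed: Business Processes. Control Procedures linked to any seed BP are
    pulled in; the BP set itself stays exactly as identified by the user."""
    seeds = set(bp_ids)
    cps = {cp_id for cp_id, cp in CONTROL_PROCEDURES.items()
           if cp["business_processes"] & seeds}
    scope = related_to_control_procedures(cps)
    scope["business_processes"] = seeds
    return scope


def scope_by_control_set(control_set: str) -> Dict[str, Set[str]]:
    """Seed: a Control Set value matched against each Control Procedure."""
    cps = {cp_id for cp_id, cp in CONTROL_PROCEDURES.items()
           if cp["control_set"] == control_set}
    return related_to_control_procedures(cps)


def scope_engagement(engagement_id: str, scope: Dict[str, Set[str]]) -> List[dict]:
    """Compliance Engagement feeds: one Scoping Unit per in-scope Control
    Procedure, each tied back to the engagement."""
    return [{"engagement": engagement_id, "control_procedure": cp_id}
            for cp_id in sorted(scope["control_procedures"])]


if __name__ == "__main__":
    payroll = scope_by_business_process(["BP-Payroll"])
    for record_type, ids in sorted(payroll.items()):
        print(f"{record_type}: {sorted(ids)}")
    for unit in scope_engagement("CE-2024-Q1", payroll):
        print(unit)
```

Seeding by Business Process is the broadest walk: selecting only BP-Payroll pulls in CP-2 and, through it, the general ledger application and its storage. That is the behaviour to review when a scope looks larger than expected, because an Application shared by several Control Procedures carries its Information Assets and Devices into every engagement that touches any one of them.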