Rumours about why they fail compliance

  • A person in my company told me a few days ago that she’d heard that for 60% of the companies that fail, horrible IT controls are the reason.
    I cannot find anything about this topic on the internet to confirm or deny this statement.
    Can anyone help?
    Information about IT controls, and companies that fail because of them, is especially interesting.

  • My opinion:
    Personnel-related issues, typically related to poor segregation of duties, inadequate staffing, or related training or supervision problems.
    Weaknesses related to documentation.

    From Compliance Week:
    Problems with financial systems and procedures remain the most common types of weaknesses and deficiencies disclosed.

    From PricewaterhouseCoopers:
    The most frequently cited area requiring internal control remediation efforts was in this category of financial process improvements. Computer and security controls also ranked high on the PwC remediation priority.

    From IIA Enterprise Risk Management and Control Self-Assessment Conference, September 9, 2004:
    Frequently cited categories of internal control weaknesses
    Staffing/Personnel 32%
    Documentation 19%
    GAAP Misapplication 16%
    Segregation of duties 12%

  • Some frequently reported internal control disclosures:

    Roles and responsibilities of finance and accounting personnel not adequately defined
    Employees’ lack of understanding of company policies and procedures
    Inconsistent application of company policy among business units and segments
    Skill set inadequate to meet the needs
    High turnover in the accounting and finance function and other functions
    Inadequate staffing and supervision
    Lack of systematic documentation
    No documentation showing that customer credit check was performed
    Improper capitalization of manufacturing costs

    Lack of segregation of duties (within the branches, with regard to certain personnel within inventory accounting, between payroll and other accounting personnel, between certain transaction recording and related asset accountability functions, related to check disbursement for loan processing and cash receipts etc.)
    Overriding of internal controls by the CEO and CFO without proper documentation

    Poor oversight by the Board and Audit Committee

    Misrepresentation of certain facts by the management to auditors
    User access to IT systems not changed when a user’s status changed
    Inactive accounts

    Lack of IT system maintenance policies and procedures

    Lack of policies and procedures to address overall IT security
    Lack of a separate test environment from the production environment.
