Introduction to Oracle Internal Controls Manager

Oracle Internal Controls Manager is a comprehensive tool for executives, controllers, internal audit departments, and public accounting firms to document and test internal controls and monitor ongoing compliance. It is based on COSO (Committee of Sponsoring Organizations) standards.

In many countries, governmental regulations apply to the testing and reporting of corporate internal controls. For example, in the United States, the Sarbanes-Oxley Act of 2002 makes reporting on a company's internal control mandatory for both management and external auditors.

This chapter provides an introduction to corporate governance and the Oracle Internal Controls Manager.

Corporate Governance

The following diagram provides a high level overview of a generic corporate governance business flow:

 

As shown in the above figure, corporate governance generally includes a series of tasks that must be performed in any organization.

Establish a Program Office

The program office is typically authorized by the most senior executives in the enterprise. The program office establishes internal and external oversight responsibility and sets the parameters under which other offices will operate. These parameters will include the dates and milestones by which internal controls need to be in place as well as the personnel in the organization whose involvement is critical for compliance. Specific audit projects can be undertaken either as a scheduled activity or as the result of trigger events.

A critical task of the program office is to establish a framework that will be used to assess and manage the entity's risk as well as the controls mitigating that risk. The COSO framework is the most prevalent framework for assessing the effectiveness of an organization's internal controls.

Establish Enterprise Structure

Establish an organization structure that allows segregation of duties and alerts management of possible infringements. This exercise will also result in identifying specific departments that must be analyzed for compliance.

Document Business Processes

Identify and analyze all the business processes that are specific to a particular entity within the enterprise. A review of the entity's procedure manuals, interviews, and replicating existing procedures will often highlight the business processes involved. These processes must also be mapped to key financial accounts to provide reasonable assurance regarding the reliability of financial statements.

Establish a Risk and Controls Library

Create a library of all the recurring risks to which business processes within the entity are exposed. To create this risk library, auditors must take factors such as the business structure and control environment into consideration. Though some financial, operational, and disclosure risks are specific to an entity, a business process is typically subject to the following types of risk:

  • Recorded transactions are valid. For example, sales are for shipments made to non-fictitious customers.
  • Transactions are authorized. For example, payments are made for approved orders.
  • Transactions are correctly valued. For example, sales are recorded for the correct amount of goods shipped.
  • Transactions are properly classified. For example, sales transactions are included in the correct accounts and properly summarized.
  • Transactions are recorded at the proper time. For example, sales are recorded on a timely basis.
  • Transactions are free from omissions and mistakes. For example, all sales that have taken place are recorded.

The library also consists of internal controls set up to mitigate process risk. Analyze the internal controls of the entity that are currently in place and add them to the controls library.

Control procedures generally fall into the following five categories:

  • Adequate separation of duties
  • Maintaining an audit trail through adequate documents and records
  • Procedures for authorization
  • Control over assets and records
  • Independent checks on performance

Auditors often create a matrix that links an entity's financial, operational, and disclosure risk to the internal controls currently in place. Where necessary, propose new internal controls or modify existing controls to mitigate risk.

Conduct Assessments

Once an auditor has obtained an overview of the design and operation of the internal control structure (through an investigation of processes, risks, and controls), an assessment of control risk must be made. This assessment will determine the extent of audit work that must be performed to test internal controls.

The assessment of control risk is usually conducted by detailed control objective for each major type of transaction. This will include collecting data for key processes such as:

  • Acquisition and payment
  • Sales and collection
  • Production & inventory
  • Processes related to employees
  • Capital acquisition, depreciation, and repayment
  • Processes related to debt and investment portfolios

While making assessments, it is also critical that you monitor issues raised by whistleblowers. These can be suppliers, customers, and employees. Periodically, a survey can be conducted for concerned stakeholders to obtain their opinion on the adequacy of internal controls.

Finally, document the results of your assessment evaluations.

Scope Audit Projects

Identify the nature of the audit project, the scope of testing, and the resources required.

Test Internal Controls

As a prerequisite to testing, it is important to define key metrics for evaluating internal controls. Audit procedures can then be designed to test whether internal controls are effective and operating as designed. Ensure that the internal controls are being tested on a sample that is representative of the population.

Document Results and Provide Audit Opinions and Reports

Document all audit procedures and their results. Based on these results, auditors issue opinions and reports. It is useful to integrate results and alerts into the disclosure and reporting cycle.

Evaluations and results must be communicated to the audit committee and independent auditor regarding issues such as the following:

  • Control Deficiencies
  • Fraud
  • Material Weaknesses

Implement Changes

Based on the audit results, you can propose new internal controls or modify existing controls to improve their effectiveness in mitigating risk.

Overview of Oracle Internal Controls Manager

As a key module of Oracle's Internal Control Applications, Oracle Internal Controls Manager is a comprehensive audit tool that offers web-based risk and audit management features. The module can be used by executives, controllers, internal audit departments, and public accounting firms to document and test internal controls and monitor ongoing compliance.

With Oracle Internal Controls Manager, your company can increase internal control testing efficiency, improve risk assessment confidence, and lower external audit verification costs. Use the application's intuitive workbench to organize, execute, and manage audit activities like the following:

  • Define standard business processes and map them to an organization structure
  • Set up risks to which processes are exposed
  • Set up controls that can mitigate process risk
  • Record your assessment of the organization's compliance with established controls and regulations
  • Create audit procedures to verify controls
  • Review the compliance of your business processes/systems and record audit results

Setup of Oracle Internal Controls Manager

The following section provides a brief overview of the tasks that must be undertaken to set up and execute audits using the Oracle Internal Controls Manager application.

Set up Auditable Units

The entire setup of Oracle Internal Controls Manager is done within the context of "Auditable Units." An Auditable Unit is a special category of an Oracle organization.

Define Standard Business Processes and Map them to an Organization Structure

Use Oracle Internal Controls Manager to create processes that accurately reflect your enterprise's business flows. Processes can be authored using Oracle Tutor (preferred) or Oracle Workflow, both of which integrate with Oracle Internal Controls Manager.


Set Up a Risk and Controls Library

The risk library consists of processes and risks, as well as the policies, procedures, and activities that allow an organization to address those risks.

Risks:

Use Oracle Internal Controls Manager to create and maintain a library of reusable risks that can then be associated with business processes in the organization.

Controls:

Set up controls that can mitigate process risk.

Risk libraries can consist of content from external sources. If you decide to implement a partner's library, Oracle Internal Controls Manager includes a spreadsheet interface that allows third party content to be imported.

To maintain the integrity of information within the risk library, creation or modification of library items in Oracle Internal Controls Manager is controlled by an approval process.

Record Your Assessment of the Organization's Compliance with Established Controls and Regulations

With respect to testing controls, as well as other tests like tests of details of balances, the amount of procedural work performed in an audit depends to a large extent on an auditor's assessment of the organization's internal control structure and compliance with established controls and regulations.

Oracle Internal Controls Manager enables you to incorporate an assessment of the organization regarding its internal control structure and compliance. The assessment is made with respect to:

  • Predefined components affecting the organization's audit environment
  • A particular organizational context


Create Audit Procedures to Verify Controls

Audit procedures provide detailed steps to be performed during audit fieldwork. They are designed to achieve specific audit objectives by validating the effectiveness of controls, in terms of their design, as well as their operation. In Oracle Internal Controls Manager, you can create audit procedures and associate them with the controls that the procedures are supposed to verify.


Set up Audit Projects to Manage Audit Assignments

Internal audits in organizations are usually managed as projects and audit procedures typically translate into tasks within these projects. Once you have reviewed compliance and completed the audit, Oracle Internal Controls Manager enables you to record your evaluations and audit opinions.

Test for Segregation of Duties Violations

Oracle Internal Controls Manager enables you to identify any combination of tasks in an enterprise as incompatible. Access to more than one task from a set of such tasks allows a user the opportunity for misconduct. An individual in the enterprise with access to more than one of these tasks is therefore in violation of a segregation of duties standard.

The application enables the proactive monitoring of incompatible tasks and reports those occurrences where a single person has access to them.
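
The check described above, sketched as an added example (it is not Oracle's code and does not show how the product implements the test). It assumes users reach tasks through roles; every task, role, user and constraint name below is hypothetical and the data is constructed.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names, not from any real system).
INCOMPATIBLE_SETS = {
    "SOD-01 vendor-to-payment": {"create_supplier", "enter_invoice", "approve_payment"},
    "SOD-02 journal": {"enter_journal", "post_journal"},
}
ROLE_TASKS = {
    "AP Clerk": {"enter_invoice", "view_supplier"},
    "AP Manager": {"approve_payment", "view_supplier"},
    "Supplier Admin": {"create_supplier"},
    "GL Super User": {"enter_journal", "post_journal"},
}
USER_ROLES = {
    "alice": {"AP Clerk"},
    "bob": {"AP Clerk", "AP Manager"},
    "carol": {"GL Super User"},
    "dave": {"Supplier Admin", "Unknown Role"},
}


def effective_access(roles, role_tasks):
    """Map each task a user can reach to the roles that grant it."""
    granted_by = defaultdict(set)
    for role in roles:
        for task in role_tasks.get(role, ()):  # unknown roles grant nothing
            granted_by[task].add(role)
    return granted_by


def find_sod_violations(user_roles, role_tasks, incompatible_sets):
    """Return one finding per (user, constraint) where the user reaches
    more than one task from the same incompatible set."""
    findings = []
    for user in sorted(user_roles):
        granted_by = effective_access(user_roles[user], role_tasks)
        for name in sorted(incompatible_sets):
            conflict = incompatible_sets[name]
            held = sorted(conflict.intersection(granted_by))
            if len(held) > 1:
                findings.append({
                    "user": user,
                    "constraint": name,
                    "tasks": held,
                    # Which role grants each conflicting task.
                    "via": {t: sorted(granted_by[t]) for t in held},
                    # True when one role alone carries the conflict, so the
                    # remedy is a role redesign, not a revoked assignment.
                    "single_role": any(
                        len(role_tasks.get(r, set()) & conflict) > 1
                        for r in user_roles[user]),
                })
    return findings


if __name__ == "__main__":
    for finding in find_sod_violations(USER_ROLES, ROLE_TASKS, INCOMPATIBLE_SETS):
        print(finding)
```

The "via" field records which role supplies each conflicting task, which is what a reviewer needs in order to decide which assignment to remove.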


Set up Process Variations and Exceptions

A primary task in setting up Oracle Internal Controls Manager is to create processes that accurately reflect the business flows of the enterprise. It is advantageous for an enterprise to work with standardized business processes.

For a variety of reasons however, one or more organizational units within an enterprise may be running modified forms or "derivatives" of the standard process. To handle such process alterations, Oracle Internal Controls Manager allows you to create process variations and process exceptions.


Business Process Certification

Process certification requires process owners to provide assurance that their organization's processes are in compliance with the standard(s) utilized as the basis of the firm's management system. It includes a series of rigorous audits and other activities to provide assurance that the organization's processes are adequate and effective.

Successful completion of an audit and any related follow-up activities which may be required results in the process being "certified." The certification attests to the process meeting the requirements of the applicable standard. External auditors seek objective evidence of such a system being established and effectively implemented prior to issuance of financial statements.

Oracle Internal Controls Manager provides an elaborate mechanism to certify your business processes. You can use the results of audit projects executed in the application as a basis for the certification.


Financial Statement Certification

The financial audit is conducted to determine whether a firm's financial statements are in compliance with specified criteria, typically generally accepted accounting principles. Oracle Internal Controls Manager enables you to use audit evaluations and process certifications to certify your financial statements.


Findings

During the audit process, non-conformities to established standards are often discovered and these anomalies are identified as "Findings." They are typically items of material concern that violate sound accounting practice and accountability.

A certification cannot be issued until all Findings are effectively addressed and remedied. Oracle Internal Controls Manager allows you to record and track Findings that come to light during the execution of your audit projects.

Reporting

The application provides seven predefined risk library reports that enable you to periodically verify the accuracy and integrity of the processes and objects that are present in your risk library.

Integration with E-Business Suite Applications

Oracle Internal Controls Manager is independent of the applications that it tests and validates and can be successfully deployed in any environment (Oracle or non-Oracle). However, integration with other modules in the Oracle E-Business Suite provides additional benefits as described below.

Oracle Tutor:

Oracle Tutor is a powerful application for mapping and documenting your business processes and workflows. It offers procedure authoring, automatic flowcharting, and role based publishing. Oracle Tutor also contains predefined business models and flows.

Business processes authored in Tutor can be uploaded into Oracle Internal Controls Manager. The import automatically creates the same processes in Oracle Internal Controls Manager along with a visual diagram of the process flow. Oracle Tutor is the preferred tool for procedure authoring and documentation.

Oracle Workflow:

Oracle Workflow charts your processes through the E-Business suite, controlling and enforcing the flows that work for your business. It is an active work management tool and serves as the database of business processes and process activities.

Business workflows defined in the Oracle Workflow Builder can be made available as processes in Oracle Internal Controls Manager. You therefore ensure that the process is executed in the way that you set it up.

Oracle Files:

Oracle Files is a document management tool. Help files and process documentation developed using Oracle Tutor or any other tool can be associated with procedures and applicable processes. Process documentation often becomes the basis for compliance checking performed by auditors.

Oracle Files provides you with document version control, check in, check out, and storage in an Oracle Database.

Oracle Scripting:

Oracle Scripting is a powerful tool for quickly building questionnaires, easily identifying survey participants, deploying the surveys via e-mail, and allowing respondents to fill out questionnaires via the internet.

By obtaining employee and stakeholder feedback on processes and internal controls, Oracle Scripting helps you to provide an effective control environment and perform high level risk assessments. Use the survey results to help in assessing the extent of audit work to be performed.

Once seeded, survey scripts can be deployed and used with minimal changes. You can review a seeded survey, make organization specific changes, and then redeploy them to collect information from survey participants.

Oracle Corporate Performance Management:

Enterprise performance management encompasses activities like:

  • Strategic goal setting and alignment
  • Planning, budgeting, forecasting and modeling
  • Operational analytics and reporting

Several Oracle products make up the Corporate Performance Management framework. These include applications like Oracle Financial Analyzer, Sales Analyzer and Performance Analyzer, Oracle Activity Based Management, Oracle Balanced Scorecard, and Oracle Daily Business Intelligence.

By setting process control limits within these applications, the performance management framework allows you to constantly monitor your business processes and notify you of exceptions that may warrant audit work.

Oracle Project Applications:

By creating your audit procedures as projects set up in Oracle Projects, you get all the benefits of the Oracle Projects family of applications. These applications include:

  • Oracle Project Management
  • Oracle Project Costing
  • Oracle Project Resource Management
  • Oracle Project Collaboration
  • Oracle Project Intelligence

Oracle Approvals Management:

The integration with Oracle Approvals Management enables a formal approval of risks, controls, and audit procedures. Approval is required for the creation and modification of these risk library objects. There is no requirement to customize any application code.

These rules are set up in Oracle Approvals Management and determine who must approve a risk library object before it can be used. Approvers can be one or more individuals in a hierarchy.

Other Oracle E-Business Suite modules:

If your environment includes Oracle E-Business Suite applications such as Oracle Payables and Oracle Receivables, several internal controls in those modules are made available to Oracle Internal Controls Manager by Oracle development.

Responsibilities in Oracle Internal Controls Manager

The Oracle Internal Controls Manager is pre-seeded with several responsibilities that are used to access the application. The following tables provide more details on these responsibilities.

The table below lists the Oracle Internal Controls Manager responsibilities along with their contextual details and relevant chapters:

| Name of Pre-seeded Responsibility | Contextual Information | Chapter |
|---|---|---|
| Internal Controls Manager Super User (SSW) | Business Processes, Risk and Controls Library, Assessments | Chapter 2 - 6 |
| Internal Controls Manager Super User (Forms) | Oracle Internal Controls Manager related Profiles and Lookups | All relevant setups |
| Internal Auditor | Assessments, Audit Projects, Segregation of Duty Violations, Findings and Remediations | Chapter 7, 8, 12 |
| Business Process Owner | Process Variations and Exceptions, Process Certifications, Issues and Remediations | Chapter 9, 10 |
| Global Operations Controller | Process Certifications, Issues and Remediations | Chapter 10 |
| Signing Officer | Financial Statement Certification, Issues and Remediations | Chapter 11 |
| Oracle ICM Discoverer Reports | Control Reports | Chapter 13 |

 

The following table displays a matrix of responsibilities and menu items in Oracle Internal Controls Manager:

Responsibilities (columns): Global Operations Controller, Business Process Owner, Signing Officer, Internal Auditor, Oracle Internal Controls Manager Super User

Menu items (rows):

  • Create Process Certifications
  • Review Process Certifications
  • Certify Processes
  • Create and Track Issues
  • Create and Track Remediation Actions
  • View "My Processes"
  • View Certifications created by GPO
  • Certify Financial Statements
  • Create Financial Statement Certifications
  • Track Issues created by Process Owners
  • View Audit Evaluations
  • View Org specific Process hierarchy
  • View Process Certifications
  • Create & Track Remediation Actions
  • Conduct Segregation of Duties Violation checks
  • Create & Track Findings
