Internal Control Management

Recent corporate financial scandals involving many companies have damaged investor and employee confidence. As a result, corporate governance has moved to the forefront of business agendas. There is an increasing focus on corporate accountability and compliance, with regulators holding top executives personally responsible for misrepresentation of company performance. Oracle® Internal Controls Manager is a comprehensive tool that CXOs, controllers, internal audit departments and public accounting firms can use to document and test internal controls and monitor ongoing compliance. With Oracle Internal Controls Manager, your company can increase internal control testing efficiency, improve risk assessment confidence, and lower external audit verification costs. Oracle Internal Controls Manager is part of the Oracle E-Business Suite, an integrated set of applications that are engineered to work together.

Benefits:

Oracle Internal Control Management provides the following benefits:

Comprehensive Policy and Compliance Management Solution

Oracle Internal Controls Manager assembles the components necessary to document, test, and monitor internal controls and compliance. It provides an easy-to-use workbench from which you can organize, execute, and manage audit work, including the following activities:

  • Defining the business processes of the enterprise
  • Managing process documentation
  • Managing the process risk library
  • Ensuring/Testing the segregation of duties
  • Mapping the organization structure
  • Managing business process variations
  • Managing the audit process and projects
  • Submitting audit findings
  • Issuing audit reports
  • Surveying management assessment of internal controls
  • Providing employee and stakeholder feedback
  • Reviewing compliance status of financial statements
  • Reviewing the reconciliation status of all subsystems
  • Reviewing the overall compliance status
  • Reviewing policy compliance

Process Authoring Through Oracle Workflow

The internal audit department needs an understanding of the business processes within the application. Oracle E-Business Suite comes with an embedded process-modeling tool, Oracle Workflow. This tool is not only a drafting tool for the designer of the business process but also the database of business processes and process activities. Thus, Oracle Workflow is the active work management tool used by the applications suite.
The processes within each of the applications are shown in the navigator, which allows you to navigate to the processes and invoke the functions that they relate to in the applications. These processes can be nested to any depth, all the way from managing the enterprise to routing a document. Since Oracle Internal Controls Manager uses the processes that are defined by Oracle Workflow, you automatically ensure that the process is really executed in the way that you documented it. Oracle Internal Controls Manager allows you to enrich the definition of the process by identifying the process owner, process category, risk category, approval status, etc. A graphic image of the process flow is also displayed to help visualize the process.

Managing Process Documentation

As part of the internal audit function, the internal auditor needs to develop a picture of the processes of the company, similar to the library needed for an ISO 9000 compliance audit. This process documentation becomes the basis of the compliance checking performed by auditors later on. Oracle Tutor provides an out-of-the-box procedures manual that can be changed to better represent your business processes in Oracle E-Business Suite. Oracle Tutor is integrated with Oracle iLearning, which allows your managers to verify that their employees have studied the procedures required to perform the job. Once the procedures are developed using Oracle Tutor, you can associate the procedures with the applicable processes and access the procedures from the process details.

Managing Process Certification

Before implementing a process, you can request that the process be certified for implementation. This initiates a notification to all process owners of all subsidiary processes to certify that their processes have adequate internal controls. Process owners of higher-level processes can review the certification status of subsidiary processes as part of their own certification process. The attribute Certification Status indicates the certification status of a process. This can be “Requested”, “Certified” by the manager of the process or “Attested” (verified) by an auditor.

Financial Statement Item Risks

One responsibility of the internal audit function is maintaining the relationship between a business process and the key accounts that it impacts. Oracle Internal Controls Manager allows you to associate each process with multiple financial statement items, establishing the link between financial statements and the risks to which they are exposed. For example, the risk “customer default” would impact the financial statement item “Revenue” through the “Order-To-Cash” process.

Identifying and Defining Risks

Managers take risks in conducting their business. Each business process within an organization contains numerous risks. In the interest of protecting shareholder value, the management of each company is required to identify the risks associated with each business process and the possible effect that each risk might have on that process. Oracle Internal Controls Manager enables you to maintain a library of reusable risks that can then be associated with each business process within an organization. Each risk is classified by its probability and impact. For example, the risk of a loss-making order being accepted may have a low probability and a high impact. The risk that a salesperson may accept a kickback from a distributor for not negotiating hard for the company may have a high probability and a low impact. You can associate an existing risk with the process, or you can add a new risk and create the association at the same time.

Designing Controls to Mitigate Risks

Controls are designed to mitigate one or more risks. A control type defines how a particular control is implemented in the application. The following five control types are provided by Oracle Internal Controls Manager, with the appropriate control sources:

  • KPIs of the Organization
  • Registered Workflow Activities in the Application
  • Profile Options and Registered application parameters
  • Applications Reports

You can define multiple objectives for a control. These control objectives can be verified both for their design effectiveness and their operational effectiveness. You can also define a set of assertions for each control. Once controls are designed, you can associate them with the appropriate risks. You can also review and associate the controls that apply to each risk in the library.

Library Change Control

Oracle Internal Controls Manager allows you to manage changes to library objects such as risks, controls and audit procedures with the level of control that is required within your company. When any object is changed, the change is not visible to other users until all required approvers approve the change. This way, you can ensure the integrity of your risk library.

Integrity Reports

Oracle Internal Controls Manager provides various reports that enable you to periodically verify the accuracy and integrity of the objects that are present in your library. The following is a list of reports that Oracle Internal Controls Manager provides:

  • Risks that are not mitigated by any control
  • Controls that are not verified by any audit procedure
  • Controls that do not mitigate any risk
  • Risk-Control matrix
  • Business process audit status

Risk Assessment

The Scripting Survey component is a powerful tool for quickly building questionnaires, easily identifying survey participants, deploying the surveys via email, and allowing respondents to fill out questionnaires via the internet. Oracle iSurvey enables you to provide an effective control environment and perform macro-level risk assessments.
A number of surveys that help in assessing the need for the various internal control activities throughout the enterprise are available out of the box with the Script Author. These surveys can be deployed and used with minimal changes. You can open these surveys, set up new enterprise-specific logos, and then re-deploy the survey to collect information from the survey participants.

Confidential Feedback Mechanism

Oracle Scripting/iSurvey also enables you to effectively monitor operations by providing a confidential feedback mechanism. Section 301 of the Sarbanes-Oxley Act requires each audit committee of a public company to establish procedures for the receipt of confidential and anonymous submissions by employees regarding questionable accounting or auditing matters. This “whistleblower” provision now requires employers to provide all employees with a safe way to give anonymous feedback. You can also create and deploy such surveys, where employee confidentiality is of prime importance.

Audit Procedures

Audit procedures allow you to verify the design effectiveness or operational effectiveness of one or more controls. When you create an audit procedure, you can identify whether it is intended to verify design effectiveness or operational effectiveness. You can associate each audit procedure with all the controls that it is supposed to verify. You can also verify the details of all the past results for each audit procedure.

Audit Results

Oracle Internal Controls Manager allows you to verify both the design effectiveness and operational effectiveness of controls. You can record your overall opinion as to whether all the controls audited by the procedure were effective or not. Optionally, you can also record your opinion for each control that was covered by that audit procedure, as to whether that control is effective or not.

Compliance Workbench

The compliance workbench allows you to check the effectiveness of mitigating controls on each risk, as verified by the audit procedures. If a risk is mitigated by, say, five controls, the compliance workbench allows you to see the audit results of those five controls and assess the extent to which the corporation is exposed to that risk. Once you perform this assessment at the risk level, the compliance workbench allows you to assess the risk level from the perspective of business processes, organizations, and financial statement items.

Oracle E-Business Suite—The Complete Solution

Oracle E-Business Suite enables companies to efficiently manage customer processes, manufacture products, ship orders, collect payments, and more—all from applications that are built on a unified information architecture. This information architecture provides a single definition of your customers, suppliers, employees, products—all aspects of your business. Whether you implement one module or the entire Suite, Oracle E-Business Suite enables you to share unified information across the enterprise so you can make smarter decisions with better information.

Key Features

  • Change notifications are sent to all concerned personnel (e.g., process owners), and recipients of these notifications can review the modified processes prior to giving their approval.
  • The application maintains a detailed revision history for all processes (including nonstandard processes) in the entity. Auditors, therefore, have the ability to view a complete audit trail of changes taking place in the organization and the risk library.
  • Before approving a process change, you can compare the revised process with its prior version to determine whether the change is acceptable. This comparison is crucial in determining the impact of changes/deviations on associated processes. Through a hierarchy viewer, you can also see which associated business processes are impacted by the change.