
Thursday, December 1, 2011

CORPORATE COMPLIANCE AUDIT PROGRAMS AND CHECKLISTS

By John Kyriazoglou* (author’s credentials at the end of this document)

The following audit program and checklists are designed to be used by managers, auditors and compliance staff when establishing, controlling, reviewing, assessing and auditing the corporate compliance area and its particular components (compliance policies and procedures, corporate policies and procedures, ethics aspects, etc.).

These audit programs and checklists, detailed in the following paragraphs, should be reviewed and customized before they are used in any corporate environment:

1. Corporate governance and internal controls systems audit program,

2. Assessment of the compliance controls framework,

3. Corporate policies and procedures checklist,

4. Records management system checklist,

5. Financial management system checklist,

6. Corporate fraud management system checklist,

7. Internal audit checklist, and

8. Ethics management checklist



1. Corporate governance and internal controls system audit program

1. Assess Board and senior executive management responsibility for the oversight and monitoring of corporate governance and internal controls.

Consider: Board and senior management should ensure that policies, procedures and systems are current and well documented. Management should establish an effective system of internal controls. Corporate, compliance, risk management and internal controls should cover the IT environment as well as the other business functions. Board and senior management should adopt and enforce appropriate policies and procedures to manage compliance, all risks (enterprise, IT, investments, etc.), and should re-evaluate and improve these controls every year or two.

2. Assess senior executive management practices.

Consider: Reporting effectiveness to the Board of Directors. Periodic review and updating of policies, standards, procedures and practices. Instituting controls to ensure that management information and detailed data are reliable and the reporting cycle is adequate, and that operating procedures are efficient and effective. Regular review of compliance issues, risks, segregation of duties, personnel controls, information security, software development and acquisition, outsourcing, insurance issues, internal and external audit results, service level agreements and performance measurements including issues and corrective action plans, ensuring that procedures are in effect to assure continuity of business, etc.

3. Does the internal controls framework identify all the required control components?

Consider: control environment, risk assessment, control activities, information and communication, and monitoring.

4. Do the key functions of internal controls relate to all critical elements of governance?

Consider: Definition and establishment of objectives, standards and procedures. Definition of management responsibilities. Measurement of inputs, outputs and performance in relation to objectives. Critical review of the whole process. Reporting of both financial and non-financial results, compliance and performance. Taking corrective action, as necessary.

5. Do internal controls contain all types of controls?

Consider: Preventive controls (e.g. division of duties, authorization levels), detective controls (e.g. stock verification, bank reconciliation), directive controls (e.g. policies, procedures, training).

6. Are there adequate and effective financial controls in place at the detailed level, as required?

7. Are there adequate and effective customer service controls in place at the detailed level, as required?

8. Are there adequate and effective production/manufacturing controls in place at the detailed level, as required?

9. Are there adequate and effective information and communications controls in place at the detailed level, as required?

10. Are there adequate and effective asset management controls in place at the detailed level, as required?

11. Are there adequate and effective sales management controls in place at the detailed level, as required?

12. Are there adequate and effective management reporting controls in place at the detailed level, as required?



13. Are there adequate and effective internal audit controls in place at the detailed level, as required?

14. Are there adequate and effective human resource management controls in place at the detailed level, as required?

15. Are there adequate and effective research and innovation controls in place at the detailed level, as required?

16. Is there a formal and well-established performance management system for all functions of the organization?

Consider: The performance management system should promote and accelerate the rate of successful change, increase management's predictive and early-warning capabilities, provide a holistic perspective on the management of the organization, link to the reward and other incentive systems of the organization, and link and align, in an integrated manner, with the objectives and measures of the other levels of the organization, such as division, department, business unit, process, function, project, team, etc.

17. Are critical performance data shared across all levels of the organization?

18. Are strategic performance data reviewed at the appropriate levels of the organization, and actions taken as necessary?

19. Are the approved personnel empowered to have access to whatever critical performance data is required to make balanced decisions?

20. Is the accountability and follow-through process based on critical performance data?

21. Is the psychological resistance of staff (management, line staff, etc.) managed and resolved accordingly?

22. Is there an active audit committee in place?

23. Is there an internal audit function in place?

24. Is there a compliance function in place with all its constituent components (compliance officer, compliance committee, policies, procedures, action plan, etc.)?

25. Are corrective and improvement measures taken when performance issues and compliance breaches occur?



2. Assessment of the compliance controls framework

Assess the organizational structure to ensure that it is neither so simple that it cannot adequately monitor the entity’s activities nor so complex that it inhibits the flow of necessary information.

1. Does the compliance monitoring system of the organization cover all business functions?

2. What is the management’s attitude towards compliance with laws and regulations?

3. Does the management of the organization specify the level of competence needed for particular jobs, and translate the desired levels of competence into requisite knowledge, cultural characteristics and skills?

4. Does the Board or governing council provide an effective oversight function to ensure that the management of the organization does not override system controls?

5. Is the philosophy and operating style of management compliance-related?

6. Does the assignment of responsibility, delegation of authority and establishment of related policies and procedures provide a basis for effective accountability and control?

7. Are human resources policies the basis for recruiting and retaining competent people to enable the plans of the organization to be carried out and its goals and objectives to be achieved?

8. Does the Board, the senior executives and the management of the organization have a clear understanding of all strategic components, and convey the message that integrity and ethical values of the organization cannot and should not be compromised by anyone?

Consider: Clear understanding of the values, mission and vision, and performance targets of the organization. Full understanding of the general goals and specific objectives of the organization and how they fit in the framework of corporate strategy. Provision of adequate information for risk identification and resolution. Clear understanding of the role played by policies and procedures in achieving effective controls and compliance.



3. Corporate policies and procedures checklist

1. Have compliance rules, guidelines, policies and procedures been formally established and communicated to all levels and functions of the organization?

2. Is there an approved performance policy, system and evaluation process in place?

3. Is there an approved human resources management policy, set of procedures, a system and an evaluation process in place?

4. Is there an approved financial and cost management policy, and a set of related procedures in place?

5. Is there an approved asset management, disposition and protection system in place?

6. Is there an approved IT policy and a set of related procedures covering all areas, such as strategy, security, contingency planning and disaster recovery, information systems development and operation, database and data privacy protection, web services, etc.?

7. Is there an approved research and innovation system in place?

8. Is there a Management Reporting System (MRS) in place?

9. Is there a quality management system in place?

10. Is there a risk management system in operation?

11. Is there an ethics code and policy in place?

12. Is there a compliance policy in place?

13. Is there a corporate social responsibility policy in place?

14. Is there an anti-fraud policy in place?

4. Records management system checklist

1. Have operational guidelines and manuals been formally established, communicated to all levels and functions of the organization, and used in everyday work by all personnel?

2. Does the record-keeping system (for both manual and computerized files, media and data) of the organization produce complete and accurate results?

3. Is there an adequate documentation and effective audit trail for all transactions and activities?



4. Is there an approved segregation of duties policy, and a set of related procedures in operation?

5. Is there an approved employee rotation policy for critical jobs/tasks in operation?

6. Have levels of authorization been defined for all levels of management and all transactions and activities?

7. Are adequate asset protection and disposition controls in operation?

8. Are effective financial and cost management controls in operation?

9. Is there an active security committee, policy and procedures (for all elements: data, plants, installations, offices, infrastructure, systems, records, files, etc.) in operation at all levels?

10. Is there an active performance and compliance management, measurement and exception reporting system in place?



5. Financial management system checklist

1. Does the organization have a system for recording and tracking commitments, obligations and expenditures, and reconciling financial data?

2. Does the organization have controls that prevent incurring obligations in excess of funds available within a budget cost category?

3. Does the organization have a mechanism to ensure that periodic audits of the financial management area are undertaken?

4. Does the organization adjust financial plans in the light of the actual operating budget?

5. Does the organization monitor the reliability and confidentiality of financial data used in mission critical budgetary decisions?

6. Does the organization guard against breaches in confidentiality and loss of budget data integrity?

7. Does the organization use an operating budget to control project funds?

8. Does the organization link strategic goals, objectives and operational performance targets to budget performance activities?



6. Corporate fraud management system checklist

1. Does the organization have, within the corporate ethics policy, a statement with respect to fraud?

Consider: fraud definition, fraud hot-line, applicability to all employees, management, Board members, external contractors, media communications procedure for a disciplinary interview, employee services termination procedure, obligations of employees during notice periods and upon termination of employment, complaints procedure, conflict resolution, insurance claims, police contacting issues, investigation of fraud and corruption, theft and threats policy, obligations of external contractors, investigating procedure by the use of external approved investigators or expert internal audit personnel, and the protection procedure for the information sources.

2. Who is responsible for the issue of this statement?

3. Has this policy statement been approved and ratified by the Board or other top management committee?

4. Is this statement widely publicized in the organization?

5. Is this statement reviewed and improved annually?

6. Is the policy statement linked to internal controls?

7. Who (manager, function, etc.) is responsible for ownership and administration of the fraud policy?

8. How are fraud risks monitored, e.g. through risk registers?

9. Is there a budget for investigative costs on potential fraud issues?

10. Does the organization specify roles and responsibilities within the fraud policy (e.g. for the audit committee, the Board, the HR function, a Fraud Liaison Officer, etc.)?

11. What is the procedure for reporting suspicions of fraud?

12. What guidance is provided on dealing with incoming mail (such as anonymous letters, e-mails, etc.)?

13. Who are the first points of contact for reporting suspected dishonesty?

14. Does the organization have a whistle-blowing policy, which sets out the principles for protection of employees when reporting suspicions?



15. Does the organization keep a register of fraud?

16. Who is responsible for maintenance of this register (e.g. a Fraud Officer)?

17. What are the access rights to the fraud register?

18. Is the fraud register held securely?

19. Who is responsible for the investigation (e.g. internal audit)?

20. Who oversees the investigation?

21. Do written reports have to be submitted and to whom?

22. Are employees suspended from work pending an investigation?

23. Are all reasonable means of recovering any identified loss pursued?



7. Internal audit checklist

1. Is there an internal audit department?

Consider: terms of reference, organization chart, independence, expertise in IT.

2. Is there an internal IT audit function?

Consider: IT audit plan, adequacy of resources, suitability of resources, including qualifications, experience, technical competence and training.

3. Is there an internal audit policy document?

Consider: standards regarding review objectives, work plan, documentation, conclusions, report format, manager review.

4. Are all compliance issues subject to independent review by an internal audit function?

Consider: involvement in reviewing system developments, existing systems, computer operations, security and control issues, use of audit software, etc.

8. Ethics management checklist

1. Does a code of ethics exist for all personnel, including IT?

2. Has an anti-fraud policy and associated procedures been put into operation for the organization?

3. Are confidentiality statements signed by all IT personnel and all critical users?

4. Do explicit corporate rules cover issues, such as:

Personal use of computer services,

proprietary rights to computer programs,

proprietary rights to data,

confidentiality of passwords,

physical access to restricted areas,

management of visitors,

use of terminals,

personal use of media and supplies,

disclosure of privileged information,

maintenance of professional relationships,

reporting mechanism for conflict situations,

penalties and rewards for violators,

clear assignments of accountability,

controls over data and files,

Data Protection Act,

data classification system?

5. Is there a centralized ethics control function?

6. Are proper international ethics standards used in the design and implementation of the code of ethics of the organization?

7. Is there an ethics program and appointed staff in implementation or operation?

8. Have all staff undertaken, or are there schedules for, ethics training?



*Author’s Credentials

John Kyriazoglou, CICA, M.S., B.A. (Hon), is an International IT and Management Consultant, author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (published in 2010 by www.itgovernance.co.uk), and co-author of the book ‘CORPORATE CONTROLS’ (to be published in 2/2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.


Blogs

Articles, Opinions, etc.: http://corporatecontrols.blogspot.com/

Sunday, November 13, 2011

INFORMATION SENSITIVITY POLICY

By John Kyriazoglou* (author’s credentials at the end of this document)

The primary objective of the Information Sensitivity Policy is to provide guidelines for classifying the information collected and processed by an organization's information systems. This example may be used for educational purposes only, and it should be amended to suit the particular organization's legal and regulatory requirements and operating conditions before it is put to effective use and implemented in a real environment. The author assumes no responsibility whatsoever for the contents, suitability and accuracy of this policy.

An example of such a policy is described next.

Company ‘XYZ-Fictitious Enterprise Corporation’ Information Sensitivity Policy

1. Purpose

The Information Sensitivity Policy of ‘XYZ-Fictitious Enterprise Corporation’ (referred to as Company from now on) is intended to help management and staff of a corporate entity determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of <Company> without proper authorization.

2. Coverage

The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).

3. Classification Definitions

All <Company> information is categorized into three main classifications: <Company> Public, <Company> Confidential and <Company> Restricted.

<Company> Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to <Company>.

<Company> Confidential contains all other information that is not public or restricted, such as information stored in computer files and on network servers, telephone directories, general corporate information, personnel information, etc., which is nevertheless critical to the everyday activities of the company.

<Company> Restricted contains information that is more sensitive than other information, and should be protected in a more secure manner. This information includes: trade secrets, development programs, patents, copyrighted material, potential acquisition targets, and other information integral to the success of the company.

This classification, for all digital and non-digital information of the organization, should be carried out initially and reviewed and improved periodically by a management mechanism that includes: (a) Information Owners, (b) Information Systems Managers, and (c) Security Manager, with the support and advice of other corporate officers, such as data privacy officer, compliance officer, etc.

4. Encryption of Information

All <Company> Confidential and <Company> Restricted information should be encrypted in accordance with the Acceptable Encryption Policy. International issues regarding encryption are complex. Corporate guidelines on export controls on cryptography should be followed. For more details consult your manager and/or corporate legal services for further guidance.

5. Sensitivity Guidelines

The Sensitivity Guidelines below provide details on how to protect information at varying sensitivity levels.

5.1. <Company> Public: This relates to general corporate information, some personnel and technical information of a generalized nature.

Access: This information should be allowed to <Company> employees, contractors, and people with a business need to know. All accesses to this type of information should be authorized and recorded.

Distribution: Internal distribution of this information within <Company> should be carried out by standard inter-office mail, approved electronic mail and electronic file transmission methods. Distribution of this information outside of <Company’s> internal mail should be carried out by national mail and other public or private carriers, approved electronic mail and electronic file transmission methods. If this information is distributed in an electronic way, it should be sent to only approved recipients.

Storage: This information should be protected from loss. All electronic transmissions should have individual access controls where possible and appropriate.

Disposal/Destruction: Special disposal bins should be used for outdated paper information. Electronic data should be expunged, cleared and erased with specialized devices. Media should be physically destroyed.



5.2. <Company> Confidential: Business, financial, technical, and most personnel information.

Access: This information should be allowed to <Company> employees, contractors, and people with signed non-disclosure agreements who have a business need to know. All accesses to this type of information should be authorized and recorded.

Distribution: Internal distribution of this information within <Company> should be carried out by standard inter-office mail, approved electronic mail and electronic file transmission methods. Distribution of this information outside of <Company’s> internal mail should be carried out by national mail and other public or private carriers, approved electronic mail and electronic file transmission methods. If this information is distributed in an electronic way, it should be sent to only approved recipients.

Storage: This information should be protected from loss. All electronic transmissions should have individual access controls.

Disposal/Destruction: Special disposal bins should be used for outdated paper information. Electronic data should be expunged, cleared and erased with specialized devices. Media should be physically destroyed. All these actions should be authorized, recorded and reported.



5.3. <Company> Restricted: Trade secrets & marketing, operational, personnel, financial, source program code, & technical information integral to the success of <Company>.

Access: This information should be allowed to <Company> staff with signed non-disclosure agreements who have a specific board authorization. All accesses to this type of information should be recorded and reported.

Distribution within <Company>: This information should be delivered directly to the approved recipient against their signature. All envelopes should be stamped confidential. Electronic file transmissions should not be allowed.

Distribution outside of <Company> internal mail: This information should be delivered directly, by approved private carriers, to the approved recipient against their signature. All envelopes should be stamped confidential. Electronic file transmissions should not be allowed.

Storage: Individual access controls to this information should be enforced for electronic information. Appropriate physical security measures should be used, and information should be encrypted and stored in a physically secured computer.

Disposal/Destruction: This information should be physically destroyed by paper shredders and other specialized media destruction devices. Digital media should be cleared and erased before disposal. All these actions should be authorized, recorded and reported.



6. Business Connections

Access to <Company> computers and information systems by business partners, competitors and unauthorized external personnel must be restricted so that, in the event of an attempt to access <Company> corporate information, the amount of information at risk is minimized. Connections may be set up to allow others (business partners, etc.) to see only what they need to see only when specifically authorized by the board. Unauthorized personnel should only have access to information classified as <Company> Public, upon recording their details and their needs for accessing this information. This involves setting up both applications and network configurations to allow access to only what is necessary. All these actions should be recorded and reported.



7. Penalties

The penalty for deliberate or inadvertent disclosure of any information by any staff member (management, board, professional staff, line employee, etc.) found to have violated this policy may include disciplinary action, up to and including termination of employment, and possible civil and/or criminal prosecution to the full extent of the law.

8. Responsibility of management

All <Company> personnel should use these guidelines in securing <Company> Restricted and <Company> Confidential information to the fullest extent possible. All department heads are responsible for supervising the classification of all the information managed by their function. A register of such files should be maintained and reported to the senior management of the company. If a manager is not certain of the classification to be applied, he or she should contact a higher level of authority (such as the CEO, Ethics Committee, Compliance Committee, Compliance Officer, Legal Department, etc.), as specified by the internal controls policy and practices of the company.

9. Responsibility of staff

If an employee is uncertain of the sensitivity of a particular piece of information, he or she should contact their manager. If an employee feels that their manager is not following these guidelines, he or she should contact a higher level of authority (such as the CEO, Compliance Committee, Ethics Office, Compliance Officer, Legal Department, etc.), as specified by the internal controls policy and practices of the company.

10. Responsibility of Compliance Officer

It is the responsibility of the compliance officer to provide guidance to all personnel on the use of these guidelines, and to ensure that these guidelines are complied with. The compliance officer should also report to both the compliance committee and the board, on the basis of the company's reporting standards, on all compliance-related activities.


Saturday, November 12, 2011

PRIVACY OF INFORMATION POLICY
By John Kyriazoglou* (author’s credentials at the end of this document)

The primary objective of this Privacy of Information Policy is to provide general guidelines for the privacy aspects of an organization's information activities (collection, use, disclosure, monitoring, etc.). This example may be used for educational purposes only, and it should be amended to suit the particular organization's legal and regulatory requirements and operating conditions before it is put to effective use and implemented in a real environment. The author assumes no responsibility whatsoever for the contents, suitability and accuracy of this policy.
An example of such a policy is described next.

Company ‘XYZ-Fictitious Enterprise Corporation’ Privacy of Information Policy

1. Purpose of this policy
This policy explains how ‘XYZ-Fictitious Enterprise Corporation’ (hereafter termed the company) may collect information about customers and use it in order to satisfy particular customer and regulatory requirements. It also outlines some of the security measures that the company takes in order to protect data privacy, and provides certain assurances on things that the company will not do.

2. Commitment
The Company considers the protection of the privacy of customer data to be of utmost importance and is committed to providing all customers with a personalized service that meets the requirements of the specific customers in a way that safeguards their privacy.

3. Opportunity to decline
When the company obtains personal information from you, or when you take a new service from the company, we will give you the opportunity to indicate if you do or do not (as applicable) wish to receive information from the company about other services or products.
Normally this will be done by way of a tick box on an application form or contract. You may revise the choice that you have made at any time by writing to the company informing us of the change.

4. Personal information collection
Some of the personal information the company holds about you may be sensitive personal data within the meaning of the Data Protection Act and other relevant laws. The company may collect personal information about you from a number of sources, including: (a) from you when you agree to take a service from us in which case this may include your personal and/or business contact details, (b) from you when you contact the company with an enquiry or in response to a communication from the company, in which case this may tell us something about your preferences, and (c) from publicly available sources.

5. Use of information
Information you provide to the company or the company holds about you may be used by the company to: (a) identify you when you make enquiries, (b) help administer, and contact you about improved administration of, any accounts, services and products provided by the company previously, now or in the future, (c) carry out marketing analysis and customer profiling and create statistical and testing information, (d) help the company to prevent and detect fraud or loss, and (e) contact you by any means (including mail, email, telephone, etc.) about other services and products offered by the company, and authorized selected partners.

6. Credit reference checks
The company, in some circumstances, may do certain credit checks with licensed credit reference agencies when you apply to take a service or product. If this is applicable, then it will be stated in the terms and conditions of doing business between you and the company.

7. Disclosure of information
The company may disclose information only where legitimately requested for legal or regulatory purposes, as part of legal proceedings or prospective legal proceedings.

8. Protection of information
The company maintains strict security measures and controls in order to protect personal information. These include administrative and security policies, procedures and practices such as checking your identity when you telephone us, encrypting data on our websites and backing up data to offsite locations, in order to ensure compliance with all applicable legal requirements.

9. Internet access
If you communicate with the company via the internet then we may occasionally use e-mail to contact you about our services and products. Please be aware that communications over the Internet, such as emails, are not secure unless they have been encrypted. The company cannot accept responsibility for any unauthorized access or loss of personal information that is beyond the company’s control. We may use "cookies" to monitor website user traffic patterns and site usage. You can normally alter the settings of your browser to prevent acceptance of cookies. However, rejecting cookies may affect your ability to use some of the products and/or services at the company’s web site.

10. Monitoring of communications
All Company communications with you (including phone conversations, emails, etc.) may be monitored and recorded by the company for security, quality assurance, legal, regulatory and training purposes.


Profiles
http://www.linkedin.com/pub/john-kyriazoglou/0/9b/919
http://www.authorsden.com/jkyriazoglou
http://www.icttf.org/profile/johnkyriazoglou
http://www.blogger.com/profile/15482029934015594259

Blogs
Articles, Opinions, etc.: http://corporatecontrols.blogspot.com/
Publications: http://johnkyriazoglou-works.blogspot.com/