Copyright©2004 Cathy Cakebread Oracle Receivables and Sarbanes-Oxley Cathy Cakebread - Consultant...

Copyright©2004 Cathy Cakebread

Oracle Receivables and Sarbanes-Oxley

Cathy Cakebread - ConsultantNorthern California OAUG

July 2004


Agenda What Is Sarbanes-Oxley? Who Is Impacted? Which Are the Main Sections That Impact

Us? How are Your Internal Controls? Assess Risks and Controls Document Policies and Procedures Close and Reconcile the Period Control Revenue Recognition Sarbanes-Oxley Links


Sarbanes-Oxley Act Public Company Accounting Reform and Investor

Protection Act of 2002 - Enacted by Congress – Signed July 2002

Major Concepts: Executive Accountability CEO and CFO Certify Accuracy of Financial

Reports Document and Audit Internal Controls and

Procedures Document Risks and Mediation Real Time Disclosure of ‘Material Events’ Proper Retention of Records


Who Is Impacted? Organizations

Publicly Traded Candidate for Merger or IPO International Company with Stock Traded in US Basically - Everyone

Personal Responsibility CEO, CFO, President, Board? CIO?

Internal Impact Finance, IT, Manufacturing, Sales … Whole Company!


Section 302 – Corporate Responsibility for Financial Reports

CFO, CEO Certify Financial Report Accuracy

Document and Disclose Internal Controls and Procedures

Identify Deficiencies, Weaknesses and Potential Fraud with Remedies


Section 404 - Management Assessment of Internal Controls

Establish and Maintain Proper Internal Controls and Procedures

Assess Effectiveness of Internal Controls

Insure That Company Transactions Are Properly Reported and Controlled

Utilize a Controls Based Approach Perform Periodic Review of Controls


How Are Your Internal Controls?

Do you Have Proper Separation of Duties? Take advantage of Custom Responsibilities and

Functional Security Have You Documented Your Processes, Policies,

Procedures? Up to Date? Actually Used?

What Controls Are in Place? Your Close Procedures Invoice Forms Cash Handling…

Do You Use Spreadsheets for Critical Reporting?


And… How Confident are You of the

Accuracy of Your Data? Do You Control Manipulation of

Your Data (e.g., By IT) Are You Using Approvals?

For Adjustments? For Credit Memos? Are Your Customizations Still

Controlled?


Assess Risks and Controls Think About and Document How

Someone Could Cheat Using the System?

How Do You Prevent It? How Do You Know When It Happens

(If It Can’t Be Prevented?) What Are You Doing to ‘Get Around’

the System and it’s Controls?


User Controls Do You Utilize Unique Usernames and

Passwords? Have You Defined Appropriate Limited Access?

Frequent Review Of Responsibilities Define View Only Access As Needed Who Has Update Capabilities?

Controls to Restrict Based on Need Watch Out For Customers and Who Can Perform

Which Tasks Do You Check Record History?

Who and When for Adds and Updates


IT Controls Have You Controlled Data Correction?

You May Have No Choice – Then How Controlled? Do You Avoid Shared Usernames and

Passwords? – User and Database Do You Restrict Access to Data?

View Only Limit What Can Be Viewed

Update Strictly Controlled

If Changes are Made, Document What, Why, How, When, and By Whom Include Patches and Upgrades


Identify ‘Major Events’ How Do You Define These? How Will You Know When They Occur? How Will You Inform Your Executives?

Who? When? How? Examples:

Loss or Bankruptcy of Major Customer Major Payment Is Late Invoice/Order Over $X Major Write-offs Sales Expected to be Below Projection Major Project is Behind Schedule


DocumentPolicies and Procedures

Document Policies Review and Document Procedures/Processes

Utilizing Best Practices Identify Risks and Controls For Each Procedure

What Are They? How to Avoid Risks? How Will You Know When Exceptions Occur?

Actual Use of Policies and Procedures Validate Effectiveness

Internally Auditors


Key Processes Customer Maintenance

Who Can Add, Change, Inactivate? Who Controls Credit Limits? Who Can Change Names? What Are Your Controls for Adding New

Customers? Addresses? Inactivating? Invoices/Debit Memos/Credit Memos

Do You Use Separation of Duties? Are the Actual Forms Locked up? Have All Interfaced Items Made It?

How do You Know? Who is Responsible?


Corrections Credit Memos

What Controls Do You Have? Who Can Create Credit Memos? What is Your Monitoring Mechanism?

Especially if Over $x Adjustments

Do You Really Use Limits? And Varying Levels of Limits?

Check For Multiple Adjustments on Single Item?


Receipts Payments Received

Utilize External Lockbox? Control Cash Received in House? Handling of Non-AR Cash?

Credit Card Processing Prevent Fraud? Pre-Authorize? Protect Customer’s Credit Card Information? How do You Deal with ‘Stuck’ Items?


Visibility Collections

Restrictions on Who Can See What? On What Collectors Can Do?

Reporting of Doubtful Accounts and Bankruptcies? Disputes?

Reporting Who Can View Key Reports? Who Can Run Key Reports?


Close Process Make Faster and More Efficient Insure Proper Controls in Place Perform Reconciliation with Aging Verify Reconciliation with GL Create Month End Packet

Retain as Needed See www.cathycakebread.com for Close

Checklist and Paper on Improving Close Process


Control Revenue Recognition SAB 101 –

SEC – Staff Accounting Bulletin SOP 97, 98 –

AICPA – Statement of Position

Hot Topic! Lots of Scrutiny and Visibility!


Key Concepts Persuasive Evidence of an

Arrangement Exists, Delivery Has Occurred or Services

Have Been Rendered, The Seller’s Price to the Buyer Is Fixed

or Determinable, And Collectibility Is Reasonably

Assured


Sensitive Areas Deferred Revenue

Maintenance/Support/Subscriptions/Service Items Where Acceptance Is Required Where You Can’t Start Recognition Until

Another Event Occurs And

Sales of Future Items Arrangements (Related Sales) Standard Terms and Exceptions Return/Refund Policies


Revenue Recognition Questions to Ask Do You Have Items Where Revenue Can’t

Be Recognized Upon Shipment? Does the Person Entering the Order

Know When the Revenue Should Be Recognized?

When Do You Know? How? What Determines When Revenue May Be

Recognized? Do You Have Standard Payment Terms?

Do You Ever Have Exceptions?


And Do You Have a Return Policy? E.G., Full

Money Back in 30 Days? Do You Use ‘Arrangements’ With Your

Customers (Where the Revenue for One Invoice May Not Be Recognized Until the Subsequent Items Ship)?

How Do You Deal With the Revenue for Invoices Where You Don’t Expect to Receive Payment?


And Do You Use Standard Pricing?

How Do You Deal With Variable Pricing and Revenue Recognition?

How Do You Handle Discounts With Bundled Products?

Do You Sell ‘Beta Products’? Or ‘Future’ Products

How Does This Process Impact Your Reporting of Cost of Goods Sold?


Conclusion This Is a Positive Thing! Potential Results:

Better Run Department (Best Practices) Detailed User Documentation and Training

Materials Confidence With Accuracy of Data Assurance That Proper Controls Are in Place Risks Are Mitigated


Links for Sarbanes-Oxley The Actual Act – in a PDF

http://news.findlaw.com/hdocs/docs/gwbush/sarbanesoxley072302.pdf

American Institute of Certified Public Accountantshttp://www.aicpa.org/sarbanes/index.asp http://www.aicpa.org/info/sarbanes_oxley_summary.htm

Securities Exchange Commission FAQshttp://www.sec.gov/divisions/corpfin/faqs/soxact2002.htm

Price Waterhouse Coopers Site on Sarbanes Oxleyhttp://www.pwcglobal.com/Extweb/NewCoAtWork.nsf/docid/D0D7F79003C6D64485256CF30074D66C

Nice Synopsis With Effective Dateshttp://www.cfodirect.com/cfopublic.nsf?opendatabase&content=http://www.cfodirect.com/cfopublic.nsf/vContent/MSRA-5QJQ6C?open


Contact Information Cathy Cakebread

(650) 562-1167 www.cathycakebread.com [email protected]

AR List Server [email protected]

Copyright©2004 Cathy Cakebread Oracle Receivables and Sarbanes-Oxley Cathy Cakebread - Consultant...

Documents

Transcript of Copyright©2004 Cathy Cakebread Oracle Receivables and Sarbanes-Oxley Cathy Cakebread - Consultant...