|
Component
|
Risk definition
|
|---|
|
Developing
|
Intermediate
|
Mature
|
Advanced
|
|---|
|
Policies and procedures
|
- Month- and year‑end reporting policies and procedures are not documented
- Reconciliations are not performed
- Reporting is on a cash basis
|
- Month- and year‑end reporting policies and procedures are updated regularly
- Reconciliations are performed for some accounts, including all material accounts
- Estimates and accruals are used for some accounts
|
- Month- and year‑end reporting policies and procedures are reviewed in a two‑year cycle
- Manual reconciliations are prepared for all accounts
- Estimates and accruals are used every reporting end
|
- Month- and year‑end reporting policies, processes and procedures are annually reviewed and updated with extensive consultation and are well understood
- Automated / partially automated reconciliations are performed for all accounts
- Estimates and accruals are used every reporting end and adjusted periodically where appropriate
|
|
People and organisation
|
- Roles and responsibilities are broad / not clear or not defined
- Staff always work overtime during reporting end
- No training exists
|
- Roles and responsibilities are assigned but some confusion and overlap exists
- Staff sometimes work overtime during reporting end
- Informal training / on‑the-job training exists
|
- Roles and responsibilities are clear and well understood
- Occasional overtime is required
- Training is provided as part of the onboarding process
|
- Roles and responsibilities are clearly understood and well documented
- Overtime is rare
- Training is provided as part of the onboarding process, with a formal training program in place to aid with staff development
|
|
Data and technology
|
- Sub-ledger is manually uploaded to the general ledge with adjustments to entries required
- Financial statements are manually prepared
- Statutory entity reporting and management reporting are two separate processes
|
- Sub-ledger data is interfaced with the general ledger, with manual intervention and reconciliations required to ensure accuracy
- Financial statement preparation is automated, with manual adjustments required
- Statutory entity reporting and management reporting are two separate processes, with a formal reconciliation process
|
- Sub-ledger is electronically transferred to the general ledger, with few adjustments required
- Financial statement preparation is mostly automated
- Statutory entity and management reporting have been made consistent, with manual intervention required
|
- Sub-ledger data automatically interfaces with the general ledger and is balanced daily
- All financial statement preparation is automated
- Statutory entity and management reporting is consistent
|
|
Internal controls over financial reporting
|
- Controls are mostly manual
- Controls are reviewed by management on an ad hoc basis
- Key accounts are included in the financial statement risk assessment, but this process is not documented
|
- Controls are typically system based and integrated with core financial applications
- Controls are routinely monitored by management
- Key accounts are included in the financial statement risk assessment based on a predetermined assessment
|
- Majority of controls are automated and managed electronically
- Controls are effectively monitored against process effectiveness
- A formal risk assessment has been completed where key accounts are reviewed more frequently than others
|
- Controls are highly automated and managed through core financial application roles
- Controls are monitored against defined criteria and balanced against process effectiveness
- A formal risk assessment has been completed where key accounts are reviewed monthly; all accounts are reviewed at least once annually
|