P# Process (Backbone Procedures v 3.1) Total controls per cycle SC IC Related Accounts Inherent Risk Low Low High Low High High Low High Med Low High High High High High High High Low High Med High Low Med Low Med Med Med Med Med High Controls / Process Complexity CLCs PY Errors PY Control Deficiencies PY Overall Risk assessment Overall Level of Risk assessment Other comments
Indep.
Indep.
Indep.
P01 Payroll P1b Payroll Outsourced P02 Inventory Management P03 Purchasing and Assets Management P04 Cash Management P05 Debt Management P06 Prepayment P07 Taxes P08 P09 P10 P11 P12 P13 P14 P15 P16 P17 P18 P19 P20 P21 P22 P23 P24 P25 P26 P27 P28 P29 Assets Impairment Bad debts Contract Management Commitment and Contingencies Financial Statements Close IT General Controls Procedure Network General Controls Procedure Bill and Collect for Interconnect/other operators Bill and Collect for Sales (Roaming) Bill and Collect for Sales (Postpaid) Bill and Collect for Sales (Prepaid) Bill and Collect for Sales (wireless) Adjustments Recording of Subscribers Numbers Intercompany Accounting for Financial Assets other than pledge deposits Indefeasible Rights of Use (IRU) Managing Programming Costs Bill and Collect for Sales (Cable TV) Hedging Tower Lease Back Technology General Controls Procedure Total Controls (TLC) Average (Critical) Controls per Cycle
13 14 21 33 18 6 2 10 1 4 4 7 12 46 34 14 28 32 34 17 8 4 3 2 9 6 22 15 404 17
3 3 10 22 9 2 1 3 1 4 1 7 12 31 23 9 19 16 20 6 3 1 1 9 5 11 232 10 -
10 11 11 11 9 4 1 7
Low Low Med High Low Low Low Med High Low Low Med Med Med High Med Med Med High Med Med Low Low Med Med Med Med Med Med Med
Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect Indirect
None None Limited Limited Limited None None Limited None None None None Limited Multiple Multiple None None Limited Multiple None None None None None None None Limited Limited Limited Multiple
Low Low Low High Med High Low High High Low Low Med High High High High Med Med High Med Med Low Low Low Med Med Med
Low Low Low High High Med Low High Med Low Low Med High High High High Low Med High Low Med Low Low Low Low Med Med
No material misstatement identified. However, covering several FS captions - complex process. Overall assessment remains high. No deficiencies identified but considered as high risk considering the risk of Fraud. Misstatement identified in Colombia was compensated by procedures held at HQ.
6 2 1 2
Significant intangible assets in Honduras, Amnet and Colombia. However, monitored at the HQ.
1 1 2 4 2 1 1 1 1 1 1 4 13 10 2 5 5 8 2 1 1 1 1 2 4 34 13 84 -
2 2 8 12 5
10 11 11 11 9 4 1 7 3 15 11 5 9 16 14 11 5 4 2 1 1 11 -
6 3 1 2 1 5 4 4 2 1 8 1 1 4 43 -
1 2 2 7 2 1 1 1 1 1 1 2 13 9 1 5 7 5 2 1 1 1 1 2 -
2 1 8 9 4
10 11 11 11 9 4 1 7 3 15 11 5 9 16 14 11 5 4 2 1 1 11 -
6 2 1 2 1 2 6 7 5 2 2 6 1 2 2 1 7 55 -
2 2 3 9 3 1 1 1 2 1 2 4 14 8 4 10 6 8 2 -
1 1 7 7 4
10 11 11 11 9 4 1 7 3 15 11 5 9 16 14 11 5 4 2 1 1 11 -
1 3 5 5 14 10 6 14 8 7 6 1
3 15 11 5 9 16 14 11 5 4 2 1 1 11 15 187 8
3 5 5 14 11 6 14 10 7 6 1
2 3 2 10 10 3 9 8 6 4 2
High risk considering significant importance of process for consolidation process. Adjustments recorded in 2010 were considered unusual and considered as part of the Country allocation to buckets. Deficiencies identified in various countries leading to nil maximum exposure. Deficiencies identified in various countries leading to nil maximum exposure.
3 4 2 1 1 5 1 1
Deficiencies identified in various countries leading to $nil exposure. Deficiencies identified in various countries leading to $low amount exposure.
8 3 8 14 145
8 3 8 -
1 1 3 1 3
4 2 7 -
2011 new process - very limited transactions - coordinated from HQ 2011 new process
High
High
15 187
13 83
14 137
15 187
14 106
10 102
15 187
The testing strategy was tailored based on the risk assessment and the maturity of the control environment in each operation. We have defined 3 buckets for which a different testing approach was defined.
- Bucket 1 represents mature countries which demonstrated a history of ICFR low number of deficiencies, strong CSA Peer review team and low level of exposure for remaining deficiencies.
- Bucket 2 represents improving countries which demonstrated a history of ICFR reasonable number of deficiencies, strong CSA Peer review team and reasonable level of exposure for remaining deficiencies.
- Bucket 3 represents developing countries which demonstrated a history of ICFR inconsistent number of deficiencies, good CSA Peer review team and some level of exposure for remaining deficiencies.
Bucket 1: Bolivia, Paraguay, El Salvador
Bucket 2: Colombia, Guatemala, Tanzania, Ghana
Bucket 3: Amnet operations, Honduras, Senegal, DRC, Chad
Testing (color scheme used in sheet "Test Strategy"):
- Independent testing - PwC to independently test control based on testing strategy defined in worksheet "Test Strategy"
- Reperformance of management testing - PwC to obtain management's testing support for management's sample and reperform test of control
- Rely / Observation/Walkthrough - PwC to independently observe if the control is being performed with the Control Owner, and to confirm the result
Criteria used for:
- Low risk: Not Pervasive; Routine; Low degree of judgement involved; ok for objective testing; low potential for mgt override
- Medium/High risk: More complex IT Application Controls (ITACs); Higher risk; highly judgemental or complex controls; potential for mgt override
SoX controls are allocated in 3 buckets (High, Medium, Low) depending on risk rating.
!!! change !!! compared to 2010: Controls risk rating has been aligned with overall risk assessment by process.
PY SoX results
Test Results 06: Significant deficiencies were noted in the controls surrounding taxes/deferred taxation, fixed assets/CWIP and the Financial Statement Preparation (IFRS) process. No material weaknesses were identified. No SUD or SAAD items identified.
Test Results 07: No significant deficiencies or material weaknesses were identified. No SUD or SAAD items identified.
Test Results 08: No significant deficiencies or material weaknesses were identified. No SUD item identified. 1 SAAD item recorded (Tax accrual in Tanzania).
Test Results 09: Two significant deficiencies, Consolidation Close process at the HQ and Prepaid revenue in Chad.
Test Results 10: No significant deficiencies or material weaknesses were identified. No SUM item identified. 4 SAM items recorded.
Group environment:
Backbone V3.1: rationalisation of controls based on local management comments. Mainly clarification of controls responsible and testing procedures. Management testing will use V3.1 as from Q1_2011.
=> Assessment of Management testing to perform based on Q2_2011 CSA Peer review results.
Risk Assessment @ SoX control level High 63 29% Med. 116 53% Low 41 19% Indep.
62 28%
2011 - Bucket 3
113 49% -3 -4% 113 49% -3 -4% 113 49% -3 -4% 1392 53% 1356 43% -36 -10%
98 42% 57 24% 98 42% 57 24% 98 42% 57 24% 492 19% 1176 37% 684 19%
55 24% -7 -4% 43 19% -19 -10% 34 15% -28 -14% 744 28% 549 17% -195 -11%
106 46% 29 11% 83 36% 6 1% 84 36% 7 1% 924 35% 1114 35% 190 0%
Variance
2011 - Bucket 2
Variance
2011- Bucket 1
Variance
2010 Total
2011 Total
Variance
SC Indep. 50 79% High Reperf. 13 21% Rely 0 0% Indep. 12 10% Med. Reperf. 60 52% Low Rely 44 38% Reperf. 4 10%
102 44% 21 7% 137 59% 56 22% 145 63% 64 26% 972 37% 1493 47% 521 10%
187
61 54% 1 2% 46 41% -14 -11% 48 42% -12 -9% 720 52% 633 47% -87 -5%
34 30% -10 -8% 53 47% 9 9% 55 49% 11 11% 528 38% 547 40% 19 2%
33 34% 29 24% 21 21% 17 12% 17 17% 13 8% 48 10% 300 26% 252 16%
187
187
65 66% 28 -24% 77 79% 40 -12% 81 83% 44 -8% 444 90% 876 74% 432 -16%
187
187
187
Med. Rely
Indep. Reperf.
Low Rely
Reperf.
Rely
IC non-key Walkthr.
P01 Payroll P1b Payroll Outsourced P02 Inventory Management P03 Purchasing and Assets Management P04 P05 P06 P07 P08 P09 P10 P11 P12 P13 P14 P15 P16 P17 P18 P19 P20 P21 P22 P23 P24 P25 P26 P27 P28 P29 Cash Management Debt Management Prepayment Taxes Assets Impairment Bad debts Contract Management Commitment and Contingencies Financial Statements Close IT General Controls Procedure Network General Controls Procedure Bill and Collect for Interconnect/other operators Bill and Collect for Sales (Roaming) Bill and Collect for Sales (Postpaid) Bill and Collect for Sales (Prepaid) Bill and Collect for Sales (wireless) Adjustments Recording of Subscribers Numbers Intercompany Accounting for Financial Assets other than pledge deposits Indefeasible Rights of Use (IRU) Managing Programming Costs Bill and Collect for Sales (Cable TV) Hedging Tower Lease Back Technology General Controls Procedure Total Controls (TLC) Average (Critical) Controls per Cycle This testing strategy is applicable for ICFR developing countries:
13 14 21 33 18 6 2 10 1 4 4 7 12 46 34 14 28 32 34 17 8 4 3 2 9 6 22 46 404 17
3 3 10 22 9 2 1 3 1 4 1 7 12 31 23 9 19 16 20 6 3 1 1 9 5 11 31 263 11 -
10 11 11 11 9 4 1 7
7 3 2 7 9 7 2 6 9 52
1 1 4 10 4 2 1 1 1 1 4 3 14 10 3 8 8 9 1 1 1 4 4 3 14 113
2 2 6 5 2 1 3 3 2 8 6 4 11 8 5 5 2 1 5 1 8 8 98
6 2 1 2 1 3 4 2 1 1 5 1 1 4 34 15% -
1 1 2 4 2 1 1 1 1 1 1 4 13 10 2 5 5 8 2 1 1 1 1 2 -
2 2 8 12 5 1 3 5 5 14 11 6 14 10 7 6 1 -
10 11 11 11 9 4 1 7
P1 P1b P2 P3 P4 P5 P6 P7 P8 P9 P10 P11 P12 P13 P14 P15 P16 P17 P18 P19 P20 P21 P22 P23 P24 P25 P26 P27 P28 P29
3 2 2 2 4 2 1 4 4 24
2 1 3 4 2 1 2 4 19
2 2 1 3 1 9
3 1 1 1 1 1 1 1 10 -
1 1 1 2 1 1 1 1 1 1 1 1 7 7 1 4 4 1 1 1 1 1
3 5 3 2 1 7 3 3 7 3 4 1 3 2 1 -
1 2 1 1 4 1 2 1 1 1 7 55 2 17 -
2 2 5 5 2 1 3 3 2 6 5 3 7 7 3 5 1 -
10 11 11 11 9 4 1 7
3 15 11 5 9 16 14 11 5 4 2 1 1 11 15 187 8
15 11 5 9 16 14 11 5 4 2 1 1 11 -
15 11 5 9 16 14 11 5 4 2 1 1 11 -
8 3 8 -
5 1 7
13 84 38%
14 145 66%
15 187
7 48
6 81
15 187
46%
37%
17%
9%
42%
Controls Description
P# Procedure C# Control Name Control Description Responsible Type Category Frequency Control Formalization
P10
Contract Management
IC01
Contract is reviewed by legal department in order to ensure adequacy of the general terms and conditions.
Preventive
Each contract
P10
Contract Management
IC02
Signed contract is reviewed by the legal team in order to ensure that the contract has been signed by the other party and according to the authorized signatory as per the approved authority matrix.
Preventive
P10
Contract Management
IC03
Contract summary form is prepared by the requesting department and reviewed by Legal Responsible who includes a sequential contract reference number.
Preventive
Each contract
P10
Contract Management Accounting Treatment Complying management Significant agreements Dealers commission Renting Contact Center service Contracts
SC04
Based on the contract and contract summary form, the accounting team determines the appropriate accounting treatment (as per MIC Accounting Policy Manual) and details any required calculation (pre-requisites for the journal entries booking). Final analysis is reviewed by Accounting Responsible (CFO-1).
Manual
Preventive
Each contract
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- From the contracts database, obtain the list of all new contracts / agreements issued during the period under review.
- Select in this list the samples to be tested and obtain the related contracts.
- Verify for each sample selected that the legal responsible has ensured that the contract was properly signed by both parties.
- In particular, ensure that the contract was signed according to the company approved authority matrix.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- Based on the samples selected for IC2, obtain the approved contract summary form.
- Reconcile the information contained in the contract summary form with the contract to ensure data accuracy.
- Verify that it has been reviewed and formally approved by the legal department.
- Ensure it is sequentially numbered.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- Based on the samples selected for IC2, obtain the approved "calculation sheet".
- Reconcile the information contained in the calculation sheet with the contract summary form and the contract to ensure data accuracy.
- Ensure that all accounting treatments comply with the MIC accounting policy.
- Ensure the arithmetical accuracy of any calculation.
- Verify that the calculation sheet has been reviewed and formally approved by the accounting responsible.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Med.
Reperformance
- if estimated population > 50 --> select 10% of available population, up to 25 - if estimated population < 50 --> select all population available, up to 5
Professional judgement
Med. Rely
Indep. Reperf.
Low Rely
Reperf.
Rely
IC non-key Walkthr.
P01 Payroll P1b Payroll Outsourced P02 Inventory Management P03 Purchasing and Assets Management P04 P05 P06 P07 P08 P09 P10 P11 P12 P13 P14 P15 P16 P17 P18 P19 P20 P21 P22 P23 P24 P25 P26 P27 P28 P29 Cash Management Debt Management Prepayment Taxes Assets Impairment Bad debts Contract Management Commitment and Contingencies Financial Statements Close IT General Controls Procedure Network General Controls Procedure Bill and Collect for Interconnect/other operators Bill and Collect for Sales (Roaming) Bill and Collect for Sales (Postpaid) Bill and Collect for Sales (Prepaid) Bill and Collect for Sales (wireless) Adjustments Recording of Subscribers Numbers Intercompany Accounting for Financial Assets other than pledge deposits Indefeasible Rights of Use (IRU) Managing Programming Costs Bill and Collect for Sales (Cable TV) Hedging Tower Lease Back Technology General Controls Procedure Total Controls (TLC) Average (Critical) Controls per Cycle This testing strategy is applicable for ICFR developing countries:
13 14 21 33 18 6 2 10 1 4 4 7 12 46 34 14 28 32 34 17 8 4 3 2 9 6 22 46 404 17
3 3 10 22 9 2 1 3 1 4 1 7 12 31 23 9 19 16 20 6 3 1 1 9 5 11 31 263 11 -
10 11 11 11 9 4 1 7
7 3 2 7 9 7 2 6 9 52
1 1 4 10 4 2 1 1 1 1 4 3 14 10 3 8 8 9 1 1 1 4 4 3 14 113
2 2 6 5 2 1 3 3 2 8 6 4 11 8 5 5 2 1 5 1 8 8 98
6 3 1 2 1 5 4 4 2 1 8 1 1 4 43 20% -
1 2 2 7 2 1 1 1 1 1 1 2 13 9 1 5 7 5 2 1 1 1 1 2 -
2 1 8 9 4 1 3 5 5 14 10 6 14 8 7 6 1 -
10 11 11 11 9 4 1 7
P1 P1b P2 P3 P4 P5 P6 P7 P8 P9 P10 P11 P12 P13 P14 P15 P16 P17 P18 P19 P20 P21 P22 P23 P24 P25 P26 P27 P28 P29
3 2 2 4 4 3 2 5 4 29
3 1 1 4 2 1 4 16
1 2 1 2 1 7
3 1 1 1 1 1 1 3 1 1 14 -
1 1 1 3 1 1 1 1 1 1 1 1 7 6 1 4 2 1 1 1 1 1
3 4 2 2 1 7 3 3 7 3 4 1 3 2 1 -
1 1 1 2 1 1 4 3 2 1 1 1 7 53 2 21 -
2 1 5 4 2 1 3 3 2 6 5 3 7 5 3 5 1 -
10 11 11 11 9 4 1 7
3 15 11 5 9 16 14 11 5 4 2 1 1 11 15 187 8
15 11 5 9 16 14 11 5 4 2 1 1 11 -
15 11 5 9 16 14 11 5 4 2 1 1 11 -
8 3 8 -
5 1 7
13 83 38%
14 137 62%
15 187
7 46
6 77
15 187
56%
31%
13%
12%
41%
Controls Description
P# Procedure C# Control Name Control Description Responsible Type Category Frequency Control Formalization E/O V/M C R/O PD
P01
Payroll
IC01
Personnel additions (Local Senior Management and Regional equivalents) are approved
Subsequent to the approval of RAR, the package for the new Local Senior Management and Regional equivalents is approved.
Preventive
Each new recruitment of new Local Senior Management and Regional equivalents
Packages related to the hiring of Local Senior Management and Regional equivalents are reviewed and formally approved and related contracts are in line with approved packages.
X
P01
Payroll
IC02
Personnel additions (other than Local Senior Management and Regional equivalents) are approved
Subsequent to the approval of RAR, the package for employees other than Local Senior Management and Regional equivalents is approved.
Manual
Preventive
Each new recruitment of employee different than Local Senior Management and Regional equivalents
Contracts with new employees, other than Local Senior Management and Regional equivalents, are reviewed and formally approved.
P01
Payroll
IC03
Performance evaluation forms are approved by Head of Departments
The Head of Department reviews and approves the evaluation forms of his/her team and sends the evaluation forms to HR Responsible.
Head of Department
Manual
Preventive
Annually
Annual performance evaluation forms are reviewed and formally approved.
P01
Payroll
IC04
Business Owner reviews the commissions and other variable pay elements (overtime, paid off, sickness, holidays, absence, personnel expenses).
Manual
Preventive
Monthly
Commissions and other variable pay elements reports are reviewed and formally approved. Calculation of effective bonuses allocated to the Local Senior Management and Regional equivalents is reviewed and formally approved.
P01
Payroll
IC05
Effective bonuses and related calculation are approved
Calculation is made based on bonus performance criteria agreed and communicated by Headquarters. The performance of the operation is calculated and communicated by Headquarters, the individual performance discussed and agreed at operation level. Calculation of effective bonuses for Local Senior Management and Regional equivalents is prepared locally and reviewed by the Regional Manager and approved by Head of Performance and Reward.
CEO and Head of Performance and Reward
Manual
Effective bonuses and related calculation are approved
Calculation is made based on bonus performance criteria agreed and communicated by Headquarters. The performance of the operation is calculated and communicated by Headquarters, the individual performance discussed and agreed at operation level. Calculation of effective bonuses for employees below Local Senior Management and Regional equivalents is prepared locally and reviewed and approved by GM.
GM
Manual
Payroll Coding Assignments are reviewed by department
Preventive
Annually
P01
Payroll
IC06
Preventive
Annually
Calculation of effective bonuses allocated to people below the Local Senior Management and Regional equivalents is reviewed and formally approved.
P01
Payroll
IC10
The mapping between the job positions within the company and related cost center code is reviewed by the Human Resources department (GM-1 or GM-2).
Human Resources department (GM-2)
Manual
Preventive
Quarterly
Mapping between job positions and related cost center code is reviewed and formally approved.
P01
Payroll
IC11
Monthly payroll activity is compared to previous periods
Human Resources Staff analyses payroll monthly report against payroll report of previous period (variance > 10% is supported by explanation).
Human Resources Responsible (GM-1)
Manual
Detective
Monthly
Analytical review with explanation for variance >10% is reviewed and formally approved.
P01
Payroll
IC12
Returns are reviewed for reasonableness and unusual items prior to being filed with the authorities. Note: All the Employee (Direct, Indirect, Consultants) related Taxes and Social Security commitments must be calculated. Employee Taxes (PAYE, WHT, etc) of Local as well as Expatriate employees must be calculated.
Manual
Preventive
Each Filing
Copies of the returns kept on file are reviewed and formally approved.
P01
Payroll
IC13
P01
Payroll
SC07
Review the follow up of recorded conflicts of employee
Changes in employment status and variable pay elements are approved before input in the payroll database
HR Responsible reviews and ensures follow up of cases for recorded complaints of employees.
Manual
Preventive
Monthly
Complaint book is properly reviewed and approved.
- Status change request documents ('Personnel action' form) are reviewed and formally approved.
- All other variable pay elements and related files to be entered into the Payroll System are approved
- Printed copy of discount rate's file is approved
X X X
1) HR Responsible reviews and authorizes the following changes in employee status/package (salary, variable pay elements, benefits, etc) before they are input into the Payroll System:
- Changes due to employee dismissal / termination (removal of the employee from the employee list)
- Changes due to employee recruitment (formalization of new employee contracts)
- Changes due to annual performance evaluation (approval of annual performance evaluation forms)
- Changes due to employee promotion
- Changes due to employee leveling
- Changes due to employee move from one department to another
2) HR Responsible reviews the commissions and other variable pay elements (e.g. overtime, sickness, holidays, absence, personnel expenses and bonuses).
3) Deduction rates, as well as rates for external requirements such as social payments and others, are reviewed every time there is a change, to identify changes or errors in the rates.
Human Resources Responsible (GM-1)
Manual
Preventive
Monthly
P01
Payroll
SC08
Payroll monthly reports are reconciled with payroll fixed and variable data
Human Resources Staff reconciles payroll monthly report against documents approved by HR Responsible during control SC7 in order to identify mistakes, inconsistency or duplication. In addition, the Human Resources Staff ensures that the number of employees in the monthly payroll report equals the total number of employees.
Manual
Detective
Monthly
P01
Payroll
SC09
Bonus accrual computation is reviewed
The Human Resources department prepares the bonus accrual computation based on expected performance.
Manual
Preventive
Quarterly
P02
Inventory Management
IC01
Supply Chain Department must assess and decide if the need to order is relevant. Decision must be documented and based on the inventory review/monitoring performed at warehouse level and formally approved.
GM for Handsets and Customer Premises Equipment; Supply Chain Manager for SIM cards, Scratch cards and other Accessories.
Manual
Preventive
Weekly
P02
Inventory Management
IC02
Stock Order Form/Dispatch Note is completed (Nature/Destination/Origin) reviewed and formally approved by the Sending Warehouse Responsible. This document is completed at destination and reviewed and formally approved by the receiving party (i.e. confirmation of appropriate stock quantity received). When transfer has been done, the Stock Order Form / Dispatch Note is returned to the sending party who ensures that the stock delivered was equal to the stock sent. Any differences are investigated and explained; any corrective actions are taken and documented.
Warehouse Supervisor (Head of Supply Chain-2)
Manual
Preventive
Each delivery
P02
Inventory Management
IC03
The list of goods in transit is reviewed. Any old outstanding goods in transit (for which no approved Stock Order Form/Dispatch Note has been received) are investigated; any required corrective actions are taken and documented. Final analysis is reviewed.
Warehouse Responsible (GM-2)
The SCM-3 reviews the stock order form for quantity, amount and credit limit and approves the form.
Head of Supply Chain-3 (SCM-3)
Manual
Detective
Monthly
P02
Inventory Management
IC04
Manual
Preventive
P02
Inventory Management
IC05
All sales prices included in the invoicing system are reviewed against the approved price list.
Manual
Preventive
P02
Inventory Management
IC06
Quantity reconciliation between invoice and Dispatch Note / Stock Order Form
Stock quantity from the invoicing system is reconciled with the stock quantity indicated in the Stock Order Form/Dispatch Note. Any differences are investigated and explained; any corrective actions are taken and documented.
Manual
Detective
Each change and at least quarterly
Prices list extracted from the invoicing system reviewed and formally approved.
Each stock sale
Reconciliation reviewed and formally approved.
P02
Inventory Management
IC10
Warehouse Supervisor reviews Stock Return Form (description of inventory item returned detailing the accessories, quantity received, reason for return) and approves it.
Detective
Each return
P02
Inventory Management
IC11
The credit note is reviewed based on Stock Return Form and approved.
CFO-2
Manual
Preventive
P02
Inventory Management
IC12
CFO-2
Manual
Detective
P02
Inventory Management
IC19
Sales to Dealers above the approved credit limit must be formally approved
CFO
Manual
Preventive
P02
Inventory Management
IC20
A list of Dealers which have monthly balances above their authorized credit limit is printed and reviewed.
CFO
Manual
Detective
Monthly
List summarizing dealers with balances above their credit limit is reviewed and formally approved.
Cost of sale calculation methodology and criteria reviewed and formally approved.
Reconciliation reviewed and formally approved.
X X X
P02
Inventory Management
SC07
Accounting methodology for stock is documented by the accounting team and reviewed.
CFO
Manual
Preventive
Annually
P02
Inventory Management
SC08
Reconciliation is performed between sales from the accounting system and sales report from the invoicing system. Any differences are investigated and explained; any corrective action is taken and documented.
Manual
Detective
Monthly
P02
Inventory Management
SC09
Reconciliation is performed between the value of total inventory from the accounting system and from inventory module. Any differences are investigated and explained; any corrective action is taken and documented. Reconciliation is performed between the stock count and the inventory report / list of obsolete items. Explanations and corrective actions are formalized by accounting team and reviewed.
Manual
Detective
Monthly
P02
Inventory Management
SC13
Manual
Detective
P02
Inventory Management
SC14
Assumptions for obsolete inventory and slow-moving items reviewed
List of obsolete items approved
Obsolete items identified
Guidelines to determine obsolete and slow moving items are documented and reviewed.
CFO
Manual
Preventive
P02 P02
SC15 SC16
CFO and GM
Manual Manual
Detective Preventive
Quarterly Quarterly
Based on the list of obsolete items reviewed by the GM and CFO, the Warehouse Responsible clearly identifies and separates those items.
Warehouse Responsible
Accounting Responsible (CFO-1)
List reviewed and formally approved. List identifying the obsolete items reviewed and formally approved.
X X
X X
P02
Inventory Management
SC17
Manual
Detective
Quarterly
P02
Inventory Management
SC18
- If stock remeasurement test is not performed, an explanation is documented in a memorandum.
- If a stock remeasurement test is performed, the conclusions are documented in a memorandum.
Manual
Detective
Quarterly (quarter-end)
P02 P03
SC21 IC01
Billing system parameters that affect the invoicing process are reviewed.
IT Critical System Responsible
CFO ensures all major fixed assets purchases are approved by the Board.
CFO
Manual Manual
Detective Preventive
Quarterly
Each request for new major fixed-assets acquisition
List of approved CAR by the Board reviewed and formally approved.
X
P03
IC02
The Purchasing Responsible checks the supplier estimate for goods/services vs. the Capital Application Request Form to ensure purchases are within the approved amount for the CAR.
Purchasing Responsible (GM-2)
Manual
Preventive
P03
IC03
The Vendor Master File is reviewed. In particular, inactive suppliers are identified and blocked.
Manual
Preventive
Catalogue of master file including status of suppliers reviewed and formally approved. Checklist reviewed and formally approved.
P03
IC04
Manual
Preventive
Each contract
P03
IC07
Credit Note received by supplier is reviewed by GM-3 to validate the transaction before booking.
Manual
Preventive
P03
IC11
When an advance payment has been made, at the time the goods/service is received, a booking to reverse the advance payment must be made. Amount of the reversal is received before booking.
Accounting Responsible (CFO-3)
Manual
Preventive
P03
IC17
Timesheets reviewed
Timesheets detailing the cell-site commissioning team working on site under construction and the time spent per project / sites is reviewed by CTO.
CTO
Manual
Preventive
Monthly
P03
IC20
List of assets to be capitalized approved
List of assets (including tag number) to be capitalized is approved when site starts generating revenue or project is completed.
GM-2
Manual
Preventive
P03
IC27
When asset is received by the Receiving Department, ATN is signed-off.
Receiving Department (GM-4)
Manual
Preventive
Each transfer
P03
IC29
P03
IC32
The FA Responsible prepares by assets owner a list of all assets under their custody. This document is sent to all Head of Department for confirmation. - Asset Disposal Note is completed by Finance Responsible (CFO-2) based on User Department information and ATN. - Receipt of sale proceed is attached. - ARO computation is documented. - Realized gain or loss is documented. CFO reviews the ADN and signs it for approval.
Detective
Quarterly (not necessarily at quarter end)
Lists of assets signed off
Each transfer
ADN reviewed and formally approved.
Preventive
P03
SC05
CAPEX/OPEX/Inventory check
Head of Department reviews the transaction type (CAPEX, OPEX or inventory) which is inputted in the purchase request
Head of Department
Manual
Preventive
P03
SC06
PO approved
Manual
Preventive
Each PO
P03
SC08
2-way match
PO module
Automatic
Preventive
System Parameters
P03
SC09
Accounting team (preferably the AP Responsible) extracts from the accounting system the open CAPEX accrual transactions and summarizes them by supplier. Analysis per supplier is then performed to ensure accuracy of data (including existence, review of duplication, and explanation on aged accruals balances over 6 months etc.)
Accounting Responsible (CFO-2)
Manual
Detective
Monthly
P03
SC10
Accruals checklist is completed by CFO-2 and reviewed. In particular, CFO-1 reviews the list for completeness, explains reasons for current accruals booked, indicates whether there was an accrual last month and the total amount booked in the accounts (for each accrual type).
Accounting Responsible (CFO-1)
Accounting team (best AP Responsible) extracts from the accounting system the open advances and summarizes them by supplier. Analysis per supplier is then performed to ensure accuracy of data (appropriate reversal performed).
Accounting Responsible (CFO-2)
Manual
Detective
Monthly
P03
SC12
Manual
Detective
Monthly
P03
SC13
Invoices approved
Manual
Preventive
Each invoice
P03
SC14
3-way match
PO module prevents recording an invoice quantity and price higher than the PO and the GRN/SDN.
PO module
Automatic
Detective
System Parameters
P03
SC15
FA Responsible ensures that when assets are capitalized, a final tagging is applied which follows the assets coding communicated by the HQ and at the latest 8 weeks after the date of transfer from CWIP to FA.
Preventive
Each asset
P03
SC16
Based on the key terms of the contract summarized in a memorandum, CFO-1 documents the accounting treatment of transactions linked to the turnkey project and CFO reviews and approves.
CFO
Manual
Preventive
P03
SC18
Based on the information received from the CTO, Human Resource values the time spent by the cell-site commissioning team for the construction of sites. This analysis is signed-off and communicated to Accounting Department.
Manual
Preventive
Monthly
P03
SC19
CWIP register is prepared and includes at minimum assets identification (can be serial number or any other means), date of receipt, PO reference, value, expected date of capitalization, location and asset description. Fixed Assets Responsible reviews the CWIP register for completeness and reconciles it to the CWIP accounts in the Accounting System. Any discrepancy is investigated and solved.
Fixed Assets Responsible (GM-2)
Manual
ARO provision calculation is prepared by CFO-1 and reviewed by CFO.
CFO
Manual
Detective
Monthly
P03
SC21
Preventive
P03
SC22
Costing (including assets, ARO, interests, services, freight, duties, etc.) prepared by Fixed Assets Responsible (CFO-2) is reviewed by CFO-1. System print-out evidencing the accounts update is attached and reviewed.
Accounting Responsible (CFO-1)
Manual
Preventive
Each capitalization
Costing sheet reviewed and formally approved attached with the system update
P03
SC23
The License Summary Sheet (Part I) relating to the capitalization rule is completed (including deferred costs) by the Accounting Responsible (CFO-1) and reviewed by CFO.
CFO
Manual
Preventive
P03
SC24
Depreciation rates comply with MIC Accounting Policy
Based on the FAR, Fixed Assets Responsible (CFO-2) extracts details of all assets. A summary by assets category is prepared showing depreciation rate used. Those rates are checked against the MIC Accounting Policy (including assets with no depreciation rate). Any discrepancy is investigated and correction documented and booked into the FAR. CFO ensures that the FA Responsible has properly performed his review.
Assets with negative net book value reviewed
Fixed Assets Register is extracted from the fixed assets module. Any asset with a negative net book value is reviewed and corrected.
CFO
Manual
Detective
Quarterly (quarter-end)
P03
SC25
Detective
Monthly
P03
SC26
Asset new useful life reviewed
When depreciation period needs to be modified, new asset useful life is reviewed by CFO and communicated to GFC for review.
CFO
Manual
Preventive
P03
SC28
Based on the sequential numbering of ATN, a list is created and updated for each transfer performed. This list should include the transfer date, receipt date and fixed assets register update date. Once a month, the list is reviewed and any missing ATN is investigated to ensure all transfers were properly updated in the Fixed Assets Register. 1) FA Responsible (CFO-2) reconciles the count with the Fixed Assets Register. All differences are investigated, corrective actions performed and documented. 2) List of obsolete items is summarized, investigated, accounting adjustment booked and documented. 3) Final documents are reviewed by the CFO-1.
Detective
Monthly (not necessarily at month-end)
Cut-off report reviewed and formally approved.
P03
SC30
Detective
All assets to be counted at least once a year
Reconciliation reviewed and formally approved.
P03
SC31
1) FA Responsible (CFO-2) reconciles the CWIP schedule with the count or any relevant supporting documentation (civil work, loan interest, custom duties and freight). All differences are investigated, corrective actions performed and documented. 2) Final document is reviewed by the CFO-1.
Fixed Assets Responsible (GM-2)
Manual
Realized gain or loss calculation is prepared by CFO-1 and reviewed by CFO.
CFO
Manual
Detective
All assets to be counted at least once a year
Reconciliation reviewed and formally approved.
P03
SC33
Preventive
Each disposal
P04
Cash Management
IC01
In case where a supplier requests an advance payment above a threshold (predefined in MIC policy manual) and that no bank guarantees are given, the Purchasing Dept must request a service provider to assess the existence, quality and solvability of such supplier. A report must be obtained summarizing what the basis for the assessment was. The report must be reviewed internally by the Purchasing Dept and forwarded to the CFO for approval. Vendor complaints are summarized by the Purchasing Department in a log book and communicated once a month to the Accounting Responsible (CFO-1) for review (appropriate provision booked).
CFO
Manual
Preventive
Each time a new supplier requests an advance payment and no guarantees are given
P04
Cash Management
IC03
Manual
Detective
Monthly
P04
Cash Management
IC05
Before initiating a payment, the vendor balance is reviewed to ensure that no credit note exists and that previous invoices were paid.
Treasurer
Manual
Preventive
Each payment
P04
Cash Management
IC11
Customer Service Responsible prepares the log of complaints. The log must be maintained and reviewed monthly by the CFO to ensure appropriate provision has been booked. The log must include actions taken and current status of the complaint. Before the first submission of the monthly financial data, a bank reconciliation summary sheet is prepared by CFO-1 and includes for all bank accounts the status of the reconciliation and in case of incomplete reconciliation, the remaining unexplained amounts and the action plan to explain / correct those differences. This summary is then reviewed by CFO.
CFO
Manual
Detective
Monthly
P04
Cash Management
IC14
CFO
Manual
Detective
Monthly
P04
Cash Management
IC15
Supporting documents for petty cash advances approved
All petty cash advances are authorized.
Manual
Preventive
Each advance
P04
Cash Management
IC16
Manual
Preventive
Each advance
P04
Cash Management
IC17
The responsible manager reviews the original invoices supporting the cash expended and ensures that it was used for legitimate business purpose.
Manual
Preventive
Each advance
P04
Cash Management
IC18
Petty cash safe content must be counted at least once a month (using specific form for the reconciliation). Any discrepancy with the Petty Cash Register maintained by the Petty Cash Custodian must be investigated and escalated.
CFO-1 or CFO-2
Manual
Detective
Monthly
P04
Cash Management
SC02
P04
Cash Management
SC04
Aging balance report reviewed
The payable aging balance report is extracted and reviewed. In particular, all unpaid amounts for more than 6 months are analyzed and cleared.
CFO-1
Reconciliation of vendor statements with accounts payable
a) All vendors should be checked once a year (ongoing program - at least 1/12 of the supplier database a month) b) List of 20 top suppliers is obtained. CFO-3 prepares circularization letter and sends them to the selected suppliers. When answers are received from suppliers, a reconciliation is performed with the A/P. Differences are investigated, explained and actions are taken. If no answer is received within the following 2 weeks of the sent request, a reminder is sent to the supplier and any action performed to obtain the information is documented on a summary sheet listing the 20 suppliers selected.
Finance Responsible (CFO-1)
Manual
Detective
Monthly
Payable aging balance report reviewed and formally approved. Reconciliation reviewed and formally approved.
Manual
Detective
a) Monthly b) Quarterly
P04
Cash Management
SC06
Payment voucher / instructions / cheque authorized
Payment voucher / instruction / cheque is signed based on approved supporting documents.
Responsible according to approved authority matrix
Manual
Preventive
Each payment
P04
Cash Management
SC07
CFO reviews the list of authorized direct debit obtained from financial institutions and ensures that they were all approved and valid.
CFO
Manual
Detective
Quarterly
P04
Cash Management
SC08
Confirmation from financial institution of the cash deposit and of electronic payment reconciled with sales report
Cash reconciliation between billing and accounting system
The treasurer or collection department reconciles the sales report obtained from the billing system with the cash received confirmed by the financial institution (cash deposited and electronic payment confirmed).
Treasurer or Collection Responsible (GM-3)
Cash report from the billing system is reconciled to the accounting system. Any discrepancy is investigated, explained and actions are taken.
Treasurer or CFO-1
Manual
Detective
Daily
P04
Cash Management
SC09
Manual
Detective
P04
Cash Management
SC10
Reconciliation between banking summary and bank statements (dealers indirect sales force)
Upon receipt of the bank statements from the central cash account, the accounting department must reconcile the statements to the banking summary reports provided by the dealers. Any discrepancy must be investigated, documented and actions taken.
Accounting Responsible (GM-3)
Manual
Detective
Weekly
P04
Cash Management
SC12
CFO-1 verifies that any blocked deposits are properly identified in the accounts (versus cash free of encumbrance).
CFO-1
Manual
Detective
Quarterly
Extract of cash accounts from accounting system reviewed and formally approved with evidence of proper segregation X
P04
Cash Management
SC13
For all cash accounts, a reconciliation with bank statement is performed by CFO-2. All reconciled items are investigated, explained and corrective actions booked if any. This analysis includes also: - the clearing of old outstanding unreconciled items (above 2 months). - the review of zero-balance accounts (account in the accounting system should be blocked) - the review of uncashed cheques - the review of unapplied cash accounts All reconciliations are reviewed by CFO-1. Note: in case some reconciled items are not explained before end of the closing period, their investigation should continue the following month and be closed before the start of the next closing period.
Accounting Responsible (CFO-1)
Manual
Detective
Monthly for each account but recommended weekly for high usage accounts
Bank Reconciliation reviewed and formally approved.
P05
Debt Management
IC01
Loan Summary Form (including all loans terms and conditions) is completed by the Financial Responsible (CFO-1), reviewed and approved by CFO and HQ (Corporate Finance).
CFO
Manual
Preventive
P05
Debt Management
IC02
Cash receipt is matched against loan agreement to ensure that correct amount was received.
Treasury responsible (CFO-2)
Manual
Detective
P05
Debt Management
IC05
When a breach is identified, debt covenants computation is sent to HQ (Corporate Finance) for review. Evidence of this review is obtained by the CFO-1.
Finance Responsible (CFO-1)
All new loans and lines of credit in excess of USD 500,000 are to be discussed and agreed with Corporate Treasury before the operation enters into such agreements.
Treasury responsible (CFO-2)
Manual
Detective
Debt covenants computation reviewed and formally approved by HQ. Approval received from HQ.
P05
Debt Management
IC06
New loans and lines of credit in excess of USD 500K are approved by Corporate Treasury.
Manual
Preventive
P05
Debt Management
SC03
Interest and loan classification reviewed
Interest as per calculation sheet is reconciled with the accounts and loan classification between long-term and short-term is reviewed.
Manual
Detective
Monthly
P05
Debt Management
SC04
All covenants are computed by the Finance Responsible (CFO-1) based on current data and based on the company 12 months forecast. Breaches are identified and documented. Analysis is then reviewed by the CFO.
CFO
Manual
Detective
Covenants computation and breach identification memo reviewed and formally approved.
P06
Prepayment
IC01
After the accounting team has inputted the data related to prepayment into the Fixed Assets Register, an Accounting Responsible / Supervisor (CFO-2) reviews the prepayment parameters with the contract summary sheet.
Accounting Responsible / Supervisor (CFO-2)
Manual
Detective
Prepayment parameters sheet from FAR reconciled, reviewed and formally approved.
P06
Prepayment
SC02
Accounting Responsible (CFO-2) recomputes manually the monthly prepayment amortization, compares it to the amount automatically recorded in the accounting system and checks prepayment closing balance. Any discrepancies are investigated and explained. This analysis is then reviewed by the Accounting Responsible (CFO-1). Current and deferred taxes accruals are prepared by the Accounting Responsible (CFO-3) and reviewed by the CFO-2. CFO reviews and approves tax return prior to filing.
Manual
Detective
Monthly
P07
Taxes
IC01
Manual
Preventive
Monthly
P07
Taxes
IC02
CFO
Manual
Preventive
P07
Taxes
IC05
Tax booked in the accounts is compared to quarterly tax provision calculation or to tax assessment if any. The difference is identified and approved.
Manual
Preventive
P07
Taxes
IC06
Creation or update of tax parameters related to customer / supplier / product or service are reviewed before input in system.
Customer Care Responsible (GM-3) and Accounting Responsible (CFO-2)
Tax advisor (internal / external) documents in a memo the current tax status of all taxes applicable to the entity and specifically notes the recent tax changes. The memo is then reviewed by the CFO.
Customer Care Responsible (up to GM-3) and/or Accounts Payable/Receivable Responsible review any change made in the parameters of any customer or supplier, including supporting documentation for the change.
CFO reviews and approves tax return prior to filing.
CFO
Manual
Preventive
P07
Taxes
IC07
Manual
Preventive
P07
Taxes
IC08
Customer Care Responsible (up to GM-3) and/or Accounts Payable/Receivable Responsible (CFO-2)
Manual
CFO
Manual
Detective
Monthly
P07
Taxes
IC10
Preventive
P07
Taxes
SC03
Tax advisors (internal / external) perform the following activities: a) ensures that all direct taxes have been considered by using a checklist listing all required direct taxes, b) reviews the tax calculation including tax rate, c) reviews uncertain tax position, d) reviews the loss carry forward analysis prepared, e) reviews, if any, the tax assessment received from the Tax Administration. This analysis is then sent to CFO for review.
Accounting Responsible (CFO-1) prepares the reconciliation between the accounting base and the tax base and the one between the effective tax rate and the statutory tax rate. Both reconciliations are reviewed by the CFO.
Tax advisor (internal / external) performs the following activities: a) ensures that all indirect taxes have been considered by using a checklist listing all required indirect taxes, b) performs a rationalization test per indirect taxes rate for indirect taxes payable and receivable, c) reviews, if any, the tax assessment on indirect taxes received from the Tax Administration. In case of discrepancies, adjustment to be booked is clearly documented. Analysis performed is sent to CFO-1 for review.
The conclusion of the impairment test and computation of any impairment loss is reviewed by the CFO and GFC.
Reports programmed are controlled under IT general control environment.
CFO
Manual
Detective
P07
Taxes
SC04
Reconciliation between accounting and income tax base and between statutory and effective income tax rates reviewed
Internal / external tax advisor review on indirect tax approved
CFO
Manual
Detective
Quarterly
P07
Taxes
SC09
Manual
Detective
P08
Assets Impairment
SC01
Manual
Preventive
Quarterly
P09
Bad debts
SC01
Preventive
Continuous
P09
Bad debts
SC02
Total accounts receivable from the ageing balance is reconciled by the accounting team to the account receivables as per the general ledger. Purpose is to validate the adequacy of the aging balance reporting. Reconciliation is reviewed by Accounting Responsible (CFO-1).
Manual
Detective
Quarterly
P09
Bad debts
SC03
Interconnect and roaming partners, dealers and overdue postpaid subscribers (financial stress customers identified during the dunning process) are reviewed on an individual basis. For customers or partners facing financial stress, an additional provision is determined and reviewed by CFO-1. For balances above 120 days, the absence of a bad debt provision has to be reviewed and approved by Head of Region.
Accounting Responsible (CFO-1) and Head of Region
Manual
Detective
Quarterly
Calculation (and absence of a bad debt provision if any) reviewed and formally approved.
P09
Bad debts
SC04
Bad debt calculation reviewed
Based on the aging balance (postpaid subscriber only), the bad debt provision is calculated using the rule defined in the Policy Manual.
Accounting Responsible (CFO-1)
Contract details reviewed
Manual
Detective
Quarterly
P10
Contract Management
IC01
Contract is reviewed by legal department in order to ensure adequacy of the general terms and conditions.
Legal Responsible (GM-2)
Manual
Preventive
Each contract
P10
Contract Management
IC02
Signed contract is reviewed by the legal team in order to ensure that the contract has been signed by the other party and according to the authorized signatory as per the approved authority matrix.
Legal Responsible (GM-2)
Manual
Preventive
P10
Contract Management
IC03
Contract summary form is prepared by the requesting department and reviewed by Legal Responsible who includes a sequential contract reference number.
Preventive
Each contract
P10
Contract Management
SC04
Based on the contract and contract summary form, the accounting team determines the appropriate accounting treatment (as per MIC Accounting Policy Manual) and details any required calculation (pre-requisites for the journal entries booking). Final analysis is reviewed by Accounting Responsible (CFO-1).
Manual
Preventive
Each contract
P11
SC01
CAPEX open PO list reviewed
A list of all CAPEX purchase commitments is reviewed by the Purchasing Responsible to ensure accuracy of listed items and completeness.
Manual
Detective
Quarterly
P11
SC02
The list of pending litigation and lawsuits is reviewed by Legal Expert to ensure the accuracy of the description, status and estimated loss. In addition, he confirms/updates the probability of occurrence, based on his expert opinion.
Legal Expert (Internal Legal Counsel and/or External Provider)
List of pledged assets is prepared and reviewed.
CFO
Manual
Preventive
Quarterly
P11
SC03
Manual
Preventive
Quarterly
List reviewed and formally approved. Compliance Memo reviewed and formally approved.
P11
SC04
License agreement compliance analysis reviewed
Compliance of license and agreements with terms and conditions is monitored.
Manual
Preventive
Quarterly
P11
SC05
Based on a review of all contracts, a list is prepared summarizing all leasing contracts (financial and operating). This list is reviewed for accuracy and completeness.
Financial Responsible (CFO-1)
Manual
Preventive
Quarterly
P11
SC06
Summary of tax commitments and contingencies reviewed
List of tax commitments and contingencies is prepared and reviewed.
Tax Responsible (GM-2)
Manual
Preventive
Quarterly
P11
SC07
List of other commitments and contingencies and their supporting document reviewed
In order to capture all commitments and contingencies, a template is provided to all department heads in order to document any commitments or contingencies they would be aware of.
Detective
Quarterly
P12
SC01
Accounting Responsible (CFO-1) extracts from the accounting system a report listing the accounting parameters and reviews them for accuracy.
Manual
Preventive
P12
SC02
The Accounting System is configured for double-entry accounting and prevents the entry of duplicate journal numbers.
Automated
Preventive
Continuous
System parameterization
P12
SC03
Standard JE approval
Standard journal entries are - prepared by Accounting Responsible (CFO-3), - reviewed by Accounting Responsible (CFO-2), - authorized by Accounting Responsible (CFO-2) below a threshold predefined according to the approved authority matrix and by Accounting Responsible (CFO-1) above this threshold, - posted by Accounting Responsible (CFO-2 or CFO-1 depending on the threshold). Non-standard journal entries are - prepared by Accounting Responsible (CFO-3), - reviewed by Accounting Responsible (CFO-2), - authorized by Accounting Responsible (CFO-2) below a threshold predefined according to the approved authority matrix and by Accounting Responsible (CFO-1) above this threshold, - posted by Accounting Responsible (CFO-2 or CFO-1 depending on the threshold). End of month, a list of all the non-standard JEs is summarized by Accounting Responsible (CFO-1) and reviewed and approved by CFO.
Manual
Preventive
Standard journal entries and supporting documents reviewed and formally approved.
P12
SC04
Non-standard JE approval
Manual
Preventive
Non-standard journal entries and supporting documents reviewed and formally approved.
P12
SC05
CFO
Manual
Detective
Monthly
P12
SC06
Closing binder is prepared by the accounting team and includes all the evidence related to the month-end controls. A checklist is completed to ensure completeness and accuracy of controls performed and signed-off by the CFO.
CFO
After the import into the IFRS ledger, CFO-2 reconciles the local and IFRS ledgers. Any discrepancies are investigated and corrected.
Accounting Responsible (CFO-2)
Manual
Detective
Monthly
- Closing checklist reviewed and formally approved. - Closing binder including all supporting documents
P12
SC07
Manual
Detective
Monthly
P12
SC08
Manual
Detective
Monthly
P12
SC09
In the consolidation system, the transfer of data from the local accounting system is reviewed: in the promotion screen, the pass/fail box and the validation box need to be marked as ok. If it is not the case, the blocking validation screen is reviewed to detect the error. In specific situations and based on approved supporting documents, the manual journal entries to be booked in the consolidation system are prepared, reviewed, authorized and posted.
Automated
Detective
Monthly
P12
SC10
Preventive
Monthly
P12
SC11
Reporting binder is prepared by the Accounting Responsible (CFO-1) and includes all the documents supporting each reporting pack disclosure (a clear link should be evidenced between the reporting pack disclosure and the related supporting documents). Binder is then reviewed by CFO.
CFO
Manual
Detective
Quarterly
P12
SC12
CFO ensures the reporting pack has been approved by HQ (consolidation) by reviewing the promotion level
CFO
For all critical systems, platforms, applications and databases, there is a testing environment: - separated logically and/or physically from the production environment, - which allows adequate stress, unit, end-to-end testing - which reflects as much as possible the live environment (data in kind and quantity), - which is available for sufficient testing time
CIO
Manual
Detective
Monthly
P13
IC04
Testing for systems, platforms, applications and databases is performed in a testing environment
Manual
Preventive
Print copy of the catalogue and/or description of the testing environments are reviewed and formally approved
P13
IC10
Implementation of change/project is communicated to all relevant parties (end-users, stakeholders) to ensure they are aware of the change and its related impacts
Critical Systems IT Responsible(s)
Manual
Preventive
P13
IC11
The Logical Access Management policy (or security policy) is reviewed and approved to check that the management of user accounts for joiners, job changes and job termination is part of the policy (for both employees and contractors, for local and remote access...)
CIO
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Logical Access Management Policy (or Security Policy) is reviewed and formally approved
P13
IC26
Personal data and sensitive information are inventoried and adequately protected to ensure data confidentiality
Backup execution is reviewed
Personal data and sensitive information are adequately protected to ensure data confidentiality
Manual
Preventive
Quarterly
Security set-up for personal data and sensitive information privacy is reviewed and formally approved
P13
IC28
Backup execution results are documented in the backup journal and validated to ensure that backups are carried out on critical systems, platforms, applications and databases at least daily for data and weekly for configuration setups
Manual
Detective
Daily
P13
IC32
The formalized DRP is reviewed and approved Note: DRP and BCP plans should be updated whenever there is a large change implemented.
CIO and GM
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The DRP is reviewed and formally approved
Annually
The test results of the DRP are reviewed and formally approved
P13
IC33
CIO and GM
Manual
Preventive
P13
IC34
The Incident and Problem Management Policy and Procedures is reviewed to check that non-standard events are analyzed and resolved in a timely manner, including escalation procedures, supplier involvement if appropriate and a clear description of the process (flowchart for example)
CIO
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The Incident and Problem Management Policy is reviewed and formally approved
P13
IC35
Significant IT events or incidents and failures are monitored, communicated and resolved in a timely manner
Critical Systems IT Responsible(s)
Manual
Detective
P13
IC36
CIO and GM
Manual
Detective
Monthly
P13
IC39
The list of authorized software permitted for use by employees is documented and communicated
The list of authorized, tolerated and unauthorized software is formalized and reviewed
CIO
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
List of authorized, tolerated and unauthorized software is reviewed and formally approved
P13
IC40
The list of software installed is reviewed
The list of software installed and used on each computer and server is reviewed and reacted upon
Security Officer
Manual
Detective
Quarterly
P13
IC42
The results of scheduled jobs executions are communicated and approved
Summary of the batch jobs executions is communicated and approved to ensure batch jobs run properly
The operating procedures are reviewed and approved
Formalized operating procedures are in place and documented
CIO
Manual
Detective
Monthly
The job scheduling checklist and related results are reviewed and formally approved
Operating procedures are reviewed and formally approved
P13
IC43
CIO
Manual
Preventive
P13
IC44
An inventory listing all potential suspicious activities should be maintained to allow the monitoring of unauthorized activities
Change requests are authorized
An inventory listing all potential suspicious activities for each system should be maintained to allow the monitoring of unauthorized activities. This list should be updated based on experience and used to review unauthorized activities (P13.SC37).
CIO and Security Officer
Change request forms are completed, reviewed and approved
Business Owners and Stakeholders and Critical Systems IT Responsible(s)
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions) Bi-annually (period of 5 to 7 months required between control executions)
P13
SC01
Manual
Preventive
P13
SC02
Existing controls are identified, tested and redesigned if necessary
Existing controls (which may be affected by the design and implementation of changes) are identified and reported in the change request. Testing of the existing controls impacted is documented as part of the test plans in the change request. Change acceptance tests performed by Business Owners and Stakeholders include the testing of these controls. Appropriate actions are taken to modify or redesign these controls, if necessary, to retain their integrity
Change requests (including changes to critical end-user computing tools) have a test plan, a roll-out plan and a rollback plan developed prior to implementation
Test plan, roll-out plan and roll-back plan are formalized, reviewed and approved prior to implementation of the change
Manual
Preventive
Impact analysis of existing controls, and if appropriate tests results, are reviewed and formally approved
P13
SC03
Manual
Preventive
Test plan, roll-out plan and fallback plan are reviewed and formally approved
P13
SC05
Testing of interfaces between systems and the corresponding results are reviewed
Interface test results are formalized and reviewed to confirm that data transmissions are complete, accurate and valid and that interfaces are working properly
Manual
Preventive
At least every 3 years, and before a new or changed interface is put into production
Interfaces' test results are reviewed and formally approved
P13
SC06a
Test results are reviewed and approved before going live with the change in the production environment
Changes are tested, test results are reviewed and decision to go live in production is approved
Manual
Preventive
P13
SC06b
Implementation results are reviewed and approved after going live with the change in the production environment
Business Owners
Manual
Detective
P13
SC07a
Impact of change on the documentation and support service plans of critical systems, platforms, applications and databases is assessed and the documentation is updated if necessary
Documentation and support service plans for critical systems, platforms, applications and databases is reviewed
Impact of change on the documentation and support service plans of end-user computing tools is reviewed and the documentation is updated if necessary
Documentation and support service plans for end-user computing tools is reviewed
Changes in a critical system, platform application or database are subject to an impact analysis of the related documentation (user and operation procedures, manuals, technical documentation, support service plans, training materials, ) which is updated if necessary
Preventive
Documentation (including location) for changed critical systems, platforms, applications and databases is reviewed and formally approved
P13
SC07b
The documentation of critical systems, platforms, applications and databases (user and operation procedures manuals, technical documentation, support service plans, training materials, ) is reviewed to ensure sufficiency against business needs
Changes to end-user computing tools are subject to an impact analysis of the related documentation (user and operation procedures, manuals, technical documentation, training materials, ) which is updated if necessary
Detective
List of available documentation (including location) for critical systems, platforms, applications and databases is reviewed and formally approved
Documentation (including location) for changed end-user computing tools is reviewed and formally approved
P13
SC08a
Business Owners
Manual
Preventive
P13
SC08b
The documentation of end-user computing tools (user and operation procedures manuals, technical documentation, training materials, ) is reviewed to ensure sufficiency against business needs
Business Owners
Emergency changes are reviewed to assess legitimacy and compliance with change management policies and procedures
CIO and GM
Manual
Detective
Bi-annually (period of 5 to 7 months required between control executions)
Every emergency change
List of available documentation (including location) for end-user computing tools is reviewed and formally approved
Emergency changes documentation is reviewed and formally approved
P13
SC09
Manual
Detective
P13
SC12
Matrix of profiles (and related rights) are reviewed and mapped to job descriptions
The profiles/roles in the systems, platforms, applications and databases are mapped to each job description (up-to-date), to ensure that related access rights granted via the profiles are commensurate with job/position responsibilities
Business Owners/Critical Systems Responsibles and Human Resources.
Manual
Preventive
The profiles matrix (and related rights) related to each job description are reviewed and formally approved
P13
SC14
Provisioning / deprovisioning forms are reviewed and approved to grant users only the access they need
The logical access request forms for joiners, job changes and job terminations for employees, contractors, vendors and non-client personnel are:
- prepared and approved by the Head of Department (of the employee or contracting a third-party),
- reviewed and approved by the Human Resources Responsible vs. the job description for legitimacy and segregation of duties purposes,
- processed by the IT Staff
Human Resources prepares a monthly list of all transfers and leavers which is used by the Security Officer to verify that the relevant access rights have been modified or revoked
Manual
Preventive
P13
SC15
Accesses to systems, platforms, applications and databases is reviewed against the list of all transfers and leavers
Detective
Monthly
Review of accesses vs. the list of transfers and leavers is formally approved
P13
SC16
Access rights to systems, platforms, applications and databases that are granted (through profiles) are reviewed, updated if necessary and approved
The complete access rights (granted through allocation of profiles) are reviewed to check that:
- access rights are in line with employee's position and responsibilities in the company (job description) and that these are still aligned with need-to-have and segregation of duties principles
- all users of systems, platforms, applications and databases receive a unique user ID by which they can be uniquely identified (any exception to this rule must be well documented, rationalized and approved)
- temporary accounts, generic accounts, applicative accounts are legitimate and adequately supported by documentation
Manual
Detective
Quarterly
P13
SC17
Access for migrating new/modified systems, platforms, applications and databases into the production environment is restricted
User access rights are reviewed and approved to check that:
- only authorized personnel has access for migrating new/modified systems, platforms, applications and databases into the production environment;
- user access rights are in line with job description;
- this personnel is not authorized to perform any development.
Manual
Detective
Quarterly
User access rights related to the migration of new/modified systems, platforms, applications and databases are reviewed and formally approved
P13
SC18
Privileged access (admin, super users) to systems, platforms, applications and databases is reviewed and approved
The list of usernames (and corresponding persons) with privileged/powerful access rights to systems, platforms, applications and databases is reviewed to ensure that capability to issue powerful commands is limited to appropriate individuals
Manual
Detective
Quarterly
List of usernames (and corresponding persons) granted with privileged/powerful access rights to systems, platforms, applications and databases is reviewed and formally approved
P13
SC19
End-user computing tools are secured from unauthorized access and use
End-user computing tools (such as spreadsheets and other end-user programs) are placed on secured directories, for which the list of usernames (and corresponding persons) with access to these, is reviewed to ensure that accesses respect the need-to-have principles
Note: End-user computing tools are all tools created by business department personnel not limited to only spreadsheets (e.g. Excel Macro, Excel reconciliation spreadsheets, MS Access tools) that are used to compute or control figures of Financial Statement.
Manual
Detective
Quarterly
User access rights list to end-user computing tools is reviewed and formally approved
P13
SC20
Access rights granted to vendors and contractors are strictly limited in terms of time and profile (need-to-have basis)
The access rights granted to providers (including generic, application and maintenance accounts) are reviewed to assess the need-to-be of active vendors' accounts
Human Resources Responsible and Security Officer and Critical Systems IT Responsible(s)
Manual
Detective
Monthly
The vendors/contractors accounts and related access rights are reviewed and formally approved
P13
SC21
Remote access connection capability from vendors, contractors and employees is adequately limited
The timeframe and business requirements for remote access granted to vendors, contractors and employees is reviewed
Detective
Monthly
The list of user accounts with remote access capability is reviewed and formally approved
P13
SC22
Remote access connections from vendors, contractors and employees is monitored
Activities on network components performed during remote access are monitored by the Critical Systems Technical Responsible through review and documentation of the activity logs (connection, tasks performed, disconnection) to ensure they are in line with the planned remote activities. The monitoring of connection/disconnection to the VPN platform (if any) is the responsibility of the Critical System IT Responsible.
Critical Systems IT Responsible(s)
The reports on remote connections are communicated and approved
Remote connections and the related activities performed are reported
Security Officer and CIO
Manual
Detective
The logs of activities from remote connections vs. planned activities are reviewed and formally approved
P13
SC23
Manual
Detective
Monthly
Reports on remote connections and activities performed are reviewed and formally approved
P13
SC24
The security set-up for the critical information is reviewed to ensure that only authorized users are in the list
Password files, authorization tables, communications software, encryption keys and critical installation programs are stored in logically protected areas or otherwise protected from read-and-write access
Security Officer and CIO
Manual
Detective
Quarterly
P13
SC25
The set-up for passwords of each system, platform, application and database is reviewed
Password controls to critical network and systems, platforms, applications and databases are in effect and consider minimum security rules (where technically feasible)
Manual
Preventive
Security rules implemented in the systems, platforms, applications and databases (print screens, ) are reviewed and formally approved
P13
SC27
Storage and backup principles are formalized and approved
Retention periods, backup and storage terms are defined for documents, data, programs, reports and messages, as well as the data (keys, certificates) used for their encryption and authentication, while considering the classification of company data/information sensitivity
CIO and Legal or Regulatory Responsible
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Retention periods and storage terms are reviewed and formally approved
P13
SC29
P13
SC30
The backup journal is reviewed to ensure that backups are carried out on critical systems, platforms, applications and databases at least daily for data and weekly for configuration setups
CIO
The backup restore journal is reviewed to verify the results of the restore tests
Critical Systems IT Responsible(s) and CIO
Manual
Detective
Monthly
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The restore journal is reviewed and formally approved
P13
SC31
Only authorized individuals have access to the back-up data and media
The list of individuals able to access the backups (physically and logically, on media and on logical drives, onsite and off-site) is reviewed vs. the authorizations
CIO
Manual
Detective
Quarterly
The review of accesses to backups vs. the authorizations is reviewed and formally approved
P13
SC37
Unauthorized activities attempts recorded in audit trails (logs) on key systems and network components are reviewed
Unauthorized activities attempts (successful and unsuccessful) done at network, systems, platforms, applications and databases level are identified and reacted upon in an appropriate way. It does include a review of firewall / IDS logs to detect any hacking intrusion attempt.
Critical Systems IT Responsible(s) and Security Officer
Unauthorized activities and their resolution and status are reported
CIO and GM
Manual
Detective
Weekly
The security logs and unauthorized activities highlighted are reviewed and formally approved
P13
SC38
Manual
Detective
Monthly
P13
SC41
The daily job scheduling checklists and corresponding results are reviewed
Batch jobs are scheduled and monitored to ensure they run as needed and to completion
Manual
Detective
Daily
The job scheduling checklist and related results are reviewed and formally approved
P14
IC04
Testing for systems, platforms, applications and databases is performed in a testing environment
For all critical systems, platforms, applications and databases, there is a testing environment:
- separated logically and/or physically from the production environment,
- which allows adequate stress, unit, end-to-end testing
- which reflects as much as possible the live environment (data in kind and quantity),
- which is available for sufficient testing time
CTO
Manual
Preventive
Print copy of the catalogue and/or description of the testing environments are reviewed and formally approved
P14
IC09
Implementation of change/project is communicated to all relevant parties (end-users, stakeholders) to ensure they are aware of the change and its related impacts
Critical Systems Technical Responsible(s)
Manual
Preventive
P14
IC10
The Logical Access Management policy (or security policy) is reviewed and approved to check that the management of user accounts for joiners, job changes and job termination is part of the policy (for both employees and contractors, for local and remote access...)
CTO
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Logical Access Management Policy (or Security Policy) is reviewed and formally approved
P14
IC20
Backup execution results are documented in the backup journal and validated to ensure that backups are carried out on critical systems, platforms, applications and databases at least daily for data and weekly for configuration setups
Detective
Daily
P14
IC24
The formalized DRP is reviewed and approved Note: DRP and BCP plans should be updated whenever there is a large change implemented.
CTO and GM
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The DRP is reviewed and formally approved
Annually
The test results of the DRP are reviewed and formally approved
P14
IC25
CTO and GM
Manual
Preventive
P14
IC26
The Incident and Problem Management Policy and Procedures is reviewed to check that non-standard events are analyzed and resolved in a timely manner, including escalation procedures, supplier involvement if appropriate and a clear description of the process (flowchart for example)
CTO
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The Incident and Problem Management Policy is reviewed and formally approved
P14
IC27
Significant NW events or incidents and failures are monitored, communicated and resolved in a timely manner
Critical Systems Technical Responsible(s)
Manual
Detective
P14
IC28
CTO and GM
Manual
Detective
Monthly
P14
IC31
The operating procedures are reviewed and approved
Formalized operating procedures are in place and documented
CTO
Manual
Preventive
P14
IC32
An inventory listing all potential suspicious activities should be maintained to allow the monitoring of unauthorized activities
Change requests are authorized
An inventory listing all potential suspicious activities for each system should be maintained to allow the monitoring of unauthorized activities. This list should be updated based on experience and used to review unauthorized activities (P14.SC29).
CTO and Security Officer
Change request forms are completed, reviewed and approved
Business Owners and Stakeholders and Critical Systems Technical Responsible(s)
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Bi-annually (period of 5 to 7 months required between control executions)
P14
SC01
Manual
Preventive
P14
SC02
Existing controls are identified, tested and redesigned if necessary
Existing controls (which may be affected by the design and implementation of changes) are identified and reported in the change request. Testing of the existing controls impacted is documented as part of the test plans in the change request. Change acceptance tests performed by Business Owners and Stakeholders include the testing of these controls. Appropriate actions are taken to modify or redesign these controls, if necessary, to retain their integrity
Change requests (including changes to critical end-user computing tools) have a test plan, a roll-out plan and a rollback plan developed prior to implementation
Test plan, roll-out plan and roll-back plan are formalized, reviewed and approved prior to implementation of the change
Manual
Preventive
Impact analysis of existing controls, and if appropriate tests results, are reviewed and formally approved
P14
SC03
Preventive
Test plan, roll-out plan and fallback plan are reviewed and formally approved
P14
SC05
Testing of interfaces between systems and the corresponding results are reviewed
Interface test results are formalized and reviewed to confirm that data transmissions are complete, accurate and valid and that interfaces are working properly
Preventive
At least every 3 years, and before a new or changed interface is put into production
Interfaces' test results are reviewed and formally approved
P14
SC06a
Test results are reviewed and approved before going live with the change in the production environment
Changes are tested, test results are reviewed and decision to go live in production is approved
Manual
Preventive
P14
SC06b
Implementation results are reviewed and approved after going live with the change in the production environment
Business Owners
Manual
Detective
P14
SC07a
Impact of change on the documentation and support service plans of critical systems, platforms, applications and databases is assessed and the documentation is updated if necessary
Changes in a critical system, platform application or database are subject to an impact analysis of the related documentation (user and operation procedures, manuals, technical documentation, support service plans, training materials, ) which is updated if necessary
Manual
Preventive
Documentation (including location) for changed critical systems, platforms, applications and databases is reviewed and formally approved
P14
SC07b
Documentation and support service plans for critical systems, platforms, applications and databases is reviewed
Emergency changes are reviewed
The documentation of critical systems, platforms, applications and databases (user and operation procedures manuals, technical documentation, support service plans, training materials, ) is reviewed to ensure sufficiency against business needs
Emergency changes are reviewed to assess legitimacy and compliance with change management policies and procedures
Manual
Detective
List of available documentation (including location) for critical systems, platforms, applications and databases is reviewed and formally approved
Emergency changes documentation is reviewed and formally approved
P14
SC08
CTO and GM
Manual
Detective
P14
SC11
Provisioning / deprovisioning forms are reviewed and approved to grant users only the access they need
The logical access request forms for joiners, job changes and job terminations for employees, contractors, vendors and non-client personnel are:
- prepared and approved by the Head of Department (of the employee or contracting a third-party),
- reviewed and approved by the Human Resources Responsible vs. the job description for legitimacy and segregation of duties purposes,
- processed by the Technical Staff
The complete access rights (granted through allocation of profiles) are reviewed to check that:
- access rights are in line with employee's position and responsibilities in the company (job description) and that these are still aligned with need-to-have and segregation of duties principles
- all users of systems, platforms, applications and databases receive a unique user ID by which they can be uniquely identified (any exception to this rule must be well documented, rationalized and approved)
- temporary accounts, generic accounts, applicative accounts are legitimate and adequately supported by documentation
The list of usernames (and corresponding persons) with privileged/powerful access rights to systems, platforms, applications and databases is reviewed to ensure that capability to issue powerful commands is limited to appropriate individuals
Manual
Preventive
P14
SC12
Access rights to systems, platforms, applications and databases that are granted (through profiles) are reviewed, updated if necessary and approved
Detective
Quarterly
P14
SC13
Privileged access (admin, super users) to systems, platforms, applications and databases is reviewed and approved
Manual
Detective
Quarterly
List of usernames (and corresponding persons) granted with privileged/powerful access rights to systems, platforms, applications and databases is reviewed and formally approved
P14
SC14
Access rights granted to vendors and contractors are strictly limited in terms of time and profile (need-to-have basis)
The access rights granted to providers (including generic, application and maintenance accounts) are reviewed to assess the need-to-be of active vendors' accounts
Human Resources Responsible and Security Officer and Critical Systems Technical Responsible(s)
Manual
Detective
Monthly
The vendors/contractors accounts and related access rights are reviewed and formally approved
P14
SC15
Remote access connection capability from vendors, contractors and employees is adequately limited
The timeframe and business requirements for remote access granted to vendors, contractors and employees is reviewed
Detective
Monthly
The list of user accounts with remote access capability is reviewed and formally approved
P14
SC16
Remote access connections from vendors, contractors and employees is monitored
Activities on network components performed during remote access are monitored by the Critical Systems Technical Responsible through review and documentation of the activity logs (connection, tasks performed, disconnection) to ensure they are in line with the planned remote activities. The monitoring of connection/disconnection to the VPN platform (if any) is the responsibility of the Critical System IT Responsible
The reports on remote connections are communicated and approved
Critical Systems Technical Responsible(s) and Critical System IT Responsible(s) (if applicable)
Manual
Detective
The logs of activities from remote connections are reviewed and formally approved
P14
SC17
Activities performed on network components during remote access are reported and reviewed by the Security Officer and the CTO. Remote connections to the VPN platform (if any) are reported and reviewed by the Security Officer and the CIO
Security Officer, CTO and CIO (if applicable)
Manual
Detective
Monthly
Reports on remote connections and activities performed are reviewed and formally approved
P14
SC18
The set-up for passwords of each system, platform, application and database is reviewed
Password controls to critical network and systems, platforms, applications and databases are in effect and consider minimum security rules (where technically feasible)
Manual
Preventive
Security rules implemented in the systems, platforms, applications and databases (print screens, ) are reviewed and formally approved
P14
SC19
Storage and backup principles are formalized and approved
Retention periods, backup and storage terms are defined for documents, data, programs, reports and messages, as well as the data (keys, certificates) used for their encryption and authentication, while considering the classification of company data/information sensitivity
CTO and Legal or Regulatory Responsible
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Retention periods and storage terms are reviewed and formally approved
P14
SC21
P14
SC22
The backup journal is reviewed to ensure that backups are carried out on critical systems, platforms, applications and databases at least daily for data and weekly for configuration setups
CTO
Manual
The backup restore journal is reviewed to verify the results of the restore tests
Critical Systems Technical Responsible(s) and CTO
Manual
Detective
Monthly
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The backup restore journal is reviewed and formally approved
P14
SC23
Only authorized individuals have access to the back-up data and media
The list of individuals able to access the backups (physically and logically, on media and on logical drives, onsite and off-site) is reviewed vs. the authorizations
CTO
Manual
Detective
Quarterly
The review of accesses to backups vs. the authorizations is reviewed and formally approved
P14
SC29
Unauthorized activities attempts recorded in audit trails (logs) on key systems and network components are reviewed
Unauthorized activities attempts (successful and unsuccessful) done at network, systems, platforms, applications and databases level are identified and reacted upon in an appropriate way. It does include a review of firewall / IDS logs to detect any hacking intrusion attempt.
Critical Systems Technical Responsible(s) and Security Officer
Manual
Detective
Weekly
The security logs and unauthorized activities highlighted are reviewed and formally approved
P14
SC30
CTO and GM
Manual
Detective
Monthly
P15
IC01
Terms & conditions set out in the interconnect agreement must be reviewed for their technical/financial terms by the relevant departments.
GM
Manual
Preventive
P15
IC02
All provisioned changes to trunks and routing data are reported and reviewed on a daily basis.
A report (based on a predefined query) summarizes any changes to the settings of the Switch and/or interconnect billing system (i.e. destinations etc.). This report is reviewed and approved by the Billing Manager. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Billing Manager
Daily
- Description and system documentation (technical / functional description) on how the alarm / exception report works.
- Upon occurrence, exception / alarm reports are reviewed and formally approved OR if a daily report comes out, daily report is reviewed and formally approved
P15
IC03
Identify the source of the rejection (if possible) and try to resolve the problem in order to prevent the event from happening in the future. Furthermore, the rejected EDRs are recuperated where possible. This process occurs continuously and the events that happen the most are tackled first.
Billing Staff
Daily
- Formal procedure / task description of reviewing and resolving rejected EDRs.
- Exception / reject reports are reviewed and formally approved
P15
IC04
Reconciliation of reference data (e.g. trunk groups and gateway transit routes) in the Switch, Mediation and interconnect billing system
Reference data (i.e. Trunk and gateway transit routes) needs to be reconciled between Switch and Interconnect Billing System per operator. I.e. validating that the operator trunk code and gateway transit routes are linked to the correct operator by the interconnect billing system. The reconciliation should include the mediation in case of filtration rules defined based on Trunk Groups on Mediation Device.
Billing Manager
Manual
Detective
Reconciliation report of reference data in Switch, Mediation and interconnect Billing system is reviewed and formally approved
P15
IC08
Check whether all the invoices generated are sent out to the relevant operators.
CFO-2
Manual
Detective
Monthly
Check list of invoices generated and sent out is reviewed and formally approved
P15
SC05
All rejected EDRs are formally reported during the interconnect bill run
EDRs not corrected are reviewed by CFO and Local Revenue Assurance Manager before clearing them from the Billing System (based on delegation of authority and local regulations).
P15
SC06
Mediation output is reconciled with Interconnect billing input and output
Reconciliation of output from the Mediation device with the input into the Interconnect Billing System and its output (or support system such as a database or data warehouse) in number of EDRs and in number of minutes. This is a standard MIC input / output report.
Billing Manager
Daily
Reconciliation report (Mediation output with Interconnect Billing input and output) is reviewed and formally approved
P15
SC07
Detailed interconnect revenue invoice validation
The monetary values, the minutes and events in the interconnect revenue invoices are checked for their accuracy.
CFO-1
Manual
Detective
Monthly
Check list of interconnect revenue invoice validation is reviewed and formally approved
P15
SC09
Usage Report (EDRs Count, Minutes etc) from other operators are reconciled with the registered traffic sent to them
Usage Report (EDRs Count, Minutes etc) received from the other operators are reconciled with the output from the Interconnect Billing system by the Billing Manager. If the figures deviate from a preset tolerance limit (threshold), a detailed analysis is needed (exchange of EDRs may be necessary in this case).
Billing Manager
Manual
Detective
Monthly
Analysis report of the deviations (Interconnect usage figures) is reviewed and formally approved
P15
SC10
P15
SC11
Payable invoices from other operators are reconciled with the Usage Report reconciliation
All payable invoices that are accepted are subject to approval
Payable interconnect invoices received from the other operators by the Interconnect Manager are reconciled with the Usage Report (EDRs Count, Minutes etc) reconciliation done in SC9.
Interconnect Manager
All payable invoices of interconnect operators that are accepted are subject to an approval of the Interconnect Manager and GM.
GM and Interconnect Manager
Manual
Detective
Monthly
Analysis report of the deviations (Interconnect invoices) is reviewed and formally approved
Invoices of Interconnect operators are reviewed and formally approved before payment
Manual
Detective
Monthly
P15
SC12
All the accounting records in relation to interconnection revenue & cost are verified by the CFO-1 before posting into the GL.
CFO-1
Manual
Preventive
Monthly
P15
SC13
Revenue and cost data in the interconnect billing system (both accruals and invoices) is reconciled with the accounting system
Comparison of interconnect revenue & cost booked in the accounting system with the revenue/cost from the interconnect billing system & the invoices sent out/received.
CFO
Manual
Detective
Monthly
Reconciliation report (interconnect costs/revenues in Billing system and Accounting system) is reviewed and formally approved
P15
SC14
Netting of invoices is reviewed by the CFO-1
Validation of the invoices netted off and the resulting values.
CFO-1
Manual
Detective
Monthly
Interconnect netting validation report is reviewed and formally approved
Roaming agreement is reviewed and formally approved
P16
IC01
Formal review and approval of all roaming agreements
Terms & conditions set out in the roaming agreement must be reviewed for their technical/financial terms by the relevant departments.
GM
Manual
Preventive
P16
IC03
All provisioned roaming changes on the Switch and Roaming Billing system are reported (by means of a predefined query) and reviewed on a daily basis. This is done based on a report that runs daily.
If the TAP OUT files generation is outsourced to Mach, validation over Mach changes reported by Mach are reviewed. Changes done at Mach side are available and should be reviewed through their 'Service Ticketing System'.
Category Manager
Daily
Report on all changes done on the Switch and Roaming Billing System / Mach Platform (via 'Service Ticketing System') are reviewed and formally approved
P16
IC05
Roaming high usage reports received from visited operators are reviewed by the Credit & Collection Manager-1 on a daily basis. Any actions taken based on this report should be communicated to and executed by the Billing Manager -1. If NRTRDE is implemented, High Usage Reports have to be reported through use of Fraud detection system handling the NRTRDE files. The File Delivery Report (FDR) from Mach has also to be used to ensure that all files that were sent have been received, and to identify any missing file. In addition, the Error Report (ER), listing any errors encountered by the HPMN to process the NRTRDE records, should be reviewed and appropriate actions should be taken together with Mach to prevent future errors.
Credit & Collection Manager -1 and Billing Manager -1
Daily
High usage reports with documentation of corrective actions and underlying reasons are reviewed and formally approved. For NRTRDE (Near Real Time Roaming Data Exchange), NRTRDE High Usage reports should be reviewed including FDR and ER
P16
IC09
Validation on whether the IMSI, MIN, ... numbers belong to your subscribers
All the A numbers contained in the Outbound Roaming records are compared with the subscribers database, in order to verify whether the record pertains to your subscribers Outbound Roaming.
Manual
Detective
Daily
Reconciliation report (A numbers in TAP IN vs subscribers database) is reviewed and formally approved
P16
IC10
The upload and conversion of TAP IN files is followed up and reported on a daily basis.
Billing Manager -1
Manual
Detective
Daily
Report on the successful / failed TAP IN file uploads and conversions is reviewed and formally approved
P16
IC13a
Analyze and resolve rejected Inbound Roaming EDRs at the Billing System
Identify the source of the rejection (if possible) and try to resolve the problem in order to prevent the event from happening in the future. Furthermore, the rejected EDRs should be recuperated if possible. This process occurs continuously and the events that happen the most are tackled first.
Billing Staff
Daily
Rejected EDRs report (Billing system level) is reviewed and formally approved
P16
IC13b
Analyze and resolve Inbound Roaming EDRs rejected during the MBF and TAP OUT generation
Identify the source of the rejection (if possible) and try to resolve the problem in order to prevent the event from happening in the future. Furthermore, the rejected EDRs should be recuperated if possible. This process occurs continuously and the events that happen the most are tackled first. Rejections are investigated from two sources: - during MBF files generation; - during MACH TAP OUT files generation. Rejected EDRs are listed in MACH COM portal (Rejected, CDR Details Report) including the reason of their rejection. These rejections have to be investigated and corrected if possible together with Mach support.
Billing Staff
Daily
Rejected EDRs reports (Mediation and MACH level) are reviewed and formally approved
P16
IC15
Daily review of the high usage reporting + validation of the sending of any existing high usage reports
The Billing Manager verifies that the Billing system/Fraud system generates and sends out the high usage report for subscribers visiting your network each day. In case of NRTRDE, files are stored on MACH server every 4 hours.
Billing Manager
Manual
Detective
Daily
High usage reports are reviewed and formally approved. In case of NRTRDE, files are stored on MACH server every 4 hours (all such reports can be reviewed on a subsequent day from occurrence)
P16
IC24
IOT updates and rating information for new roaming partners are sent to MACH at least 4 weeks before the agreed start date of application.
Billing Manager
Manual
Preventive
P16
SC02a
Reconciliation of inbound roaming settings in the Switch and corresponding settings in the inbound roaming Billing System and Mediation device (if required)
There is a reconciliation between the inbound roaming settings (IMSI ranges per operator) on the Switch against the corresponding settings in the roaming Billing System and Mediation Device. The reconciliation report should include the underlying reasons of discrepancies and corrective actions.
Billing Manager
Monthly
Inbound roaming settings reconciliation report (Switch vs. Mediation vs. Roaming Billing System) is reviewed and formally approved
P16
SC02b
Reconciliation of inbound roaming settings in the Switch and corresponding settings in the Mediation device.
There is a reconciliation between the inbound roaming settings (IMSI ranges per operator) on the Switch against the corresponding settings in the Mediation device. The reconciliation report should include the underlying reasons of discrepancies and corrective actions.
Billing Manager
Monthly
Inbound roaming settings reconciliation report (Switch vs. Mediation device) is reviewed and formally approved
P16
SC06
Duplicate check on Outbound Roaming EDRs
The TAP IN processor (or the postpaid billing system) checks for duplicates based on certain fields in a call record that are equal. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Billing Staff
Daily
P16
SC07
Billing Manager -1
Manual
Detective
Daily
P16
SC08
Reconciliation of rates applied in the records in the TAP IN file with rates agreed upon.
There is reconciliation between the rates applied in the records from the TAP IN files with rates agreed upon. This reconciliation may be performed on a relevant sample of TAP IN files if the control is performed completely manually. It is however preferred to perform the reconciliation on all TAP IN files.
Billing Manager -1
Daily
Reconciliation report (rates applied in TAP IN file with those agreed upon) is reviewed and formally approved
P16
SC11
Validation of currency conversion rates used to convert SDR values in local currency values
The currency conversion from SDR values in the TAP IN records to local currency is timely updated and performed by the Billing Manager and reviewed by the CFO-1.
CFO-1
Monthly
Validation report of the currency conversion from SDR values is reviewed and formally approved
P16
SC12
Reconciliation of Billing records contained in TAP IN files with the Roaming records in the Billing System or Prepaid EDRs
There is a reconciliation between the billing records contained in TAP IN records with the roaming records uploaded in the postpaid billing system. Note: Wherever Prepaid Camel is offered for Out roamers, the TAP IN EDRs (received for Prepaid roaming) should be reconciled with prepaid EDRs.
Billing Manager
Reconciliation report (TAP IN vs Postpaid Billing system and Prepaid platform for Camel) is reviewed and formally approved
P16
SC14a
All rejected Inbound Roaming EDRs in Billing System are formally reported during the TAP OUT file generation
Prepare a report on all Inbound Roaming records, together with relevant explanations at the TAP OUT file generation.
Billing Manager, Local Revenue Assurance Manager and CFO
Manual
Detective
Monthly
Rejected (and not corrected) EDRs report is reviewed and formally approved
P16
SC14b
All Inbound Roaming EDRs rejected during MBF generation are formally reported
All Inbound Roaming EDRs rejected during both MBF and TAP OUT generation (Rejected Process Summary Report) are formally reported
Billing Manager, Local Revenue Assurance Manager and CFO
Manual
Detective
Monthly
Rejected (and not corrected) EDRs report is reviewed and formally approved
P16
SC16
Sequential numbering of TAP OUT file
All TAP out files have a unique sequential identification number. There is a validation on the sequence number.
Billing Manager -1
Daily
P16
SC17a
Detailed validation on the correctness of the rating of the records in the TAP OUT file.
Billing Manager -1
P16
SC17b
Review the exception report on the IOT check (Detail Report) provided by Mach. All exceptions have to be investigated together with Mach.
Billing Manager -1
Daily
Exception report on the IOT check (Detail Report) is reviewed and formally approved
P16
SC18a
The output from the Mediation is reconciled with the Inbound Roaming Billing System output (with all the sub steps)
Reconciliation of Mediation output with the Inbound Roaming Billing System output in number of EDRs and in number of minutes / bytes. This is a standard MIC input / output report.
Billing Manager
Daily
Reconciliation report (Mediation vs Billing system) is reviewed and formally approved
X
P16
SC18b
The output from the Mediation is reconciled with the Mach TAP creation report
Reconciliation of Mediation output (MBF files or raw CDRs) with the Mach 'TAP creation report for Revenue Assurance' in number of EDRs and in number of minutes / bytes.
Billing Manager
Daily
Reconciliation report (Mediation vs Mach 'TAP creation report for Revenue Assurance') is reviewed and formally approved
P16
SC19
Validation with Clearing House of TAP OUT file sent
Check whether the Clearing House has received the TAP Out files sent by the MIC subsidiary.
Billing Manager -1
Manual
Detective
Daily
Report of TAP OUT files received by the Clearing House is reviewed and formally approved
P16
SC20
Validation of clearing house netting results by comparing difference retrieved TAP IN and created TAP OUT
Comparison of the Summary report sent by the Clearing House against the MIC subsidiary's own Tap IN & Tap OUT details.
CFO-1
Manual
Detective
Monthly
Reconciliation report (netting vs. TAP IN & TAP OUT) is reviewed and formally approved
P16
SC21
All the accounting records in relation to roaming revenue & cost are verified by the CFO-1 before posting into the GL.
CFO-1
Manual
Preventive
Monthly
Specific approval form for bookings is reviewed and formally approved AND/OR Adequate access security / segregation of duties setup in the accounting system (i.e. only the CFO-1 can actually post journal entries) is reviewed and formally approved
P16
SC22
Accounting journal entries are reconciled with MACH reports
The CFO reviews and validates the proposed Roaming revenue and cost bookings in the accounting system with the MACH reports.
CFO
Manual
Detective
Monthly
Reconciliation report (Journal Entries vs Mach reports) is reviewed and formally approved
P16
SC23
Tariffs applied to TAP OUT are reviewed against those of the signed agreement (AA14) with all roaming partners. All agreements have to be reviewed once a year, with 25% of roaming partners being reviewed quarterly on a rolling basis.
Billing Manager -1
Quarterly
Reconciliation report (AA14 vs TAP out rates setup) is reviewed and formally approved
P17
IC01
A formal credit check is performed for each postpaid subscriber before provisioning
For each new postpaid subscriber recommended by the Go-to-Market Department, a formal credit check is performed based on the approved Commercial policy to review and assess the credit status and reputation of the subscriber.
Manual
Preventive
P17
IC02
A specific exception form exists on the acceptance of subscribers that do not comply with the Commercial policy / credit check limits
A specific exception form (prepared and justified by the Sales department) exists on the acceptance of postpaid subscribers that do not comply with the Commercial policy.
Credit and Collection Manager
Manual
Preventive
P17
IC03
A specific exception form exists on the acceptance of exceptional discounts that do not comply with the Commercial policy
A specific exception form (prepared and justified by the Sales department) exists on the acceptance of exceptional discounts that do not comply with the Commercial Policy.
Manual
Preventive
P17
IC05
A formal verification is made to ensure that all credit limits reported are implemented in accordance with the Commercial policy.
Daily
P17
IC06
All manually provisioned changes to critical subscriber data are automatically reported and reviewed
All manually provisioned changes to critical subscriber data (in the Switch and Billing environment) are automatically reported (based on a predefined query) and reviewed. The review verifies whether the reported provisioned changes equal the approved subscriber data change requests. Critical subscriber data is (but not limited to): name, address, services and status.
Consumer Manager
Daily
Formal report of all provisioned changes in both the switch and billing environment is reviewed and formally approved. Each provisioned change is matched with an approved change request.
P17
IC08
A standard report with all tariff changes is generated and signed off on a daily basis
A standard (predefined query) report with all tariff changes is generated and signed off on a daily basis. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence. When the control is based on an alarm: the approval must be attached to the exception report.
Category Manager
Manual
Detective
Daily
P17
IC11
Analyze and resolve corrupted EDRs at the mediation level
Identify the source of the corruption (e.g. A or B number not clear) and try to resolve the problem in order to prevent the event from happening in the future. Furthermore, the corrupted EDRs should be recuperated if possible. This process should occur continuously and the events, which happen the most, should be tackled first.
Billing staff
Daily
Upon occurrence, exception / alarm reports on corrupted EDRs are reviewed and formally approved OR if a daily report comes out, a daily report is reviewed and formally approved
P17
IC12
Analyze the filtered non-billable EDRs based on the reason for filtering and obtain proper approval. If no filtering occurs then this control is not applicable.
Billing Manager -1
Manual
Detective
Daily
P17
IC13
All corrupted EDRs on Mediation device should be formally reported before bill run
Prepare a report on all EDRs, which are beyond error correction together with relevant explanations at the time of the bill run.
Billing Manager and CFO
Manual
Detective
P17
IC14
A proper review of Business Rules for filtering of non billable EDRs is performed.
Manual
Detective
Monthly
Business rules and filters setup for non-billable traffic are reviewed and formally approved
P17
IC16
The mediation device or billing system includes an automated control that checks the time gaps between EDRs (calls or data traffic) and compares them to a certain threshold. If the time gap is too big (> threshold, e.g. no calls for more than half hour) the control should send out a critical alarm. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Billing Staff
Daily
Upon occurrence, exception / alarm reports on time gaps of EDRs are reviewed and formally approved OR if a daily report comes out, a daily report is reviewed and formally approved
P17
IC17
The test call matrix consists of a relevant sample of test calls (as well as other types of traffic e.g. SMS, MMS, etc) which are followed up from Switch up to the Billing System. Best practice is to use a test call generator to generate all possible call scenarios. In case no test call generator is used, the test call matrix contains the call scenarios that represent at least 90% of all traffic (data traffic included).
Billing Manager -1
Manual
Detective
Monthly
- Test call matrix document outlining the type of tests that need to occur and the sample method.
- Test call results are reviewed and formally approved (test call matrix along with print screens from the billing system call details)
P17
IC18
Identify the source of the rejected EDRs and try to resolve the problem in order to prevent the event from happening in the future. Furthermore, the rejected EDRs should be recuperated if possible. This process should occur continuously and the events that happen the most should be tackled first.
Billing Staff
Daily
Rejected EDRs report (Billing system level) is reviewed and formally approved
P17
IC20
Monitoring of high usage looks at value, but also at minutes and transactions (and must cover both prepaid as well as postpaid). Specific thresholds are applied (based on approved high usage policy & procedures) and subscribers surpassing the thresholds are followed up. Appropriate actions are taken, such as contacting the subscriber for an explanation or even barring the subscriber. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Credit and Collection Manager -1
Daily
High usage report summarizing high usage activity and the actions taken is reviewed and formally approved
P17
IC21
Usage of test SIMs is monitored and evaluated to detect any misuse. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Revenue Assurance
Monthly
P17
IC22
Sample testing pre and post bill run (testing completeness and calculation of invoice)
The accuracy of the invoices is verified on a sample basis. The sample should represent a variety of billing scenarios. A log should be maintained for any errors identified.
Billing Manager
Manual
Detective
Pre and Post bill run sample testing reports and results are reviewed and formally approved
P17
S0C4
All discounts (not part of a discount plan) are reported in a specific exception report on a daily basis. This report must be based on a predefined query.
Consumer Manager
Daily
Formal report of all exceptional discounts given is reviewed and formally approved
P17
SC07
Record all future movement of revenues (e.g. connection fees) based on the MIC Policy
Future movements of revenues (e.g. connections fees) are computed and reported in a schedule, which is used for recognizing and booking the corresponding entries based on the MIC accounting policy.
CFO-1
Manual
Detective
Monthly
Reconciliation between future movement schedule and accounting entries is reviewed and formally approved
P17
SC09
The Switches (and other EDR generating nodes) must number their call records sequentially. A control is performed by the mediation device to verify whether the sequence is respected (completeness of EDRs). This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Billing Manager
Daily
P17
SC10
Automated check for duplicate EDRs
The database of the billing system (or mediation) is checked for duplicate EDRs based on certain fields in a call record that are equal. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Billing staff
Daily
Upon occurrence, alarm reports on duplicate EDRs are reviewed and formally approved OR if a daily report comes out, a daily report is reviewed and formally approved
P17
SC15
Reconcile the input of mediation device against the output by EDR category. This reconciliation is common for all types of traffic (i.e. Postpaid, Interconnect and Roaming). This reconciliation is the standard MIC input / output report and must occur in numbers of EDRs, minutes and (kilo) bytes where applicable.
Billing Manager
Daily
Reconciliation report (Mediation Input Vs Mediation Output) is reviewed and formally approved
P17
SC19
All rejected EDRs on billing Platform should be formally reported before bill run
EDRs not corrected are reviewed by CFO and Local Revenue Assurance Manager before clearing them from the Billing System (based on delegation of authority and local regulations).
Manual
Detective
Rejected (and not corrected) EDRs report is reviewed and formally approved
P17
SC23
Check that all the revenue movements in the Billing cycle are captured
Ensure that all the revenue movements in the Billing cycle are captured and that all the pending subscription fees (e.g. flat fee services and packages) are included in the settlement invoice.
Billing Manager
Reconciliation of billable flat fees and flat fees actually billed during the bill run is reviewed and formally approved
P17
SC24
Check that all subscribers are included in a billing cycle
Reconciliation of subscribers in the subscriber database against the subscribers covered by the bill runs in order to verify whether all subscribers are assigned to at least one of the bill runs.
Billing Manager
P17
SC25
Reconciliation provisioning prepaid platform with bills generated by the billing system for fixed bills
Validate fixed bills generated for fixed bill subscribers in the prepaid billing system to ensure that the reload (top-up) at the beginning of the month reconciles to the invoices generated at the end of the month.
Billing Manager
Reconciliation report (fixed bills amounts with balance reloads of fixed bill subscribers) is reviewed and formally approved
P17
SC26
Reconciliation between the mediation output with the billing system input and Output
Reconciliation of output from the Mediation device with the input and Output into the Billing Systems in number of EDRs and in number of minutes and (kilo) bytes where applicable. This is a standard MIC input / output report.
Billing Manager
Daily
Reconciliation report (Mediation output Vs Billing system input and output) is reviewed and formally approved
P17
SC27
Reconciliation between invoices generated versus invoices printed and sent out (including electronic invoices sent through the email).
Billing Manager
Reconciliation report (invoices generated Vs invoices sent out) is reviewed and formally approved
P17
SC28
A report with the status of all overdue subscribers is generated. Their status is compared to the theoretical status they should have as per the barring / dunning policy, i.e. it should be verified whether all subscribers that are overdue with their invoice payment are barred in time.
Credit and Collection Manager
Weekly
Overdue subscriber report with actual status is reviewed and formally approved
P17
SC29
Review non-billable subscribers' traffic (i.e. traffic from subscribers that do not need to pay for certain or all services) and ensure related revenue is not in accounting
All non-revenue generating traffic related to specific subscribers that are not billed (cf. MIC policy) is formally reported and approved. This control must be done before transactions are transferred in the accounting system so that only revenue generating transactions are posted.
Detective
P17
SC30
All bookings should be first prepared in draft and then approved by the CFO-1 before being booked in the G/L (this should be performed in both cases where there is an interface between the Postpaid system and the accounting system or if this is a manual booking into the accounting system).
CFO-1
Manual
Preventive
Specific approval form for bookings is reviewed and formally approved AND/OR Adequate access security / segregation of duties setup in the accounting system (i.e. only the CFO-1 can actually post journal entries) is reviewed and formally approved
P17
SC31
Revenue data in the Billing System is reconciled with the Accounting System (both accruals and invoices)
The relevant bookings in the G/L are reconciled with their source, i.e. the billing system and the invoices and accruals generated by it. This reconciliation must also reconcile the classification of revenue in both systems.
CFO
Manual
Detective
Reconciliation report (Billing system Vs Accounting system) is reviewed and formally approved
P17
SC32
Reconcile the output of Switch against input of mediation device by EDR category. This reconciliation is common for all types of traffic (i.e. Postpaid, Interconnect and Roaming). This reconciliation is the standard MIC input / output report and must occur in numbers of EDRs, minutes and (kilo) bytes where applicable.
CTO-1
Daily
Reconciliation report (Switch Output Vs Mediation Input) is reviewed and formally approved
P18
IC02
Determine commercial feasibility of tariff changes/add
All new / changed tariffs are subject to a profitability impact analysis by Go-To-Market. The analysis must be reviewed and approved.
Category Manager
Manual
Preventive
Results of the profitability impact analysis of new/changed tariff is reviewed and formally approved
P18
IC04
Manual
Preventive
Request forms (for changes / additions to tariff (plans)) are reviewed and formally approved
P18
IC07
All manually initiated changes to subscriber balances require prior approval of the Customer Support. Manual changes are all changes that are not part of the normal automated logic of using and uploading balances. This covers adjustments and initiating batches for promotions and discount corrections. Note: The approval has to be in line with the MIC Policy No.B4.3.2. based on the thresholds set.
Customer Support
Manual
Preventive
Requests for manually initiated changes to prepaid subscriber balances are reviewed and formally approved
P18
IC10
Prepaid traffic which cannot be rated, and for which a default rate can't be applied, is reported.
Billing Manager
Manual
Detective
Monthly
P18
IC14
The test transaction matrix consists of a relevant sample of event scenarios (as well as other types of transactions e.g. Voice, SMS, MMS, GPRS, recharge vouchers, e-pin) that is executed each month, which are followed up from switch up to the Prepaid platform (or independent comparison of test call records from matrix with IN system and in case of any missing records, trace back on Switch or Mediation). The test transaction matrix contains the scenarios that represent at least 90% of all transactions. The billing manager ensures the forfeiture is taking place as per card expiry.
Billing Manager -1
Manual
Detective
Test matrix document and test transaction results are reviewed and formally approved
P18
IC15
Billing Manager
Monthly
Report for de-activation / expiry of scratch card/e-pins is reviewed and formally approved
P18
IC20
Before generating new PINs and registering these on the network, the Category Manager should approve this action.
Category Manager
Manual
Preventive
P18
IC24
There is a proper management approval for activation of PINs in the prepaid platform. The Warehouse Manager is responsible for informing the Billing Manager.
Warehouse Manager
Manual
Preventive
Before PINs are activated
PINs activation request is reviewed and formally approved
P18
IC26
A formal commercial policy is drafted and approved. This policy outlines the rules for accepting a dealer (credit checks that the dealer needs to pass, reputation considerations, etc). Secondly the policy also puts forward the acceptable commissions that can be granted per type of dealer or per the size of purchase.
Go to Market responsible
Manual
Preventive
P18
IC27
Credit vetting is performed based on the criteria set in the Commercial Policy
For each new dealer recommended by the Go-To-Market / sales department, a formal credit check is performed by the credit and collection manager to review and assess the credit status and reputation of the dealer as per the Commercial policy for accepting dealers. A specific Yes/No answer field on the credit assessment form flags if a dealer is in line with the policy or not. The credit assessment is approved by the Credit & Collection Manager before appointment of the dealer.
Credit & Collection Manager
Manual
Preventive
Credit status of dealer is documented in the Credit assessment form and reviewed and formally approved before appointment of the dealer
P18
IC28
Approval taken from Management for appointing the Dealer
A specific exception report (that needs to be approved) exists on the acceptance of dealers that do not comply with the commercial policy / credit limits check. This document is validated by the CFO and the GM.
GM & CFO
Manual
Preventive
Acceptance of dealers that do not comply with the commercial policy / credit limit checks is reviewed and formally approved
P18
IC29
A standard (predefined query) report with all commission parameter changes is generated and signed off on a daily basis. This is appropriate in case of automated control for commission calculation.
Category Manager
Manual
Detective
Daily
Formal report on all commission parameter changes is reviewed and formally approved
P18
IC30
Before transferring the credit to dealers e-Pin account, the credit and especially the commission calculation (i.e. the difference between the payment and the proposed credit) are approved by the Consumer Manager or Finance Responsible (CFO-1) to validate that the commission is in line with the commercial policy, and that an actual payment has occurred. The proof of the actual payment (e.g. bank statement, cash receipt, etc) is attached. This control is for manual commission calculations only.
Financial Responsible (CFO-1) or Consumer Manager
Manual
Preventive
E-Pin request form (including credit to transfer and commission calculation) is reviewed and formally approved
P18
IC33
Validate identity of e-Pin credit transferred of credit and authentication of transfer and e-Pin deduction occurs before e-Pin addition
The SMSC and prepaid platform (and if relevant the e-Pin platform) will process the request for a balance transfer and verify the identity of the transferor, validity of the request and credit balance. Typically, the transferor is identified based on his MSISDNS and the transfer request is authenticated by means of a secret pin code provided in the SMS. To ensure that the deduction of the e-Pin accounts happens prior to the additions to subscriber accounts, the debit should precede a credit for every transaction. This should be tested each time the system changes.
Automated
Preventive
System documentation explaining the identification and authentication procedures is reviewed and formally approved
P18
SC01
Reconciliation of MSISDNs, subscribers profile and status in Switch subscriber db and prepaid and postpaid billing platform
The MSISDNs, subscriber's profiles and status (Active/Inactive) in the switch subscriber DB (HLR) and prepaid/postpaid Billing platform are reconciled by the billing manager. The Billing manager should review exceptions and propose corrective actions to IT and Network. Any corrective actions should be formally documented. Note: Ring Back Tone should also be reconciled (between RBT server, IN, Billing System and the Switch). For practical reasons the profile and MSISDNS reconciliation for prepaid and postpaid should be done at the same time.
Billing Manager
Daily
Reconciliation report (MSISDNs, subscribers profile and status in Switch and Billing environments) is reviewed and formally approved
P18
SC03
Changed or new tariff (plans) may have an impact on the way revenue is recorded. As such, Finance needs, as per the MIC accounting policy manual, to assess the impact of a tariff change.
CFO
Manual
Preventive
Results of the accounting treatment impact analysis of new/changed tariff is reviewed and formally approved
P18
SC05
Changed / added tariffs report
A standard (predefined query) report with all tariff changes (including interconnect, roaming, prepaid, postpaid and wireless) is generated and signed off. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Category Manager
Manual
Detective
Daily
P18
SC06
Reconciliation between EDRs generated by the prepaid platform and the ones generated by the Switch / SMSC / MMSC / GPRS (depending upon network architecture)
A reconciliation between EDRs generated by the prepaid platform and the ones generated by the Switch (or other EDR generating nodes on the network, e.g. SMSC, MMSC, GPRS Nodes, etc) should be performed in order to ensure integrity of transfer between both systems. The reconciliation should occur both in numbers of EDRs as well as in number of minutes and (kilo) bytes where applicable. Wherever it is applicable for content, there should be a reconciliation of SMS_MT with the Switch and IN EDRs.
Billing Manager
Daily
Reconciliation report (EDRs generated by the prepaid platform and the ones generated by the Technical Network nodes) is reviewed and formally approved
P18
SC08
A predefined query reports all manual changes to subscriber balances. Issued report is reviewed and validated.
Daily
Report of all manual changes to the subscriber balances is reviewed and formally approved
P18
SC09
Review reasons for all subscriber with negative balance (or subscribers credited to 0 balance) and obtain validation by appropriate level of management
All negative balances for prepaid subscribers should be reviewed on a regular basis. This also includes the instances where subscribers would normally have a negative balance but received a 0 balance because the prepaid platform does not allow / cannot handle negative balances.
Billing Manager -1
Weekly
Report including negative and null balances is reviewed and formally approved
P18
SC11
Formal report on all free traffic, zero rated traffic, default rated traffic
Free traffic is traffic for which a subscriber is not rated at all. A call is zero rated if a zero tariff is applied to the call. Default rated traffic is traffic for which no applicable rate could be found but where instead (in order to ensure service) a default rate was applied. If the system is not set up for free traffic, zero rating or default rating, then the weekly reports should not be run and instead documentation should be provided proving that the system is not doing so. Note: This control just as all the other ones is relevant for all types of traffic and not only voice calls.
Billing Manager
Weekly
Report listing free calls and zero rated calls (allowing to review these and to take corrective actions) is reviewed and formally approved. If the system is not set up for free traffic, zero rating or default rating then the weekly reports should not be run and instead documentation should be provided proving that the system is not doing so. This documentation is reviewed and formally approved by the billing manager on a quarterly basis.
Testing results of the post-hoc sample re-rating of the traffic are reviewed and formally approved
P18
SC12
There is a regular post-hoc testing / re-rating of the prepaid traffic of one day; this should be performed on a monthly basis. I.e. one day is selected (as a sample) and for that day all calls are re-rated. The result is reconciled with the actual result of that day. Note: This control just as all the other ones is relevant for all types of traffic and not only voice calls.
Billing Manager
Manual
Detective
Monthly
P18
SC13
The prepaid platform must number their event records sequentially (Note: this numbering could e.g. be based on the billing ID, and does not need to reflect switch EDR sequential numbering). This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Billing Manager
Daily
Description and system documentation (technical / functional description) on how the alarm / exception report works. Exception report on missing sequence numbers is reviewed and formally approved.
P18
SC16
Accounting entries with regard to expired revenue are reconciled with actual subscriber balance and scratch card / PIN expirations on the prepaid platform
The accounting entries for expired revenue must be based on and reconciled with actual balance and scratch card / PIN expirations on the prepaid platform, i.e. the deferred income that is taken into revenue via the accounting entry must be reconciled with balance deductions on the user accounts or scratch cards registered in the prepaid platform.
CFO
Monthly
Reconciliation report (expired balances and scratch cards/PINs in Prepaid platform and expired revenues booked in Accounting) is reviewed and formally approved
P18
SC17
Reconciliation between prepaid usage and the delta of the opening and closing balance of accounts
The following reconciliation should be performed: The opening balance - usage (voice and data) + top-ups + promotional credits +/- subscriber balance adjustments - expired subscriber credit = closing balance.
Billing Manager and Finance Responsible (CFO-1)
Daily
The reconciliation (prepaid usage and the delta of the opening and closing balance of accounts) is reviewed and formally approved
P18
SC18
All bookings should be first prepared in draft and then approved by the CFO-1 before being booked in the G/L.
CFO-1
Manual
Preventive
Monthly
P18
SC19
Prepaid platform report is reconciled with the accounting system
The relevant bookings in the G/L are reconciled with their source, i.e. the prepaid platform. This reconciliation must also reconcile the classification of revenue in both systems. Note: It should also include the Tigo Lends You platform report when reconciling the deferred revenue.
CFO
Manual
Detective
Monthly
Reconciliation report (Accounting Vs. Prepaid platform) is reviewed and formally approved
P18
SC21
Formal policies, procedures and documentation related to scratch card PINs / HRNs security (platform documentation, procedure for generating PINs, authority of accesses, access security controls and/or encryption, etc.) should be formalized and reviewed on a bi-annual basis.
IT Security Staff
Automated
Preventive
Documentation of access rights to PINs/HRNs, actual security settings in the system(s) involved and documentation of the encryption method used to send PINs / HRNs to the warehouse are reviewed and formally approved
P18
SC22
The scratch cards and e-vouchers receive a sequential serial number in the prepaid platform
The scratch cards and e-vouchers have unique identification numbers as defined in the functionality of the prepaid platform.
Technical team
Automated
Preventive
P18
SC23
Reconciliation between PIN generated value on IN (including status) and those approved by marketing and then received in inventory
There is reconciliation between the scratch cards received in inventory against the PINs generated by the prepaid platform or PIN Generator. Also, this is checked against the approved PIN/HRN request (IC20). The Warehouse Manager performs this control, whilst the Financial Responsible (CFO-1) has to review and approve this reconciliation.
Detective
Reconciliation report (PINs received in Inventory Vs. PINs generated Vs. Approved requests) is reviewed and formally approved.
P18
SC25
Duplicated usage of scratch cards / PINs is reported and reviewed on a regular basis.
Billing Manager
Daily
P18
SC31
A reconciliation is performed between money receipt in Billing System (Cash Management) against the e-pin credit given to the dealers.
CFO-1
Manual
Detective
Daily
Reconciliation report (money receipt in Billing against e-pin credit given in Platform) is reviewed and formally approved
P18
SC32
A reconciliation at the account level is performed as per the following: Opening Balance minus transfer out plus transfer in plus/minus adjustments (if any) equals the closing balance. Revenue Assurance reviews and ensures that actions are taken.
Billing Manager and CFO-1
Manual (electronic evidence)
Detective
Daily
Reconciliation report at account level (epin opening balance - transfer out + transfer in +/- adjustments = epin closing balance) is reviewed and formally approved
P18
SC34
E-Pin output is reconciled with Prepaid Platform Input
Reconciliation of the output from the e-Pin System against input for the prepaid platform. This reconciliation must occur in values and at the subscriber account level.
Billing Manager
Daily
Reconciliation report (E-Pin output Vs. Prepaid Platform Input) is reviewed and formally approved
P19
IC01
For each new postpaid Wireless subscriber recommended by the commercial department, a formal credit check is performed based on the approved Commercial policy to review and assess the credit status and reputation of the subscriber.
Credit and Collection Manager -1
Manual
Preventive
P19
IC02
A specific exception form exists on the acceptance of subscribers that do not comply with the Commercial policy / credit check limits
A specific exception report (that needs to be approved) exists on the acceptance of subscribers that do not comply with the commercial policy / credit check limits. This report is based on a predefined query.
Credit & Collection Manager
Manual
Preventive
P19
IC03
A specific exception form exists on the acceptance of exceptional discounts that do not comply with the Commercial policy
A specific exception form (prepared and justified by the Sales department) exists on the acceptance of exceptional discounts that do not comply with the Commercial Policy.
Manual
Preventive
For each new subscriber allocated an exceptional discount
Exceptional discount acceptance form is reviewed and formally approved
P19
IC04
Discount Report
All discounts (not part of a discount plan) are reported in a specific exception report on a daily basis. This report must be based on a predefined query.
Consumer Manager
Daily
Formal report of all exceptional discounts given is reviewed and formally approved
P19
IC05
Check if installation material is assigned to subscriber
All additional material used at the time of installation should be charged during provisioning.
Billing team
Manual
Preventive
P19
IC06
All manually provisioned changes to critical subscriber data are automatically reported and reviewed
All manually provisioned changes to critical subscriber data (in the switch or billing environment) are automatically reported and reviewed. The review verifies whether the reported provisioned changes equal the approved subscriber data change requests. Critical subscriber data is (but not limited to): name, address, services and status.
Consumer Manager
Daily
Formal report of all provisioned changes in both the switch and billing environment is reviewed and formally approved. Each provisioned change is matched with an approved change request.
P19
IC09
There is a check over additional material charging if it is required during the installation.
Billing Staff
Charging report on additional material required during the installation is reviewed and formally approved
P19
IC10
Sample testing pre and post bill run (testing completeness and calculation of invoice)
The accuracy of the invoices is verified on a sample basis. The sample should represent a variety of billing scenarios. A log should be maintained for any errors identified.
Billing Manager
Manual
Detective
Pre and Post bill run sample testing reports and results are reviewed and formally approved
P19
IC11
Check that all subscribers are included in a billing cycle
Reconciliation of subscribers in the subscriber data against the subscribers covered by the bill runs in order to verify whether all subscribers are assigned to at least one of the bill runs.
Billing Manager
P19
IC17
Verify whether installation is assigned to client before picking up CPE from the warehouse
There is a verification that CPE given out for installations corresponds to a real customer. CPE are given to technicians upon a valid installation order which is amended and signed off by the Warehouse manager (a copy is kept at warehouse for filing).
Warehouse Manager
Manual
Preventive
Installation orders are amended and formally approved by the Warehouse manager before providing a CPE
P19
IC18
Reconcile disconnection instructions with received CPEs in warehouse and ensure allocation of charges for non received CPEs
Credit and Collection Manager
Weekly
Reconciliation report (disconnection instructions with received CPEs in warehouse) is reviewed and formally approved
P19
SC07
Reconciliation subscriber numbers and profiles in wireless network routers and billing system
Reconciliation subscriber numbers and profiles in wireless network routers and billing system. This includes the number reconciliation, Status, and speed.
Billing Manager
Daily
Reconciliation report (subscriber numbers in wireless network routers and billing system) is reviewed and formally approved
P19
SC12
Comparison of invoices generated in the billing system against the invoices printed and sent out.
Billing Manager
Reconciliation report (invoices generated Vs invoices printed and sent out) is reviewed and formally approved
P19
SC13
P19
SC14
Review non billable subscribers traffic (i.e. traffic from subscribers that do not need to pay for certain or all services) and ensure related Validation of prepared bookings by CFO-1
All non-revenue generating traffic related to specific subscribers that are not billed (cf. MIC policy) are formally reported and approved. This control must be done before transactions are transferred in the accounting system so that only revenue generating transactions are posted. All bookings are first prepared in draft and then approved by the CFO -1 before being booked in the G/L.
CFO-1
Manual
Preventive
Specific approval form for bookings is reviewed and formally approved AND/OR Adequate access security / segregation of duties setup in the accounting system (i.e. only the CFO-1 can actually post journal entries) is reviewed and formally approved Reconciliation report (Billing system Vs Accounting system) is reviewed and formally approved
P19
SC15
Revenue data in the billing system (both accruals and invoices) is reconciled with the accounting system
The relevant bookings in the G/L are reconciled with their source, i.e. the billing system and the invoices and accruals generated by IT. This reconciliation also reconciles the classification of revenue in both systems.
CFO
Manual
Detective
P19
SC16
On a weekly basis a formal review is performed on the status of all overdue subscribers as defined by the collection / barring policy.
Weekly
P1b
Payroll Outsourced
IC01
Personnel additions (Local Senior Management and Regional equivalents) are approved
Subsequent to the approval of RAR, the package for the new Local Senior Management and Regional equivalents is approved.
Preventive
Each new recruitment of new Local Senior Management and Regional equivalents
Packages related to the hiring of Local Senior Management and Regional equivalents are reviewed and formally approved and related contracts are in line with approved packages.
Each new recruitment of employee different than Local Senior Management and Regional equivalents
Contracts with new employees, other than Local Senior Management and Regional equivalents, are reviewed and formally approved.
P1b
Payroll Outsourced
IC02
Personnel additions (other than Local Senior Management and Regional equivalents) are approved
Subsequent to the approval of RAR, the package for the employees other than Local Senior Management and Regional equivalents is approved.
Manual
Preventive
P1b
Payroll Outsourced
IC03
Performance evaluation forms are approved by Head of Departments
The Head of Department reviews and approves the evaluation forms of his/her team, and then sends the evaluation forms to HR Responsible.
Head of Department
Manual
Preventive
Annually
P1b
Payroll Outsourced
IC04
Business Owner reviews the commissions and other variable pay elements (overtime, paid off, sickness, holidays, absence, personnel expenses).
Manual
Preventive
Monthly
Commissions and other variable pay elements reports are reviewed and formally approved. Calculation of effective bonuses allocated to the Local Senior Management and Regional equivalents is reviewed and formally approved.
P1b
Payroll Outsourced
IC05
Effective bonuses and related calculation are approved
Calculation is made based on bonus performance criteria agreed and communicated by Headquarters. The performance of the operation is calculated and communicated by Headquarters, the individual performance discussed and agreed at operation level. Calculation of effective bonuses for Local Senior Management and Regional equivalents is prepared locally and reviewed by the Regional Manager and approved.
CEO and Head of Performance and Reward
Manual
Effective bonuses and related calculation are approved
Calculation is made based on bonus performance criteria agreed and communicated by Headquarters. The performance of the operation is calculated and communicated by Headquarters, the individual performance discussed and agreed at operation level. Calculation of effective bonuses for employees below Local Senior Management and Regional equivalents is prepared locally and reviewed and approved by GM.
Payroll Coding Assignments are reviewed by department
GM
Manual
Preventive
Annually
P1b
Payroll Outsourced
IC06
Preventive
Annually
Calculation of effective bonuses allocated to people below the Local Senior Management and Regional equivalents is reviewed and formally approved.
P1b
Payroll Outsourced
IC08
The mapping between the job positions within the company and related cost center code is reviewed by the Human Resources department (GM-1 or GM-2).
Human Resources department (GM-2)
Manual
Preventive
Quarterly
Mapping between job positions and related cost center code is reviewed and formally approved.
P1b
Payroll Outsourced
IC11
Returns and filings prepared by the service organization are reviewed for reasonableness
Returns and filings are reviewed by Human Resources department for reasonableness and unusual items. Note: All the Employee (Direct, Indirect, Consultants) related Taxes and Social Security commitments must be calculated. Employee Taxes (PAYE, WHT etc) of Local as well as Expatriate employees must be calculated.
Human Resources department (GM-2)
Manual
Detective
Every Filing
Copies of the returns kept on file are reviewed and formally approved.
P1b
Payroll Outsourced
IC13
Monthly payroll activity is compared to previous periods
Human Resources Staff analyses payroll monthly report against payroll report of previous period. All variances greater than 10% should be investigated and explained.
Manual
Detective
Monthly
Analytical review with explanation for significant variances is reviewed and formally approved.
P1b
Payroll Outsourced
SC07
Changes in employment status and variable pay elements are approved before communication to Third Party Service Provider
1) HR Responsible reviews and authorizes the following changes in employee status/package (salary, variable pay elements, benefits, etc) before they are communicated to the Third Party Service Provider:
- Changes due to employee dismissal / termination (removal of the employee from the employee list)
- Changes due to employee recruitment (formalization of new employee contracts)
- Changes due to annual performance evaluation (approval of annual performance evaluation forms)
- Changes due to employee promotion
- Changes due to employee leveling
- Changes due to employee move from one department to another
2) HR Responsible reviews the commissions and other variable pay elements (overtime, paid off, sickness, holidays, absence, personnel expenses and bonuses).
3) Deduction rates, as well as rates for external requirements, social payments and others, are reviewed every time there is a change, to identify eventual changes or errors in the rates.
4) HR Responsible reviews and ensures follow up of cases for recorded complaints of employees.
Human Resources Responsible (GM-1)
Manual
Preventive
Monthly
- Employee identification sheet, status change request documents ('Personnel action' form) are reviewed and formally approved.
- All other variable pay elements reports to be communicated to the Third Party Service Provider are approved
- Printed copy of discount rate's file is approved
- Complaint book is properly approved
P1b
Payroll Outsourced
SC09
Sample of payroll amounts are recomputed and traced to information as per personal files
HR manager recomputes a sample of 3 payroll amounts for clerical accuracy and agrees details with information in personal files.
Manual
Detective
Monthly
Copy of pay slip from selected employee retained on file with evidence of review is reviewed and formally approved.
P1b
Payroll Outsourced
SC10
Bonus accrual computation is reviewed
The Human Resources department prepares the bonus accrual computation based on expected performance.
Manual
Preventive
Quarterly
P1b
Payroll Outsourced
SC12
Pay slip for each individual must be reconciled to fund request form detail and total cash disbursement
Pay slips for each individual must be reconciled to fund request form details and to the total cash disbursement.
Manual
Detective
Monthly
P1b
Payroll Outsourced
SC14
Fund request form is approved by Human Resources department (GM-1 or GM-2) and CFO.
All billing complaints accepted by Consumer undergo an additional validation by the billing department.
Manual
Preventive
Monthly
Report is reviewed and formally approved.
Subscriber billing complaints are reviewed
P20
Adjustments
IC01
Manual
Detective
P20
Adjustments
IC02
Review proposed billing adjustment for prepaid / postpaid / e-pin / wireless subscribers
All Billing Adjustments for all services arising from issues detected by means of the internal controls are validated and approved.
Billing Manager
Manual
Preventive
Prepaid / postpaid / e-pin / wireless billing adjustment form is reviewed and formally approved
P20
Adjustments
IC03
All roaming and interconnect billing adjustments are validated and approved by the CFO and the billing manager.
Manual
Preventive
P20
Adjustments
IC04
Additional approval of massive billing adjustment
In case e-pin, prepaid, postpaid or wireless billing adjustments have an impact on multiple subscribers, an analysis report needs to be approved by the GM and the Customer Manager. An audit log should be kept for every massive adjustment using a batch / script for review purposes. Massive = adjustments that affect multiple subscribers at the same time. Typically, this is the case where the number of adjustments is so high that it is favorable to automate the adjustment in a batch / script instead of performing the adjustments one by one.
GM and Customer Manager
Manual
Preventive
P20
Adjustments
IC06
All billing adjustments as per the systems are reported and matched with the corresponding approved requests for adjustments (i.e. IC1-IC4).
CFO
Manual
Detective
Monthly
Reconciliation report (billing adjustments vs. corresponding approval forms) is reviewed and formally approved
P20
Adjustments
SC05
Billing adjustments are validated/ reviewed and approved based on MIC Policy.
Manual
Preventive
P20
Adjustments
SC07
Validation of prepared Journal Voucher for CN/DN bookings
All the accounting records in relation to CNs or DNs are verified by the CFO -1 before posting into the GL.
CFO-1
Manual
Preventive
Monthly
P20
Adjustments
SC08
CN / DN in the billing systems are reconciled with the accounting system
A reconciliation of the credit and debit notes in the different billing systems with the credit and debit notes recorded in the accounting system.
CFO
Manual
Detective
Monthly
Reconciliation report (CN/DN in billing systems Vs accounting system) is reviewed and formally approved
P21
IC01
The functional and technical description of the batch or report that is used for subscriber reporting must be aligned with the MIC subscriber reporting policy. IT should sign off on this technical description on their understanding of the MIC policy. Finance and Consumer must sign off on their understanding of the functional description and the alignment of this description with the MIC policy.
IT Manager and Consumer Manager and CFO-1
The number of subscribers as recorded in the Reporting package is analytically reviewed by CFO and GM as part of the Reporting package validation and approval before sending out the Reporting package.
GM and CFO
Manual
Preventive
Each time a change occurs to the report, module or batch that generates this report
Functional and technical description of the report or batch (vs. subscriber reporting policy) is reviewed and formally approved
P21
IC02
Subscribers numbers as recorded in the reporting package are reviewed and approved by CFO and GM as part of the Reporting Package validation and approval
Check compliance with accounting principles
Manual
Detective
For each reporting package (i.e. weekly report and monthly report)
Weekly and monthly reporting packages are reviewed and formally approved
P21
IC03
The functional and technical description of the batch or report that is used for subscriber reporting must be aligned with the accounting principles. IT should sign off on this technical description on their understanding of the accounting principles. Finance and Consumer must sign off on their understanding of the functional description and the alignment of this description with the accounting principles. The reported subscribers are validated by the Consumer manager. Then, the recording of the number of subscribers should be first prepared in draft and then approved by the CFO before being actually recorded or disclosed.
Manual
Preventive
Each time a change occurs to the report, module or batch that generates this report
Functional and technical description of the report or batch (vs. accounting principles) is reviewed and formally approved
P21
IC04
Manual
Preventive
P22
Intercompany
IC02
Manual
Preventive
Each IC invoice
P22
Intercompany
IC03
Intercompany reconciliation is approved by Accounting Responsible
On a monthly basis, Accounting Responsible approves the intercompany BS and PL reconciliation (Excel spreadsheet supported by e-mails exchanged) communicated by the Accounting Staff. The purpose is to ensure that all intercompany balances and transactions are reconciled, enabling proper elimination on consolidation.
Accounting Responsible (CFO-1)
Manual
Detective
Monthly
P22
Intercompany
SC01
The IC contract is signed off by both parties (concerns only loan and TSF).
CFO
Manual
Preventive
P23
IC01
Accounting responsible validates fair value of unquoted securities by reviewing the inputs to the models used
Manual
Preventive
Monthly
P23
SC02
CFO reviews assumptions and approves final computation
CFO reviews assumptions and approves final computation.
CFO
Manual
Preventive
Monthly
P24
IRU
SC01
The list of installations completed during the month is reviewed
On a monthly basis, region technical responsible prepares a list of installations completed during the month. This document is reviewed and approved by the AMNET Region CFO before being communicated to the region accounting department.
AMNET Region CFO
Conclusions on IRU classification (service agreement vs lease) are reviewed
The IRU agreements are reviewed in order to assess whether the IRU should be considered as a lease or a service agreement. Conclusions on IRU classification must be in line with MIC Policy Manual, properly documented by the accountant of the company that is purchasing the IRU and approved.
The IRU agreements are reviewed in order to assess whether the lease should be considered as a financial lease or an operating lease. Conclusions on lease classifications must be in line with IAS 17, properly documented by the accountant of the company that is purchasing the IRU and approved.
AMNET Region CFO
Manual
Monthly
List of installations completed during the month reviewed and formally approved.
P24
IRU
SC02
Manual
Conclusions on IRU classification in accordance with MIC Policy Manual reviewed and formally approved.
P24
IRU
SC03
Conclusions on lease classification in accordance with IAS 17 (capital vs operating lease) are reviewed
Manual
Conclusions on lease classification in accordance with IAS 17 reviewed and formally approved.
P24
IRU
SC04
The leasing amortization table prepared by Accounting Staff for financial lease according to the lease agreement's terms and conditions is approved.
Local CFO of the company purchasing the IRU
Manual
P24
IRU
SC05
The computation of the straight line rent prepared by Accounting Staff for operating lease according to the lease agreement's terms and conditions is approved.
Local CFO of the company purchasing the IRU
Manual
P24
IRU
SC06
Every time there is a change to existing IRUs / Network capacity agreements are reviewed by Region Category Manager to identify changes in existing IRU and assumptions. The list of changes is approved by AMNET Region CFO
Manual
The list of changes to existing IRU and assumptions reviewed and formally approved.
P24
IRU
SC07
IRU assets that are impaired / no longer in use are reviewed
On a quarterly basis, IRU assets are reviewed by Accounting Staff to identify any assets that are impaired or no longer in use. The list is approved by Local CFO.
Reconciliation between accounting and lease amortization table is reviewed
The accounts related to the IRU's Net Book Value (NBV) as per the accounting system are reconciled with the amortization table. Discrepancies are investigated and documented.
Local CFO of the company purchasing the IRU
Local CFO of the company purchasing the IRU
Manual
Quarterly
List of IRU assets that are impaired / no longer in use reviewed and formally approved. Reconciliation reviewed and formally approved.
P24
IRU
SC08
Manual
Monthly
P24
IRU
SC09
Cost allocation sheet prepared based on country requested capacity / usage is reviewed
Installation requirements are reviewed
A cost allocation sheet is prepared by the region operations technicals to summarize the IRU cost to be recharged to each country. The cost is calculated based on the country requested capacity / usage.
AMNET Region technical responsible
For each new content contracted, installation requirements are reviewed and formally approved before being communicated to the Local Technical Area.
-Regional Programming Director -COO Home or Regional CEO Home & Corporate
Manual
Monthly
P25
IC02
Manual
Preventive
P25
SC01
New contents' agreements are approved.
Agreements with content providers are reviewed and formally approved.
-Regional Programming Director -COO Home or Regional CEO Home & Corporate
Manual
Preventive
P25
SC03
List of installations completed during the month is reviewed (Line up Review)
A list of installations, removals or movements completed during the month is reviewed and formally approved. This list is then communicated to the Regional Programming department and to the Financial department. The report must include all the signals that are in the line up specifying name and position by head-end divided into analog and digital (splitting analog from digital)
Local CTO
Manual
Preventive
List of installations completed during the month reviewed and formally approved.
P25
SC04
Programming cost computation report is reviewed
Cost computation report (including both flat fee report and variable cost report) is prepared by the Programming department based on the terms of the agreement (number of subscribers per type of package / country and based on the cost per subscriber). The report is reviewed and approved.
Regional Programming Director
Manual
Detective
Monthly
P25
SC05
Monthly accrual calculation is prepared by Programming department. Conclusions are reviewed and approved. Amount is communicated to operations for booking.
Manual
Detective
Monthly
P25
SC06
Reconciliation between programmers invoices vs. Payments made and their calculation is reviewed
Reconciliation is performed between Programmers' invoices comparing them vs. the payments made during the month and the calculation made to determine those payments. Any differences are investigated and explained; any corrective actions are taken and documented. (The reconciliation must tie the following 3 primary elements: invoice, payment and calculation).
Local Accounting Manager (each country) / Local CFO (each country)
For each new or changed cable TV product, tariff and/or promotion, the Marketing department should initiate a commercial feasibility study (including cost/benefit analysis, a market study, a comparison with the competitors, etc). This study should be formally documented and approved.
Category Manager
Manual
Detective
Monthly
P26
IC01
Manual
Preventive
For each new or changed cable TV product/tariff/promotion
Results of the profitability impact analysis of new/changed tariff is reviewed and formally approved
P26
IC04
Each new or changed cable TV product, tariff and/or promotion should be approved as per MIC Policy.
Manual
Preventive
For each new or changed cable TV product/tariff/promotion
Request forms (for changes / additions to tariff (plans)) are reviewed and formally approved
P26
IC05
A formal credit check is performed for each subscriber before provisioning
For each new corporate cable TV subscriber and for each new residential cable TV subscriber with a digital cable TV package and Pay-Per-View (Pay Per View) option, a formal credit check is performed by the Credit & Collection Manager -1 before any provisioning activities. A specific exception report (that needs to be approved) exists on the acceptance of subscribers that do not comply with the commercial policy / credit check limits.
Credit & Collection Manager -1
Manual
Preventive
For each new corporate cable TV subscriber and for each new residential cable TV subscriber with a digital cable TV package and Pay-Per-View (Pay Per View) option
Credit check form is reviewed and formally approved
P26
IC06
A specific exception report exists on the acceptance of subscribers that do not comply with the commercial policy / credit check limits
A specific exception report (that needs to be approved) exists on the acceptance of cable TV subscribers that do not comply with the commercial policy / credit check limits. This report is based on a predefined query.
Credit & Collection Manager
Manual
Preventive
P26
IC07
All discounts or free usage are reviewed and approved by the Credit & Collection Manager
All discounts or free usage, given to corporate cable TV subscribers, are reviewed and approved by the Credit & Collection Manager.
Manual
Preventive
For each new corporate cable TV subscriber, receiving a discount or free usage
Report including all discounts or free usage given to the corporate subscriber is reviewed and formally approved
P26
IC08
All outstanding cable TV work orders are reported in a specific follow-up report and reviewed and approved by the Installations Head on a daily basis. This report is based on a predefined query.
Installations Head
Daily
Follow-up report on all outstanding work orders is reviewed and formally approved
P26
IC09
Check if installation material is assigned to subscriber
All additional material used at the time of installation should be charged during provisioning.
Billing Staff
Manual
Preventive
P26
IC10
All manually provisioned changes to critical subscriber data are automatically reported and reviewed
All manually provisioned changes to critical subscriber data (in the television billing system and the television network platform) are automatically reported and reviewed. The review verifies whether the reported provisioned changes equal the approved subscriber data change requests. Critical subscriber data is (but not limited to): name, address, services and status.
Consumer Manager
Daily
Formal report of all provisioned changes in both the television billing system and television network platform is reviewed and formally approved. Each provisioned change is matched with an approved change.
P26
IC11
Analyze and resolve rejected usage records at the television billing system
Identify the source of the rejected EDRs and try to resolve the problem in order to prevent the event from happening in the future. Furthermore, the rejected EDRs should be recuperated if possible. This process should occur continuously and the events that happen the most should be tackled first.
Billing Staff
Daily
Rejected EDRs report (Billing system level) is reviewed and formally approved
P26
IC15
Sample testing pre and post bill run (testing completeness and calculation of invoice)
The accuracy of the cable TV invoices is verified on a sample basis. The sample represents a variety of billing scenarios. A log is maintained for any errors identified.
Billing Manager
Manual
Detective
Pre and Post bill run sample testing reports and results are reviewed and formally approved
P26
IC23
Reconcile disconnection work orders with CPEs received in warehouse
On a weekly basis, a reconciliation is performed between received disconnection work orders with CPEs received in the warehouse. Any exceptions are analyzed and followed up.
Credit and Collection Manager
Changed/added products/tariffs/promotions report on Billing System are reviewed
A standard (predefined query) report with all existing cable TV products, tariffs and promotions is generated and signed off on a monthly basis.
Category Manager
Weekly
Reconciliation report (disconnection work orders with CPEs received in the warehouse) is reviewed and formally approved
Formal report on all tariff changes is reviewed and formally approved
P26
SC02
Daily
P26
SC03
Determine accounting impact of tariff changes/addition in cable TV products, tariffs and/or promotions (including bundled offers)
Changes or addition of cable TV products, tariffs and/or promotions (including bundled offers) may have an impact on the way revenue is recognized. As such, Finance needs, as per the MIC accounting policy manual, to assess the impact of a change in revenue recognition.
CFO
Manual
Preventive
For each new or changed cable TV product/tariff/promotion
Results of the accounting treatment impact analysis of new/changed tariff is reviewed and formally approved
P26
SC12
Reconcile subscriber numbers and profiles in television network platform and television billing system
Reconciliation of cable TV subscriber numbers and profiles between television billing system and television network platform.
Billing Manager
Daily
Reconciliation report (subscribers in the billing system vs. network platform) is reviewed and formally approved
P26
SC13
Reconciliation of usage records between television billing system and television network platform
Reconciliation of the Pay Per View usage records between the television billing system and the television network platform.
Billing Manager
Daily
Reconciliation report (usage in the billing system vs. network platform) is reviewed and formally approved
P26
SC14
Check whether charges outside of basic fee are assigned to the subscriber
There is a check over additional charges related to material required during the installation which was not included in the basic fee.
Billing Staff
P26
SC16
Reconciliation of cable TV subscribers in the subscriber data against the cable TV subscribers covered by the bill runs in order to verify whether all subscribers are assigned to at least one of the bill runs.
Billing Manager
P26
SC17
All rejected EDRs on TV Billing Platform should be formally reported before bill run
EDRs not corrected are reviewed by CFO and Local Revenue Assurance Manager before clearing them from the Billing System (based on delegation of authority and local regulations).
Manual
Detective
Rejected (and not corrected) EDRs report is reviewed and formally approved
P26
SC18
Reconciliation between invoices generated versus invoices printed and sent out
Reconciliation between invoices generated versus invoices printed and sent out.
Billing Manager
Reconciliation report (invoices generated Vs invoices printed and sent out) is reviewed and formally approved
P26
SC20
All bookings are first prepared in draft and then approved by the CFO -1 before being booked in the G/L.
CFO-1
Manual
Preventive
Specific approval form for bookings is reviewed and formally approved AND/OR Adequate access security / segregation of duties setup in the accounting system (i.e. only the CFO-1 can actually post journal entries) is reviewed and formally approved
Reconciliation report (Billing system vs. Accounting system) is reviewed and formally approved
P26
SC21
Revenue data in the television billing system is reconciled with the accounting system
The relevant bookings in the G/L are reconciled with their source, i.e. the television billing system and the invoices and accruals generated by IT. This reconciliation also reconciles the classification of revenue in both systems.
CFO
Manual
Detective
P26
SC22
A formal review must be performed on the status of all overdue cable TV subscribers
On a weekly basis a formal review is performed on the status of all overdue cable TV subscribers according to the defined collection / barring policy.
Credit and Collection Manager
Weekly
Overdue subscriber report with actual status is reviewed and formally approved
P27
Hedging
C01
Local CFO reviews the hedging memo (part A) before submission to HQ
For each new hedging instrument, the local CFO reviews the Memo part A (assessing the hedging opportunity) and signs off the part A of the memo related to the hedging activity. Local CFO also authorizes the submission of the memo to the HQ
Head Corporate Finance (HCF) reviews the hedging memo (part A) and authorizes hedging opportunities
Head Corporate Finance reviews the hedging agreement against the hedging opportunities. HCF also reviews the memo (part A) related to the hedging activities and authorizes the transaction
Region CFO
Manual
Each new Hedging instrument is mentioned in control description, any change in subsequent phase (memo part D)
The local CFO signs the part A of the memo
Each new Hedging instrument is mentioned in control description, any change in subsequent phase (memo part D)
The HEF signs the part A of the memo
P27
Hedging
C02
Manual
P27
Hedging
C03
Local legal dept ensures that the terms and conditions are properly reflected within the draft contract and gives its approval on the continuance of the process.
Manual
Each new Hedging instrument is mentioned in the control description, any change in subsequent phase (memo part D)
The local legal department signs the draft contract according to Memo part A
P27
Hedging
C04
The GFC reviews the part B of the hedging memo in order to check the compliance of the contract with IAS 39.88 criteria.
GFC
Manual
P27
Hedging
C05
The Group CFO reviews the hedging agreement together with the GFC comments and approves the transaction
Group CFO
Manual
P27
Hedging
C06
GFC reviews the hedging memo (part C) and related accounting treatment
GFC reviews the hedging memo provided by the Group Finance department and approves the qualification (fair value, cash flow, foreign currency) and the related accounting treatment.
GFC
Manual
P27
Hedging
C07
GFC reviews the hedging memo (part D), journal entry and disclosure
GFC reviews the hedging memo (part D), including data assumptions for the valuation, accounting treatment and valuation method and also reviews the related journal entries and disclosures required by IFRS 7.22 for all hedging instruments and related hedged items
GFC
Manual
Each new Hedging instrument or change in the contract / Each reporting date
P27
Hedging
C08
GFC reviews and approves the conclusion of the hedging memo (part E)
GFC
Manual
On a quarterly basis
P27
Hedging
C09
P27
Hedging
C10
P27
Hedging
C11
GFC reviews the assessment of changes and the updated version of the hedging memo (part D)
GFC reviews valuation method, journal entry and disclosures required by IFRS 7.22
GFC reviews derecognition journal entry and disclosures required by IFRS 7.22
GFC reviews the assessment of changes of the hedging memo (part D) factors leading to direct derecognition
GFC reviews valuation method, journal entry and disclosures required by IFRS 7.22 and gives the approval for the journal entries
GFC reviews the derecognition journal entry and the disclosures required by IFRS 7.22 for all hedging instruments and related hedged items
Manual
On a quarterly basis
GFC
Manual
On a quarterly basis
GFC signs the derecognition rationale and the related journal entries
GFC signs the derecognition journal entry and disclosures
GFC
Manual
At each derecognition
P28
C01
Local CEO, CFO and CTO review the accuracy of the documentation prepared to assess the tower lease back opportunities
The local CEO, CFO and CTO review the tower lease back opportunities (including business case, potential returns, etc.) and the availabilities of counterparts
Local CEO, CFO and CTO
Manual
P28
C02
Group CFO ensures that everything has been properly and entirely identified and assessed
Group CFO
Manual
P28
C03
Local CFO reviews and approves the lease back contract qualification analysis
The local CFO reviews whether the lease should be considered as a financial lease or an operating lease. Conclusions on lease classifications must be in line with IAS 17 and MIC policies.
Local CFO
Manual
Conclusions on lease classification in accordance with IAS 17 and MIC policies are approved
P28
C04
GFC reviews and approves the lease back contract qualification analysis
The GFC reviews whether the lease should be considered as a financial lease or an operating lease. Conclusions on lease classifications must be in line with IAS 17 and MIC policies. Based on the local CFO analysis.
GFC
Manual
Conclusions on lease classification in accordance with IAS 17 and MIC policies are approved
P28
C05
GFC reviews the computation and the accounting memo prepared by the Finance department for operating and finance according to the lease agreement's terms and conditions.
GFC
Manual
P28
C06
Group CFO reviews the computation, the accounting memo and the journal entries prepared by the Finance department for operating and finance according to the lease agreement's terms and conditions.
Group CFO
Manual
P28
C07
GFC reviews the disposal accounting treatment (including sales & lease back accounting specificities)
GFC reviews the disposal accounting treatment and any excess of sales proceeds over the carrying amount.
GFC
Manual
Computation is approved
P28
C08
Local CFO reviews lease computation, related journal entry and disclosures
Local CFO, according to the type of lease, reviews the Local CFO computation, in case of finance lease: - computes the discounted value (using incremental interest borrowing rate), - creates the leasing amortization table, - prepares the related journal entry, and - prepares the specific disclosures as per IAS 17 and IFRS 7; in case of finance lease: prepares the computation of the rent on a straight line basis, prepares the related journal entry and the specific disclosures as per IAS 17 and IFRS 7 Local CFO, according to the type of lease, reviews the GFC computation, in case of finance lease: - computes the discounted value (using incremental interest borrowing rate), - creates the leasing amortization table, - prepares the related journal entry, and - prepares the specific disclosures as per IAS 17 and IFRS 7; in case of finance lease: prepares the computation of the rent on a straight line basis, prepares the related journal entry and the specific disclosures as per IAS 17 and IFRS 7 Local CFO
Manual
Computation is approved
P28
C09
Manual
Computation is approved
P28
C10
Local CFO reviews the lease payment conditions changes
Local CFO approves the identified changes in the lease payment conditions occurred during the period
Manual
P28
C11
Local CFO approves the transferability of the rental agreement concerned by the transaction and the purchase request form
Local CFO
Manual
P28
C12
Local CFO and CTO check the supplier responses and approve the transaction
Manual
Agreement is approved
P29
IC04
Testing for systems, platforms, applications and databases is performed in a testing environment
For all critical systems, platforms, applications and databases, there is a testing environment:
- separated logically and/or physically from the production environment,
- which allows adequate stress, unit, end-to-end testing
- which reflects as much as possible the live environment (data in kind and quantity),
- which is available for sufficient testing time
Preventive
Print copy of the catalogue and/or description of the testing environments are reviewed and formally approved.
P29
IC10
Implementation of change/project is communicated to all relevant parties (end-users, stakeholders) to ensure they are aware of the change and its related impacts
Critical Systems Technology Responsible(s)
Manual
Preventive
Each new project/change implemented
The profiles matrix (and related rights) related to each job description are Approved
P29
IC11
The Logical Access Management policy (or security policy) is reviewed and approved to check that the management of user accounts for joiners, job changes and job termination is part of the policy (for both employees and contractors, for local and remote access...)
Technology Factory Chief
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Logical Access Management Policy (or Security Policy) is reviewed and formally approved
P29
IC26
Personal data and sensitive information are inventoried and adequately protected to ensure data confidentiality
Backup execution is reviewed
Personal data and sensitive information are adequately protected to ensure data confidentiality
Preventive
Quarterly
Security set-up for personal data and sensitive information privacy is reviewed and formally approved
P29
IC28
Backup execution results are documented in the backup journal and validated to ensure that backups are carried out on critical systems, platforms, applications and databases at least daily for data and weekly for configuration setups
Manual
Detective
Daily
P29
IC32
A Disaster Recovery Plan (DRP) is in place and is formalized
The DRP is tested on a regular basis
The formalized DRP is reviewed and approved. Note: DRP and BCP plans should be updated whenever there is a large change implemented.
The test results of the DRP are reviewed and approved
Preventive
P29
IC33
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The DRP is reviewed and formally approved
Annually
The test results of the DRP are reviewed and formally approved
P29
IC34
The Incident and Problem Management Policy and Procedures is reviewed to check that non-standard events are analyzed and resolved in a timely manner, including escalation procedures, supplier involvement if appropriate and a clear description of the process (flowchart for example)
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The Incident and Problem Management Policy is reviewed and formally approved
P29
IC35
Significant IT events or incidents and failures are monitored, communicated and resolved in a timely manner
Critical Systems Technology Responsible(s)
Manual
Detective
P29
IC36
Detective
Monthly
P29
IC39
The list of authorized software permitted for use by employees is documented and communicated
The list of authorized, tolerated and unauthorized software is formalized and reviewed
Technology Factory Chief
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
List of authorized, tolerated and unauthorized software is reviewed and formally approved
P29
IC40
The list of software installed is reviewed
The list of software installed and used on each computer and server is reviewed and reacted upon
Security Officer
Manual
Detective
Quarterly
P29
IC42
The results of scheduled jobs executions are communicated and approved
Summary of the batch jobs executions is communicated and approved to ensure batch jobs run properly
The operating procedures are reviewed and approved
Formalized operating procedures are in place and documented
Detective
Monthly
The job scheduling checklist and related results are reviewed and formally approved
P29
IC43
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Operating procedures are reviewed and formally approved
P29
IC44
An inventory listing all potential suspicious activities should be maintained to allow the monitoring of unauthorized activities
Change requests are authorized
An inventory listing all potential suspicious activities for each system should be maintained to allow the monitoring of unauthorized activities. This list should be updated based on experience and used to review unauthorized activities (P13.SC37).
Technology Factory Chief and Security Officer
Manual
Change request forms are completed, reviewed and approved
Business Owners and Stakeholders and Critical Systems Technology Responsible(s)
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Listing including all potential suspicious activities.
P29
SC01
Preventive
Change request form is Approved according to the local change management policy.
P29
SC02
Existing controls are identified, tested and redesigned if necessary
Existing controls (which may be affected by the design and implementation of changes) are identified and reported in the change request. Testing of the existing controls impacted is documented as part of the test plans in the change request. Change acceptance tests performed by Business Owners and Stakeholders include the testing of these controls. Appropriate actions are taken to modify or redesign these controls, if necessary, to retain their integrity
Manual
Preventive
Impact analysis, and if appropriate tests results, are reviewed and formally approved
P29
SC03
Change requests (including changes to critical end-user computing tools) have a test plan, a roll-out plan and a rollback plan developed prior to implementation
Test plan, roll-out plan and roll-back plan are formalized, reviewed and approved prior to implementation of the change
Preventive
Test plan, roll-out plan and fallback plan are reviewed and formally approved
P29
SC05
Testing of interfaces between systems and the corresponding results are reviewed
Interface test results are formalized and reviewed to confirm that data transmissions are complete, accurate and valid and that interfaces are working properly
Manual
Preventive
At least every 3 years, and before a new or changed interface is put into production
Interfaces' test results are Approved
P29
SC06a
Test results are reviewed and approved before going live with the change in the production environment
Changes are tested, test results are reviewed and decision to go live in production is approved
Manual
Preventive
P29
SC06b
Implementation results are reviewed and approved after going live with the change in the production environment
Business Owners
Manual
Detective
P29
SC07a
Impact of change on the documentation and support service plans of critical systems, platforms, applications and databases is assessed and the documentation is updated if necessary
Documentation and support service plans for critical systems, platforms, applications and databases is reviewed
Impact of change on the documentation and support service plans of end-user computing tools is reviewed and the documentation is updated if necessary
Documentation and support service plans for end-user computing tools is reviewed
Emergency changes are reviewed
Changes in a critical system, platform application or database are subject to an impact analysis of the related documentation (user and operation procedures, manuals, technical documentation, support service plans, training materials, ) which is updated if necessary
Preventive
List of available documentation (including location) for critical systems, platforms, applications and databases is reviewed and formally approved.
P29
SC07b
The documentation of critical systems, platforms, applications and databases (user and operation procedures manuals, technical documentation, support service plans, training materials, ) is reviewed to ensure sufficiency against business needs
Changes to end-user computing tools are subject to an impact analysis of the related documentation (user and operation procedures, manuals, technical documentation, training materials, ) which is updated if necessary
Detective
List of available documentation (including location) for end-user computing tools is reviewed and formally approved.
P29
SC08a
Business Owners
Manual
Preventive
P29
SC08b
P29
SC09
The documentation of end-user computing tools (user and operation procedures manuals, technical documentation, training materials, ) is reviewed to ensure sufficiency against business needs
Business Owners
Manual
Emergency changes are reviewed to assess legitimacy and compliance with change management policies and procedures
Technology Factory Chief and Country Manager
Manual
Detective
Detective
Bi-annually (period of 5 to 7 months required between control executions)
Every emergency changes
P29
SC12
Matrix of profiles (and related rights) are reviewed and mapped to job descriptions
The profiles/roles in the systems, platforms, applications and databases are mapped to each job description (up-to-date), to ensure that related access rights granted via the profiles are commensurate with job/position responsibilities
Business Owners, Critical Systems Technology Responsibles and Human Resources.
Manual
Preventive
The profiles matrix (and related rights) related to each job description are reviewed and formally approved
P29
SC14
Provisioning / deprovisioning forms are reviewed and approved to grant users only the access they need
The logical access request forms for joiners, job changes and job terminations for employees, contractors, vendors and non-client personnel are:
- prepared and approved by the Head of Department (of the employee or contracting a third-party),
- reviewed and approved by the Human Resources Responsible vs. the job description for legitimacy and segregation of duties purposes,
- processed by the IT Staff
Human Resources prepares a monthly list of all transfers and leavers which is used by the Security Officer to verify that the relevant access rights have been modified or revoked
Manual
Preventive
P29
SC15
Accesses to systems, platforms, applications and databases is reviewed against the list of all transfers and leavers
Detective
Monthly
Review of accesses vs. the list of transfers and leavers is formally approved
P29
SC16
Access rights to systems, platforms, applications and databases that are granted (through profiles) are reviewed, updated if necessary and approved
The complete access rights (granted through allocation of profiles) are reviewed to check that:
- access rights are in line with employee's position and responsibilities in the company (job description) and that these are still aligned with need-to-have and segregation of duties principles
- all users of systems, platforms, applications and databases receive a unique user ID by which they can be uniquely identified (any exception to this rule must be well documented, rationalized and approved)
- temporary accounts, generic accounts, applicative accounts are legitimate and adequately supported by documentation
User access rights are reviewed and approved to check that:
- only authorized personnel has access for migrating new/modified systems, platforms, applications and databases into the production environment;
- user access rights are in line with job description;
- this personnel is not authorized to perform any development.
Manual
Detective
Quarterly
P29
SC17
Access for migrating new/modified systems, platforms, applications and databases into the production environment is restricted
Detective
Quarterly
User access rights related to the migration of new/modified systems, platforms, applications and databases are reviewed and formally approved
P29
SC18
Privileged access (admin, super users) to systems, platforms, applications and databases is reviewed and approved
The list of usernames (and corresponding persons) with privileged/powerful access rights to systems, platforms, applications and databases is reviewed to ensure that capability to issue powerful commands is limited to appropriate individuals
Detective
Quarterly
List of usernames (and corresponding persons) granted with privileged/powerful access rights to systems, platforms, applications and databases is reviewed and formally approved
P29
SC19
End-user computing tools are secured from unauthorized access and use
End-user computing tools (such as spreadsheets and other end-user programs) are placed on secured directories, for which the list of usernames (and corresponding persons) with access to these, is reviewed to ensure that accesses respect the need-to-have principles. Note: End-user computing tools are all tools created by business department personnel not limited to only spreadsheets (e.g. Excel Macro, Excel reconciliation spreadsheets, MS Access tools) that are used to compute or control figures of Financial Statement.
Manual
Detective
Quarterly
User access rights list to end-user computing tools is reviewed and formally approved
P29
SC20
Access rights granted to vendors and contractors are strictly limited in terms of time and profile (need-to-have basis)
The access rights granted to providers (including generic, application and maintenance accounts) are reviewed to assess the need-to-be of active vendors' accounts
Human Resources Responsible and Security Officer and Technology Factory Chief
Manual
Detective
Monthly
The vendors/contractors accounts and related access rights are reviewed and formally approved
P29
SC21
Remote access connection capability from vendors, contractors and employees is adequately limited
The timeframe and business requirements for remote access granted to vendors, contractors and employees is reviewed
Human Resources Responsible and Security Officer and Technology Factory Chief
Manual
Detective
Monthly
The list of user accounts with remote access capability is reviewed and formally approved
P29
SC22
Remote access connections from vendors, contractors and employees is monitored
Activities on network components performed during remote access are monitored by the Critical Systems Technical Responsible through review and documentation of the activity logs (connection, tasks performed, disconnection) to ensure they are in line with the planned remote activities. The monitoring of connection/disconnection to the VPN platform (if any) is the responsibility of the Critical System IT Responsible.
Critical Systems Technology Responsible(s)
The reports on remote connections are communicated and approved
Remote connections and the related activities performed are reported
Manual
Detective
The logs of activities from remote connections vs. planned activities are reviewed and formally approved
P29
SC23
Detective
Monthly
Reports on remote connections and activities performed are reviewed and formally approved
P29
SC24
The security set-up for the critical information is reviewed to ensure that only authorized users are in the list
Password files, authorization tables, communications software, encryption keys and critical installation programs are stored in logically protected areas or otherwise protected from read-and-write access
Security Officer and Technology Factory Chief
Manual
Detective
Quarterly
P29
SC25
The set-up for passwords of each system, platform, application and database is reviewed
Password controls to critical network and systems, platforms, applications and databases are in effect and consider minimum security rules (where technically feasible)
Preventive
Security rules implemented in the systems, platforms, applications and databases (print screens, ) are reviewed and formally approved
P29
SC27
Storage and backup principles are formalized and approved
Retention periods, backup and storage terms are defined for documents, data, programs, reports and messages, as well as the data (keys, certificates) used for their encryption and authentication, while considering the classification of company data/information sensitivity
Technology Factory Chief and Legal or Regulatory Responsible
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Retention periods and storage terms are reviewed and formally approved
P29
SC29
P29
SC30
The backup journal is reviewed to ensure that backups are carried out on critical systems, platforms, applications and databases at least daily for data and weekly for configuration setups
The backup restore journal is reviewed to verify the results of the restore tests
Detective
Monthly
Critical Systems Technology Responsible(s) and Technology Factory Chief-1 (Support Manager)
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The restore journal is reviewed and formally approved
P29
SC31
Only authorized individuals have access to the back-up data and media
The list of individuals able to access the backups (physically and logically, on media and on logical drives, on-site and off-site) is reviewed vs. the authorizations
Technology Factory Chief-1 (Support Manager)
Manual
Detective
Quarterly
The review of accesses to backups vs. the authorizations is reviewed and formally approved
P29
SC37
Unauthorized activities attempts recorded in audit trails (logs) on key systems and network components are reviewed
Unauthorized activities attempts (successful and unsuccessful) done at network, systems, platforms, applications and databases level are identified and reacted upon in an appropriate way. It does include a review of firewall / IDS and IPS logs to detect any hacking intrusion attempt.
Manual
Detective
Weekly
The security logs and unauthorized activities highlighted are reviewed and formally approved
P29
SC38
Detective
Monthly
P29
SC41
The daily job scheduling checklists and corresponding results are reviewed
Batch jobs are scheduled and monitored to ensure they run as needed and to completion
Manual
Detective
Daily
The job scheduling checklist and related results are reviewed and formally approved
PwC Testing
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain a list of all employees which were subject to annual performance evaluation (some employees hired too recently may not be subject yet to evaluations). - Select the number of employees to be tested. - For each selected employee obtain the annual performance evaluation form. - Ensure it was reviewed and formally approved before promotion period.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- For each selected month obtain the reports including commissions and other variable pay elements (overtime, paid off, sickness, holidays, absence, personal expenses). - Ensure they are reviewed and formally approved. - Obtain the list of all Local Senior Management and Regional equivalents - Select the number of employees to be tested. - For each selected employee obtain the calculation of effective bonus and related supporting documentation (i.e.: assessment of individual performance and general bonus performance criteria communicated by headquarters). - Ensure arithmetical accuracy. - Ensure each calculation was reviewed and formally approved.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Obtain the list of all employees other than Local Senior Management and Regional equivalents - Select the number of employees to be tested. - For each selected employee obtain the calculation of effective bonus and related supporting documentation (i.e.: assessment of individual performance and general bonus performance criteria communicated by headquarters). - Ensure arithmetical accuracy. - Ensure each calculation was reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Obtain the quarterly mapping between job positions within the company and related cost center code. - Reperform the mapping to ensure that: a) All identical job positions bear the same cost center code. b) All the job positions included in the list are active (no expired or inactive positions must be included) c) All the cost center codes included in the list are active (no expired or inactive codes must be included) - Ensure that any discrepancy is properly explained and that corrective action has been taken. - Ensure mapping was reviewed and formally approved.
Reperformance
non-key
Walkthrough
- For each selected month, obtain the analytical review between current month payroll accounts and previous month. - Ensure that the analytical review includes all the costs related to employees: not only salaries, also other personnel expenses, etc. - Verify that all variations equal or above 10% have been properly investigated and explained. - In case of errors, ensure that corrective actions have been taken and documented. - Ensure that the analytical review has been reviewed and formally approved. - For each selected month, obtain the returns kept on file (taxes and social security). - Ensure that any unusual item has been properly investigated and explained. - Verify the returns have been reviewed and formally approved before communication to the authorities.
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
For the selected month, ensure that the HR Responsible reviewed the complaint book. Select a sample of 2 complaints registered in previous months and inquire about the resolution/ follow up performed. 1) For each selected month, obtain a list of the Payroll System changes made during the month (note: you can identify the changes by comparing the payroll detail of the month selected with the previous month. Each change in the employee net salary is in the scope of this control): a) Recruitments (employees added to payroll database). b) Dismissals (employees removed from payroll database). c) Changes in variable pay elements (overtime, paid off, sickness, holidays, absence, personnel expenses). d) Changes in salary and benefits. e) Changes in deduction rates (social payments and others). f) Changes due to employee's complaints. 2) Select 10% of the changes made during the month (sample must include all above categories). 3) For each change selected, obtain the personnel action form or any document evidencing HR Responsible approval (or Head of Performance and Reward approval for changes related to Local Senior Management and Regional equivalents) 4) Ensure that the above mentioned changes were reviewed and formally approved before their input into the payroll system.
Inquiry
non-key
Walkthrough
2 1 Inspection Low Rely
- Obtain the reconciliation between the Payroll monthly report and the payroll data approved before input into the payroll system. - Reperform the reconciliation to ensure arithmetical accuracy. - Ensure that the reconciliation is properly evidenced (existence of tick marks and/or cross references). - Ensure that any discrepancy is properly explained and that corrective action has been taken. - Ensure reconciliation was reviewed and formally approved. - Additionally, for the 2 months selected, obtain an employees' list from HR department and ensure that the number of employees in the monthly payroll report equals the total number of employees in the list.
Reperformance
Low
Rely
- Obtain the computation of the bonus accrual for each selected quarter and related supporting documentation. - Verify arithmetical accuracy and reasonableness of calculation. - Tie out the accrual's computation vs. accounting records.
Reperformance
Med.
Reperformance
- Obtain from the inventory system the list of stock that has been ordered during the period under review. - Select the appropriate sample of orders. - For the sample selected: a) Obtain the approved order request form (or approved e-mail). b) Check that the form is duly supported by an inventory review or that a monitoring was done by the warehouse officer. c) Ensure the order is properly reviewed and formally approved. - Additionally select 5 weeks in which "No need to order" was identified and verify that an analysis or support documentation was properly approved to support this situation. - Obtain from inventory system the list of all goods dispatched to customer, Dealers and goods transferred to local warehouse during the period under review. - Select the sample to be tested and for each transaction selected, obtain approved Stock Order Form / approved Dispatch Note. - Ensure that the form was properly completed, reviewed and formally approved by the sending and receiving parties. - Verify sending party reviewed and formally approved the "completed" Stock Order Form / Dispatch Note to ensure that the quantity requested matches with the quantity delivered and received. - Ensure that any differences identified in this review have been investigated and resolved.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of goods in transit - Ensure that the old outstanding goods in transit (i.e. for which no approved Stock Order Form/Dispatch Note has been received) have been investigated and that any required corrective actions have been executed. - Verify that the goods in transit analysis has been reviewed and formally approved. - Obtain the list of indirect sales that took place during the period under review. - Select the sample to be tested and obtain the related approved Stock Order Form. - Check that it was reviewed and formally approved (i.e. the quantity, amount and the credit limit of the supplier were validated).
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the approved list of sales prices - Ensure the list has been directly extracted from the invoicing system. - Ensure it has been reviewed and formally approved. - Obtain from the invoicing system the list of stock sales made during the period under review. - Select the sample to be tested and obtain for each transaction selected, the approved quantity reconciliation between the invoicing system and the stock order form/dispatch note. - Ensure the accuracy of the reconciliation by reperforming it. - For any differences identified, ensure appropriate investigation took place and corrective actions were taken. - Verify that the reconciliations were reviewed and formally approved.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Obtain from the inventory system the list of stock returns that took place during the period under review. - Select the samples to be tested and obtain for each transaction, the approved Stock Return Form. - Ensure the form includes the relevant information (description of inventory item returned detailing the accessories, quantity received, reason for return) - Ensure the Stock Return Forms were reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- For the sample selected for IC 10, obtain the approved Credit Note. - Ensure the review of the credit note was properly performed by ensuring that the approved Credit Note is in line with the Stock Return Form. - Verify that the credit note was reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- a) Monthly counts: - Obtain the report of the count performed by technical team. - Verify this report was reviewed and formally approved by the accounting team. b) Bi-annual counts: - Obtain the report of the count performed by technical team. - Ensure that all stocks items were counted. - Verify this report was reviewed and formally approved by the accounting team. - Obtain a list of sales authorized to Dealer which were above the credit limit. - Verify that the sales have been properly authorized by the CFO
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the monthly list of dealers which have a balance above their credit limit - Ensure completeness of list - Verify that the list was approved by the CFO - Obtain the approved cost of sale calculation methodology and criteria. - Ensure accuracy of accounting treatment proposed (compared to MIC accounting policy manual) - Verify that the cost of sale calculation methodology was reviewed and formally approved. - Obtain the approved Reconciliation between sales in accounting system and sales in invoicing system. - Ensure the accuracy of the reconciliation by reperforming it. - For any differences identified, ensure appropriate investigation took place and correction actions were taken. - Verify that reconciliation has been properly reviewed and approved.
Inspection
non-key
Walkthrough
Inspection
Low
Rely
Reperformance
Med.
Rely
- Obtain the Reconciliation between value total inventory in accounting and in inventory module. - Ensure the accuracy of the reconciliation by reperforming it. - For any differences identified, ensure appropriate investigation took place and correction actions were taken. - Verify that reconciliation has been reviewed and formally approved. - Obtain the approved reconciliation between stock counts performed during the quarter and inventory report. - Ensure the accuracy of the reconciliation by reperforming it. - For any differences identified, ensure appropriate investigation took place and correction actions were taken. - Verify that reconciliation has been reviewed and formally approved.
Reperformance
Med.
Rely
Reperformance
Low
Reperformance
- Obtain the approved "Obsolete inventory and slow-moving items" policy and/or procedure. - Ensure the policy is in line with MIC accounting policy guidelines. - Check the policy is reviewed on a yearly basis - Verify policy and / or procedure has been reviewed and formally approved. - Obtain the approved list of obsolete items - Verify the list has been properly approved by CFO and GM - Based on the quarterly list of obsolete items approved by the CFO and GM (Control SC15), select 25 obsolete stock items to be checked. - Through observation in the warehouse verify that those items are clearly identified and separated from other stock items. - Obtain the approved calculation of the obsolescence reserve. - Reperform the calculation to ensure that calculation has been made according to the approved assumptions (SC14 -SC15). - Ensure calculation has been reviewed and formally approved. - Obtain the approved remeasurement tests conclusions - If no remeasurement test should be performed (depends on the stock items type), ensure this conclusion is properly documented and verify in the inventory system that there are effectively no handsets, accessories or CPEs. - If remeasurement test should be performed, obtain the approved stock net realizable value calculation and the methodology describing how to calculate the stock net realizable value. Ensure the approved methodology was properly applied. Ensure that if the NRV was below the current stock value, an adjustment has been booked in the accounts. - Verify that the remeasurement tests conclusions were reviewed and formally approved.
Inspection
Low
Rely
2 2
1 1
Inspection Inspection
Low Low
Rely Rely
Reperformance
Med.
Reperformance
Reperformance
Low
Rely
Med.
Rely
- Obtain the list of the CAR issued during the period under review - Select the samples to be tested and obtain for each of them the approved CAR - Verify the CAR was reviewed and formally approved
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain from the PO module the list of all assets purchased which were associated to a CAR. - Select the samples to be tested and obtain the associated approved CAR - Verify that the Purchasing responsible has checked that the assets request remains within the approved CAR amount.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the approved vendor's master file - Verify it was reviewed (e.g. review of potential duplicate suppliers, review and blocking of inactive suppliers) and formally approved. - From contract database, obtain the list of all purchase contracts for the period under review. - Select the samples to be tested and obtain for each of them, the related signed contract and reviewed purchase contract checklist. - Ensure the checklist was properly completed by tracing back all the information to the approved contract. - Verify the checklist was reviewed and formally approved.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- From the accounting system, obtain the list of all credit notes received from the suppliers during the period under review. - Select the samples to be tested and obtain for each of them the approved credit note. - Ensure that the credit note was reviewed and formally approved before booking.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain from accounting system the list of advanced payments made during the period and select the one for which good/service has been received. - Select the samples to be tested and obtain the evidence of the reversal booking - Ensure each reversal has been reviewed and formally approved before booking.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain summary of approved timesheets (cell-site commissioning team working on site under construction). - Verify the timesheets include for all cell-site commissioning team the time they spent on project or site. - Verify that the timesheets were properly reviewed and formally approved
Inspection
non-key
Walkthrough
- Obtain the list of all sites that went on air during the period under review. - Select the sample to be tested and obtain for each of them the approved confirmation of list of assets to be capitalized. - Verify that the confirmation was reviewed and formally approved before the update of the FAR.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Obtain a list of all the assets transferred during the period under review. - Select the samples to be tested and obtain for each of them the approved ATN. - Ensure the ATN was duly completed and formally approved by the sending and receiving department.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain all the approved lists of assets per assets owner. - Ensure that the lists were completed by tracing back the information to the FAR - Ensure that the lists were reviewed and formally approved. - Obtain a list of all the assets disposed during the period under review. - Select the samples to be tested and obtain for each of them the approved ADN. - Ensure the ADN was duly completed, that all required supporting documents were attached (receipt of sales proceed, ARO computation, realized gain or loss) and formally approved.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain from the accounting system, the list of all purchases (goods or services) done during the period under review. - Select the samples to be tested and obtain for each of them the purchase request including the account classification information. - Ensure that the transaction has been properly classified (check to be done based on the MIC accounting policy manual) - Verify that the transaction classification (CAPEX, inventory, OPEX) included in the purchase request has been reviewed and formally approved - Obtain the approved authority matrix - For the sample selected for SC5, obtain the approved purchase order. - Ensure that the PO was reviewed and formally approved as per the authority matrix.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
There are two possibilities to check this control: a) Obtain the PO module technical book and ensure that the system does not allow recording a GRN/SDN quantity higher than the PO quantity. Make sure this option cannot be changed manually. b) If no Technical book can be obtained, ensure that the functionality is properly working in the PO module by performing the following test of 1: try, for one open PO, to record a GRN / SDN with an amount higher than the one assigned in the PO and verify that the system prevents the booking of this operation (make a print-screen as evidence for the test) - Obtain the approved summary statement listing the open CAPEX accruals. - Ensure appropriate analysis has been done (e.g. verify that all open CAPEX accruals have been considered in the analysis, verify that the analysis has been performed by suppliers). Obtain an Ageing of the CAPEX accruals and inquire on all items over 6 months to conclude the reasonability of these balances. - Verify that the analysis was reviewed and formally approved.
Inspection
Low
Rely
Inspection
Med.
Independent
- Obtain the approved accruals checklist. - Ensure appropriate analysis has been done (e.g. completeness check, reasons for accruals explained, identification of accruals booked in previous period, total amount booked in the GL). - Verify that the analysis was reviewed and formally approved.
Inspection
Low
Reperformance
- Obtain the approved advance payments summary statements. - Ensure appropriate analysis has been done (e.g. verify that all advance payments have been considered in the analysis, verify that the analysis has been performed by suppliers, ensure completeness and proper reversal of advance payments when goods are received or services delivered). Obtain an Ageing of the Advance payments and inquire on all items over 6 months to conclude the reasonability of these balances. - Verify that the analysis was reviewed and formally approved. - Obtain the approved authority matrix - For the sample selected for SC5, obtain the approved invoices. - Ensure that the invoice was reviewed and formally approved as per the authority matrix before initiating the payment.
Inspection
Med.
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Independent
There are two possibilities to check this control: a) Obtain the PO module technical book and ensure that the system does not allow recording an invoice quantity higher than the PO and GRN/SDN quantity. Make sure this option cannot be changed manually. b) If no Technical book can be obtained, ensure that the functionality is properly working in the PO module by performing the following test of 1: try, for one open PO, to record an invoice with an amount higher than the one assigned in the GRN/SDN and verify that the system prevents the booking of this operation (make a print-screen as evidence for the test). Note: If the 3-way match is manual, obtain a list of the invoices received during the Quarter and select 10 items; Request the PO and the GRN for each item in your sample and re-perform the 3 way match to ensure that the PO matches in quantity with the GRN; the PO matches in price with the invoice and the GRN matches in quantity with the invoice.
Inspection
Low
Rely
- Obtain from the accounting system the list of assets pertaining to the company - Select 1 type of each different locations (e.g. site on air, office, shop and warehouse) and select in total the appropriate sample of assets from the accounting record. - For each location selected, organise an inspection on site and verify that selected assets are physically present on site and that the tag number is correct (tag to floor approach). Select also some assets in the sites and verify afterward that they were properly recorded in the accounts (floor to tag approach). - Ensure also that the tag numbers used comply with the asset coding mentioned by HQ in MIC Policy manual
- 25 assets (floor to tag approach) - 25 assets (tag to floor approach)
Inspection
Med.
Independent
- For the period under review obtain a list of all new turnkey projects. - Select the samples to be tested and obtain for each of them the approved accounting memorandum. - Verify that the accounting treatment summarized complies with the contract terms and with MIC accounting policy manual. - Verify that the memorandum was reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Based on the sample selected for IC 17, obtain the valuation sheet from the HR department. - Ensure accuracy of calculation - Verify that the valuation sheet was reviewed and formally approved
Inspection
Med.
Rely
Note that this control is only applicable if the CWIP register is manually maintained. If the CWIP is included in the FAR, this control should be considered as no sample. - Obtain the approved manual CWIP register. - Verify that CWIP register includes at minimum assets identification, date of receipt, PO reference, value, expected date of capitalization, location and asset description. - Reperform the reconciliation between CWIP register and CWIP accounts and ensure that any difference identified has been investigated and corrected. - Verify that the reconciliation was reviewed and formally approved. - Obtain a list of assets which were linked to ARO - Select the samples to be tested (new assets acquired and assets disposed) and obtain the approved ARO calculation sheet - Review the accuracy of the calculation by reperforming it and ensure appropriate supporting documents exist. - Verify the calculation was reviewed and formally approved
Inspection
High
Independent
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Med.
Reperformance
- Based on selection made for IC20, obtain the approved assets costing sheet. - Ensure that all elements have been considered including the assets, ARO, interest, services, freight, duties, etc. - Ensure the accuracy of the costing by reperforming it when possible - Verify that the costing sheet was reviewed and formally approved - Ensure that the accounts were properly updated based on this approved costing sheet. - Obtain the list of all regulatory licenses obtained in the period under review. - For each license selected, obtain the agreement and the approved License Summary Sheet. - Reconcile all information in the license summary sheet with the license agreement. - Verify that capitalization rules have been correctly applied. - Verify the license summary sheet was reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
High
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- Obtain the approved summary by assets category showing depreciation rates used. - Verify that analysis was properly performed by ensuring that depreciation rates used correspond to those approved in the MIC policy. - For those assets which do not follow normal depreciation rates, verify that they were properly identified and documented: - In case of the use of another depreciation rate, verify the justification and the proper approval. - In case of error, verify its follow-up, correction, documentation and correct booking into the FAR. - Verify that the analysis has been reviewed and formally approved. - Obtain the approved analysis of assets with negative net book value. - Ensure that the analysis was properly performed by ensuring that no assets with negative value were included in those reports. - If negative net book value was identified, ensure that appropriate actions were taken to resolve the issue. - Verify that the analysis was reviewed and formally approved. - Obtain a list of all assets for which the useful life was modified during the period under review. - Select the samples to be tested and obtain for each one the approved useful life determination sheet - Ensure the new rate remains in line with the MIC Accounting Policy Manual or has been properly justified and documented. - Verify that the analysis has been reviewed and formally approved.
Reperformance
High
Reperformance
Inspection
High
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
- Obtain the approved ATN cut-off report. - Ensure that the report includes all required information (sequential number, transfer date, receipt date, FAR update date) - Ensure that any missing ATN in the report has been investigated in order to ensure completeness of FAR update. - Verify that the ATN cut-off report was reviewed and formally approved. - Obtain the approved reconciliation between the count and the FAR. - Ensure the count has been performed for all assets (during the year) and included the verification of the asset number per tag, existence and obsolescence. - Ensure that the reconciliation was properly performed and that any discrepancies identified during the reconciliation process have been properly investigated and that any issues were properly resolved and corrected if required (in the FAR or on the sites) - Ensure that an analysis of the obsolete items has been properly performed and that any required adjustments were properly documented. - Verify that the reconciliation sheet and obsolete analysis were reviewed and formally approved. - Obtain the approved reconciliation between the count and the CWIP register. - Ensure the count has been performed for all assets under construction and included the verification of the asset number per tag and existence. - Ensure that the reconciliation was properly performed and that any discrepancies identified during the reconciliation process have been properly investigated and that any issues were properly resolved and corrected if required (in the CWIP register or on the sites) - Verify that the reconciliation sheet was reviewed and formally approved. - Based on the sample selected for IC32, obtain the approved computation of realized gain/loss. - Verify the accuracy of the calculation by reperforming it (using valid supporting documents) - Verify the computation was reviewed and formally approved.
Inspection
High
Reperformance
Inspection
High
Independent
Inspection
High
Independent
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Med.
Rely
- Obtain the list of all advance payments made during the period under review. - Identify all advance payments given to suppliers above a predefined threshold, for which the review of the financial statements was not satisfactory and for which no guarantee exists. - Based on this list, select the samples to be tested. - For each of them, obtain the approved report from the service provider and ensure that it includes assessment of the existence, quality and solvability of the related supplier. - Ensure that the conclusions of report are in line with the grant of advance payment (only positive results in each advance payment). - Verify the report was reviewed and formally approved. - Obtain the approved log book of vendor complaints at purchasing department. - Ensure appropriate provision has been calculated when needed. - Verify it has been reviewed and formally approved on a monthly basis.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- Obtain from the accounting system the list of all payments made to suppliers during the period under review. - For each sample selected, ensure that the treasurer has reviewed and formally approved the supplier balance before payment.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the approved log book of customer complaints at customer service department and check that every case has been clearly identified to ensure an appropriate decision by the Financial Responsible on provisioning. - Ensure appropriate provision has been calculated. - Verify it has been reviewed and formally approved on a monthly basis. - Obtain the approved bank reconciliation summary sheet. - Ensure that this document clearly indicates the reconciliation for each bank account, the remaining unexplained amount and the action plan to explain/correct those differences. - Ensure accuracy of the information included in the summary sheet. a) All active bank accounts are listed. b) Reconciliation was performed based on approved documentation (refer to SC13). c) All discrepancies found were correctly identified and timely resolved. d) The reconciliation has been reviewed and formally approved. - Obtain from the accounting system the list of all petty cash advances granted during the period under review. - Select the samples to be tested and obtain for each of them the approved supporting documents justifying the petty cash advance request. - Ensure adequacy between the petty cash effectively granted and the supporting documents. - Ensure petty cash request is reviewed and formally approved according to authority matrix.
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on the sample selected for IC 15, obtain the approved petty cash voucher. - Ensure the petty cash voucher was reviewed and formally approved by the treasurer (prior to the review of the existence of remaining outstanding advance)
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on the sample selected for IC 15, obtain all the approved invoices related to the advance payment. - Ensure that the expenses made were in line with the authorized advance payment (cf. IC 15) - Verify that the invoice was reviewed and formally approved as per the authority matrix. - Verify that the legality of use was verified (business and legal purposes)
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the approved petty cash reconciliation (between general ledger and petty cash count). - Reperform reconciliation and ensure that any difference identified has been investigated and resolved if necessary. - Verify that the reconciliation was reviewed and formally approved. - Obtain the approved payable aging balance report. - Ensure all unpaid amounts for more than 6 months were properly analyzed and cleared if required. - Verify the aging report was reviewed and formally approved. - Obtain the list of the top 20 suppliers and ensure that the selection was made based on the volume of purchases done in the last 12 months. - Ensure that a circularization letter has been timely sent to all of them. - Ensure that the reconciliation was completed during the quarter (i.e. all vendors submitted their answer, all reconciliations have been performed). - Reperform the reconciliation between account payable and vendor statement for the defined sample. If a difference has been identified, ensure that appropriate investigation has been performed (and documented) and corrective actions were taken if necessary. - Verify that the reconciliations were reviewed and formally approved.
Inspection
non-key
Walkthrough
Inspection
Low
Rely
a) 2 b) 1
Select the Vendor Reconciliations performed during the Quarter and reperform 10 reconciliations.
Reperformance
High
Independent
- Obtain the list of all payments made during the period under review (from the accounting system). - Exclude from this list all direct debit payments. - Select the samples to test and obtain the approved payment voucher / instructions / cheque. - Verify that the payment voucher / instructions / cheque were reviewed and formally approved (based on adequate supporting documents and as per the approved authority matrix).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain the approved list of authorized direct debit received from the financial institutions. - Ensure it was reviewed and formally approved. - Check that for all unauthorized direct debit identified, actions have been taken and documented (i.e. suppression of direct debit authorization). - For each day selected, obtain the approved reconciliation between the cash deposit and/or electronic payment (from the financial institution) and the sales report (from the cash platform). - Reperform the reconciliation based on valid supporting document and ensure that any differences identified have been investigated and resolved. - Verify that reconciliation was reviewed and formally approved. - Understand frequency of the control and adapt the sample selection based on this frequency. For all samples selected, obtain the approved cash reconciliation between accounting system and billing system. - Reperform the reconciliation based on valid supporting document and ensure that any differences identified have been investigated and resolved. - Verify that reconciliation was reviewed and formally approved. This control is only applicable to dealers indirect sales force. If the company does not have any indirect sales force, this control should be considered as no sample. - In case of sample, obtain the approved reconciliation between banking summary report and bank statements - Reperform the reconciliation based on valid supporting document and ensure that any differences identified have been investigated and resolved. - Verify that reconciliation was reviewed and formally approved. - Obtain the approved analysis of blocked deposit. - Ensure appropriate review was performed on the segregation - Verify that report has been reviewed and formally approved. If weekly: 5 If daily: 25
Inspection
Med.
Independent
25
10
Reperformance
High
Reperformance
If weekly: 3 If daily: 10
Reperformance
Med.
Rely
Reperformance
Med.
Rely
Inspection
Med.
Reperformance
- Obtain from the accounting system the list of all bank accounts. - Obtain for each bank account the approved reconciliation (even for zero balance account or account without movement) - Reperform all reconciliations and ensure differences have been identified, investigated and corrected (if needed). If the investigation is not finalized before the closing of the month, ensure that this is clearly documented and that an appropriate follow-up is performed during the following month. Make sure that all reconciled items, whatever the amount, are investigated. - Ensure that an analysis of all old outstanding unreconciled items has been performed and that appropriate cleaning has been performed. - Ensure that all Zero-balance accounts were blocked in the accounting system. - Ensure that all uncashed cheques have been reviewed and cleaned if necessary - Ensure that all unapplied cash accounts have been reviewed and cleaned if necessary - Verify that all reconciliations were reviewed and formally approved.
Reperformance
High
Independent
- Identify all new financing / loan granted during the period and select the sample to be tested. - Obtain the approved Loan Summary Form and the correspondent agreement signed by both parties. - Ensure that the Loan Summary Form was properly reviewed by tying all its information with the agreement to ensure validity of data. - Verify Loan Summary Form was reviewed and formally approved by CFO and HQ (Corporate Finance).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- For all the financing / loans selected in IC1: - Obtain the approved reconciliation between the loan agreement and the cash received. - Reperform reconciliation by tying the amount granted in loan agreement vs. cash received - Ensure that any differences identified have been investigated and resolved. - Ensure reconciliation is reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Based on the results of the analysis performed under SC4, identify if breaches have been identified. - If no, the control is to be considered as no sample - If yes, verify the debt covenants computation has been communicated to HQs for review. - Identify all new financing / loan granted during the period and select the sample to be tested (e.g. bank financing, supplier financing with vendors, 3rd party financing through developing agencies, shareholder loans). - Verify that the agreement was formally approved by HQ (Corporate Finance) before being effective.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
1.- Interest Expenses: - Obtain the approved reconciliation between the calculation sheet and the accounts - Reperform the reconciliation by tracing back the information to valid source documents. - Ensure that any discrepancy identified has been analyzed, investigated and resolved. - Verify that the reconciliation was properly reviewed and approved. 2.- Classification of Short / Long Term Debt: - Obtain the approved analysis of the classification between long term and short term. - Review appropriate classification based on contract reimbursement terms. - Verify that the analysis was reviewed and formally approved. - Obtain the approved debt covenants computation. - Ensure the analysis was performed based on current data and based on the company 12 months forecast. (Note: as per MIC policy B.4.7.2.5 the Company has to identify potential future breaches, therefore the calculation using the 12 months forecast should be performed). - Reperform loan covenants computation by checking that all loan covenants as per the agreement have been considered in the analysis (financial and non-financial). Recalculate the financial covenants to ensure accuracy of calculation (use valid source information, e.g. approval budget, financial statements). - Verify that covenants computation has been reviewed and formally approved. - Ensure that if breaches were identified, all the corresponding loan was reclassified into short term, unless an explicit waiver from HQ was obtained. - Obtain from the accounting system, the list of all new prepayments booked during the period under review: - For each sample selected, obtain the approved reconciliation between the prepayment details inputted in the fixed assets register and the ones included in the related contract summary form. - Reperform the reconciliation and ensure that any difference identified has been timely resolved. - Verify that the reconciliation was reviewed and formally approved.
Reperformance
Med.
Reperformance
Reperformance
Med.
Independent
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Obtain the approved reconciliation between manual recomputation of monthly prepayment and accounting records. - Reperform the manual recomputation based on valid supporting document - Reperform the reconciliation - Verify the reconciliation was reviewed and formally approved.
Reperformance
Low
Rely
- Obtain the approved calculation for the current and deferred taxes accruals. - Reperform the calculation to ensure accuracy (verify validity of source document and ensure arithmetical accuracy of calculation) - Ensure that the provision calculation has been reviewed and formally approved. - Per discussion, understand the frequency of direct tax returns to be filed. Based on this total population, select the sample to be tested. - For the samples selected, ensure that it was reviewed and formally approved by the CFO (signature and / or written comments). - Ensure the review was performed before the return was filed. - Review the accuracy of the tax return by tracing the information to source documents. a) Quarterly comparison: - Obtain the approved comparison between the booking of the tax in the accounts and the tax provision calculation. - Verify arithmetical accuracy. - Verify that comparison was reviewed and formally approved. b) Tax assessment comparison: - Obtain the approved comparison between the booking of the tax in the accounts and the tax assessment. - Verify arithmetical accuracy. - Verify that comparison was reviewed and formally approved. - Obtain from the billing system a report listing all the changes made in the tax parameters during the period under review. - Select an appropriate sample of changes and ensure that the appropriate documentation and approval has been obtained for all of them (check review, sign-off and date) before being input into the billing system. - Obtain the approved quarterly memo summarizing the indirect tax review. - Ensure that any tax rate change (if any) has been documented. - Ensure that an analysis of the indirect tax rate has been performed by type of transaction and that any discrepancy identified has been analyzed, investigated and solved if required. - Verify that the memo was reviewed and formally approved.
Reperformance
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
Quarterly: 2 Ad hoc: - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Quarterly: 1 Ad hoc: - If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- Obtain the approved list of tax parameter changes. 2 - Ensure that a reconciliation was performed between all the changes performed in the system and the approval supporting documents (test the changes according to documentation required in IC06). - Verify that the reconciliation has been reviewed and formally approved. - Per discussion, understand the frequency of indirect tax returns to be filed. Based on this total population, select the sample to be tested. - For the samples selected, ensure that it was reviewed and formally approved by the CFO (signature and / or written comments). - Ensure the review was performed before the return was filed. - Review the accuracy of the tax return by tracing the information to source documents. - Obtain the approved tax advisors report. - Verify the advisor has ensured on a quarterly basis the completeness of direct taxes to be booked using a checklist. Reperform the reconciliation. - Verify the advisor has reviewed on a quarterly basis the tax calculation accuracy including the review of the tax rate. Reperform the calculation by ensuring the accuracy of source documents / information, including tax rate. - Verify the advisor has reviewed on a quarterly basis the uncertain tax position. - Verify the advisor has prepared on an annual basis a loss carry forward analysis. Reperform the analysis by tracing back the analysis to valid supporting documents. - Verify the advisor has reviewed the tax assessment, if any, received from the Tax Administration. - Ensure the tax report was reviewed and formally approved by the CFO. - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
Quarterly: 2 Annually: 1 Ad hoc: - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Quarterly: 1 Annually: 1 Ad hoc: - If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
High
Independent
- Obtain the approved reconciliations between accounting and income tax base and between statutory and 2 effective income tax rates. - Reperform the reconciliations by tracing back the reconciliation data to valid supporting documents and ensure provided explanations are sufficiently detailed. - Verify that the reconciliations were reviewed and formally approved (signature and / or written comments). - Obtain the approved tax advisors report. - Verify the advisor has ensured on a monthly basis the completeness of indirect taxes to be booked using a checklist. Reperform the reconciliation. - Verify the advisor has performed on a monthly basis a rationalization test per indirect taxes rates. Reperform the reconciliation. - Verify the advisor has reviewed if any the tax assessment received from the Tax Administration. - Ensure the tax report was reviewed and formally approved by the CFO. Monthly: 2 Ad hoc: - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Med.
Reperformance
Monthly: 1 Ad hoc: - If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
High
Independent
- Obtain the approved impairment calculation sheet. - Reperform the impairment calculation and ensure adequacy of conclusion. - Ensure that the impairment calculation sheet has been reviewed and formally approved. There are two possibilities to check this control: a) Obtain the billing system's parameterization book. - Review that the functionality "Ageing balance report automatically generated" has been activated. - Check this option is automatic and can not be changed manually. b) If no Technical book can be obtained, ensure that the functionality is properly working in the billing system by performing the following test of 1: - Ask an accountant to make an extraction of the ageing report. - Ensure report is automatically generated and contains all data and proper classification of ageing. - Obtain the approved reconciliation between Account Receivables (AR) from the aging balance and from the general ledger. - Reperform the reconciliation by checking that AR aging balance ties with the AR balance in general ledger (check last version in the accounting system) and ensure that any differences identified have been investigated and resolved. - Verify that the reconciliation has been reviewed and formally approved. - Ensure that all amounts overdue for more than 120 days have been provisioned for (unless a waiver has been obtained from the Cluster Responsible). - Ensure that all interconnect and roaming partners, dealers and overdue postpaid subscribers have been reviewed on an individual basis and that for any customers or partner facing financial stress, an additional bad debt provision has been considered in the quarterly bad debt provision balance. - Ensure that this analysis has been properly documented, reviewed and formally approved.
Reperformance
Med.
Reperformance
Inspection
Low
Rely
Reperformance
Low
Rely
Inspection
Med.
Reperformance
- Obtain the approved bad debt provision calculation sheet. - Reperform provision calculation and ensure accuracy (of source information and calculation) - Ensure that all balances overdue for more than 90 days have been provisioned. - Ensure that this analysis has been properly documented, reviewed and formally approved. - Based on the samples selected for IC2, determine the contracts that include the MIC purchasing general terms and conditions and ensure that those terms and conditions were reviewed and formally approved. - For the contracts which do not include the MIC purchasing general terms and conditions, verify that those terms and conditions were reviewed and formally approved by the legal responsible.
Reperformance
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- From the contracts database, obtain the list of all new contracts / agreements issued during the period under review. - Select in this list the samples to be tested and obtain the related contracts. - Verify for each sample selected that the legal responsible has ensured that the contract was properly signed by both parties. - In particular, ensure that the contract was signed according to the company approved authority matrix. - Based on the samples selected for IC2, obtain the approved contract summary form. - Reconcile the information contained in the contract summary form with the contract to ensure data accuracy. - Verify that it has been reviewed and formally approved by the legal department. - Ensure it is sequentially numbered.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
non-key
Walkthrough
- Based on the samples selected for IC2, obtain the approved "calculation sheet". - Reconcile the information contained in the calculation sheet with the contract summary form and the contract to ensure data accuracy. - Ensure that all accounting treatments comply with the MIC accounting policy - Ensure the arithmetical accuracy of any calculation - Verify that the calculation sheet has been reviewed and formally approved by the accounting responsible - Obtain the approved list of all CAPEX purchase commitments. - Verify that this list was reviewed and formally approved by the Purchasing Responsible to ensure completeness and accuracy (signature and / or written comments) - Verify that the total CAPEX commitments from the detail reviewed matches with the total of CAPEX commitments figure reported to HQ. - Obtain the approved list of all pending litigations and lawsuits. - Verify that this list includes the following information: description of lawsuits, status, estimated loss and probability of occurrence. - Verify that this list was reviewed and formally approved by the Legal Responsible to ensure completeness and accuracy (signature and / or written comments) - Obtain the approved list of the guarantees / pledge assets. - Verify that this list was reviewed and formally approved by the CFO to ensure completeness and accuracy (signature and / or written comments) - Obtain the approved compliance memo. - Obtain also a copy of all the license agreements - Verify, in the compliance memo, that all license agreements are analyzed. - Verify, in the compliance memo, that for each license agreement, all major terms and conditions have been listed. - Verify, in the compliance memo, that for each license agreement, a review of all major terms and conditions has been performed by the Responsible (i.e. purpose is to ensure that no breach is detected and that all terms and conditions are still respected) - Obtain the approved list of all lease agreements (financial and operating). - Verify that this list was reviewed and formally approved by the Financial Responsible to ensure completeness and accuracy (signature and / or written comments) - Obtain the approved summary of tax commitments and contingencies. - Verify that this summary was reviewed and formally approved by the Tax Responsible to ensure completeness and accuracy (signature and / or written comments)
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Med.
Reperformance
Inspection
Low
Rely
Inspection
Med.
Independent
Inspection
Low
Rely
Inspection
Med.
Rely
Inspection
Med.
Reperformance
Inspection
Med.
Rely
- Obtain all the approved lists of other commitments and contingencies.
- Verify that this list was completed, reviewed and formally approved by all departments (completeness of documentation review).
- If no additional commitment and contingency needed to be reported by a Head of Department, ensure that the review was still performed and resulted in this conclusion (e.g. evidence of investigation, approval of a nil report).
- Verify that Finance has reviewed the information provided by other departments and the accounting treatment decision based on IFRS (accounting booking, disclosure).

a) Changes approval:
- Obtain from the accounting system a report listing all the changes made in the accounting system parameters during the period under review.
- Randomly select changes and ensure that the appropriate review and approval has been obtained for all of them (check sign-off and date).

b) Full review of all parameters:
- Obtain the report listing all accounting parameters and ensure they were all reviewed and signed (Annual check).

There are 2 possibilities to check this control:

1.- Obtain Technical book.
- Review that the functionalities "no unbalanced journal entry can be booked" and "journal entries numbers are automatically generated" have been activated.
- Check these options are automatic and cannot be changed manually.

2.- If no Technical book can be obtained, ensure that the two functionalities are properly working in the system by performing the following test of 1:
- Ask the accountant to try to book an unbalanced entry.
- Verify that the system blocks this action and print the screen.
- Ask the accountant to try to book two transactions with the same journal number.
- Verify that the system blocks or does not allow this action and print the screen.

- From the accounting system, obtain a list of standard journal entries (S-JE) recorded in the period under review. (Note: if no list of S-JE is available, obtain the full list of JE and filter the Standard ones by using the MIC definition and using the accounts name and/or transaction type / description)
- Randomly select S-JE, and for each one:
  a) Verify the existence and accuracy of supporting documents (reperformance if needed).
  b) Ensure that the supporting documents properly tie with the journal entry.
  c) Ensure that the journal entry has been reviewed and formally approved as per the authority matrix.
  d) Ensure that the posted journal entry corresponds to the one approved.
Inspection
Low
Rely
a) Inspection
Med.
Reperformance
b) 1
b) 1 b) Inspection
Inspection
High
Rely
25
10
Reperformance
High
Independent
- From the accounting system, obtain a list of Non-standard journal entries (NS-JE) recorded in the period under review. (Note: if no list of NS-JE is available, obtain the full list of JE and filter the Non-standard ones by using the MIC definition and using the accounts name and/or transaction type / description)
- Randomly select NS-JE, and for each one:
  a) Verify the existence and accuracy of supporting documents (reperformance if needed).
  b) Ensure that the supporting documents properly tie with the journal entry.
  c) Ensure that the journal entry has been reviewed and formally approved as per the authority matrix.
  d) Ensure that the posted journal entry corresponds to the one approved.
25
10
Reperformance
High
Independent
- Obtain the Non-standard JEs summary list (monthly report prepared by Accounting Responsible).
- Ensure completeness of the list. (Based on the list of JEs extracted from the accounting system, identify by spot check the potential NS-JE and verify that they were all included in the approved summary list).
- Verify this report has been reviewed and formally approved (check sign-off and date).
- Obtain the closing checklist and the closing binder.
- Ensure that all controls listed in the closing checklist have been properly performed (tie out all the points included in the checklist vs. support documentation included in the closing binder).
- Reperform all month-end controls included in the closing binder.
- Ensure that the closing checklist and all binder documentation are reviewed and formally approved (i.e. tick marks ensuring completeness on it, signature of review, etc.).

In case local Ledger is different to IFRS one:
- Obtain the approved "Local GAAP and IFRS reconciliation".
- Obtain a copy of the final version of the Local GAAP Ledger.
- Obtain a copy of the final version of the IFRS Ledger (before adjustments).
- Reperform the reconciliation.
- Ensure that any differences identified have been investigated and resolved.
- Ensure reconciliation is reviewed and formally approved.

In case local Ledger is different to IFRS, for each month selected:
- Obtain the "IFRS adjustments calculation sheet" performed by the accounting team and the list of all the IFRS Adjustments recorded in the accounting system.
- Ensure all IFRS adjustments were properly calculated and recorded under IAS principles (i.e. IFRS reference included as a technical support).
- Verify the arithmetical accuracy of all IFRS adjustments.
- Ensure all IFRS adjustments were reviewed, formally approved and posted in the accounting system (IFRS Ledger).

- For each month selected, obtain the printed "Clean Promotion screen".
- Ensure this screen has the "Clean" status, as evidence of the correct transfer of information from local accounting system to consolidation system.
Inspection
High
Independent
Reperformance
High
Reperformance
Reperformance
Med.
Rely
Reperformance
Med.
Independent
Inspection
High
Rely
- From the consolidation system, obtain for the two months selected, all Manual Journal Entries (CM-JE only booked by Operations) in the period under review. For all of them:
  a) Verify the existence and accuracy of supporting documents (reperformance if needed).
  b) Ensure that the supporting documents properly tie with the journal entry.
  c) Ensure that the journal entry has been reviewed and formally approved as per the authority matrix.
  d) Ensure that the posted journal entry corresponds to the one approved.
- Obtain the approved Reporting Binder.
- Verify that Reporting Binder contains the final version of reporting packages (by tying total amounts in each reporting package vs. closing Trial Balance).
- Ensure that all points included in the Reporting checklist have been properly performed by the responsible.
- Ensure that each data item included in the reporting package disclosures is supported by underlying approved documentation. (Note that a clear link (for instance: tick marks) should be evidenced between the reporting package disclosure and the related supporting documents).
- Ensure binder documentation is reviewed and formally approved (i.e. tick marks ensuring completeness on it, signature of review, etc.).
- In order to verify that the monthly reporting package has been approved by HQ in the consolidation system, obtain "Promotion screen" and ensure that the level indicated is the highest.
- Obtain the list of all critical systems, platforms, applications and databases.
- For each critical system, platform, application and database, obtain and inspect the print copy of the catalogue and/or description of the testing environment.
- Ensure that the testing environment is separated logically and/or physically from the production environment, that it allows adequate stress, unit and end-to-end testing, that it reflects as much as possible the live environment (data in kind and quantity), and that it is available for sufficient testing time.
- Ensure that the print copy of the catalogue and/or description of the testing environment has been formally reviewed and approved by the CIO.
- In case there is no separate testing environment for a critical system, platform, application or database, ensure that there are specific adequate procedures and guidelines in place for testing (including details of mitigating factors and measures in place to prevent negative impact of testing) and that they have been formally reviewed and approved by the CIO.
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For each selected item, determine whether users and relevant stakeholders were informed of the change implementation.
Reperformance
Low
Rely
Reperformance
High
Independent
Inspection
Low
Rely
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the Logical Access Management Policy (or Security Policy).
- Determine whether the management of user accounts for joiners, job changes and job termination is part of the policy (for both employees and contractors, for local and remote access...).
- Ensure that the Logical Access Management Policy (or Security Policy) has been formally reviewed and approved by the CIO within the last 7 months.
- Obtain evidence that the Logical Access Management Policy (or Security Policy) has been formally communicated.
- Obtain and inspect the formal inventory of personal data and sensitive information.
- Ensure that security means are enabled to protect the integrity and privacy of these personal data and sensitive information.
- For the last quarter, ensure that the security set-up has been adequately and formally reviewed and approved by the CIO and the Legal or Regulatory Responsible.
- Obtain and inspect the backup policy to verify whether the backup terms are appropriate (all critical elements considered in scope and backup frequency requirements).
- Based on professional judgement, select the sample for the period under review.
- For each of the selected days, obtain and inspect the Backup journals to ensure that backups were run as per the backup policy (at least daily for data and weekly for configurations) for all critical systems, platforms, applications and databases.
- Ensure that the backups ran successfully to completion (or failure was explained and timely remediated).
- Ensure that the backup journals have been formally reviewed and approved by the Critical Systems IT Responsible(s).
- Obtain and inspect the Disaster Recovery Plan.
- Ensure that the DRP addresses the critical systems, platforms, applications and databases as a minimum requirement.
- Ensure that the DRP has been formally reviewed and approved by the CIO and GM within the last 7 months.
- Obtain and inspect the Disaster Recovery Plan.
- Obtain and inspect the DRP test results (if a real disaster occurs and leads to the deployment of the plans, then this is considered as the sample item).
- Verify that the DRP was tested within the last year.
- Ensure that the DRP test results have been formally reviewed and approved by the CIO and GM.
- Obtain and inspect the Incident and Problem Management Policy and Procedures.
- Ensure that it defines handling, analysis and resolution mechanisms of non-standard events (incidents), including escalation procedures, supplier involvement if appropriate and clear description of the process.
- Ensure that the Incident and Problem Management Policy and Procedures have been formally reviewed and approved by the CIO within the last 7 months.
- Obtain evidence that the Incident and Problem Management Policy and Procedures have been formally communicated.
- Obtain and inspect the Events and Incidents Journals for the period under review.
- Based on professional judgement, select a representative sample of significant IT events or incidents and failures for the period under review.
- For each of the selected events, incidents and failures, ensure that they have been formally reviewed and approved immediately by the Critical Systems IT Responsible(s).
- For each of the selected events, incidents and failures, ensure that it has been communicated and resolved in a timely manner.
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on professional judgement, select a 2-month sample for the period under review.
- For each of the selected months, obtain and inspect the Events and Incidents Journals.
- Ensure that all significant IT events or incidents and failures of the Events and Incidents Journals (including the resolution activities and status) have been formally communicated to the CIO and GM.
- Ensure that the Events and Incidents Journals have been formally reviewed and approved by the CIO and the GM.
- Obtain and inspect the document defining and listing authorized, tolerated and unauthorized software.
- Ensure that the list of authorized, tolerated and unauthorized software has been formally reviewed and approved by the CIO within the last 7 months.
- Ensure that the list of authorized, tolerated and unauthorized software has been formally communicated throughout the company.
- Obtain and inspect the document defining and listing authorized, tolerated and unauthorized software.
- Obtain and inspect the document which formalized the review of software installed and used.
- Ensure that the review addresses all the computers and machines (user PCs and servers).
- Ensure that any unauthorized software installed has been reported and reacted upon.
- Ensure that the review of software installed and used has been formally reviewed and approved by the Security Officer.
- Based on professional judgement, select the sample for the period under review.
- For each of the selected months, obtain and inspect the job scheduling checklists of all critical systems, platforms, applications and databases to determine whether they have been formally reviewed and approved by the CIO.
- Obtain and inspect the operating procedures.
- Ensure that all operation procedures have been documented, updated and formally reviewed and approved by the CIO within the last 7 months.
- Obtain and inspect the operating procedures.
- Ensure that the listing of all potential suspicious activities has been updated and formally reviewed and approved by the CIO and the Security Officer within the last 7 months.
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For each selected item, obtain the corresponding change request form.
- Determine whether the selected change was formally authorized by Business Owners, Stakeholders and the relevant Critical System IT Responsible before the change had been processed.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For each selected item, obtain the corresponding change request form.
- Determine whether the selected change was subject to an impact analysis (in particular regarding controls that may be impaired) reviewed by Business Owners, Stakeholders and the relevant Critical System IT Responsible.
- Ensure that appropriate actions were taken to modify or redesign these controls (if necessary) to retain their integrity.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For each selected item, obtain the corresponding change request form.
- Determine whether the selected change was subject to the formalization of a test plan, a roll-out plan and a roll-back plan.
- Ensure that the test plan, roll-out plan and roll-back plan had been formally reviewed and approved by the relevant Critical Systems IT Responsible and CIO prior to implementation of the change.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain the list of all interfaces between critical systems, platforms, applications and databases.
- For each interface, obtain the last testing results.
- Ensure the testing results are no more than 3 years old.
- Ensure that the test results confirm that data transmissions are complete, accurate and valid.
- Ensure that the interface test results have been formally reviewed and approved by the Critical Systems IT Responsible.
- Obtain the list of individual changes that occurred on existing interfaces during the period under review.
- Based on professional judgement, select a representative sample of changes to interfaces for the period under review.
- For each selected item, obtain the interface test results.
- Ensure that the test results confirm that data transmissions are complete, accurate and valid.
- Ensure that the interface test results have been formally reviewed and approved by the relevant Critical Systems IT Responsible.
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For each selected item, obtain the corresponding change request form including the test plan approved.
- Determine whether the test plan was followed for testing the change.
- Determine whether the test results were formally documented, reviewed and approved by Business Owners, Stakeholders and Critical Systems IT Responsible before the change had been implemented (live in the production environment).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
High
Independent
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For each selected item, obtain the corresponding change request form.
- Determine whether the change results were reviewed by the Business Owner showing approval of the change implemented.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
High
Independent
- Obtain the list of all changes to critical systems, platforms, applications and databases.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For selected changes, obtain and inspect the change requests and ensure that documentation impact assessment has been formalized.
- If updated, ensure that documentation has been reviewed formally by the Business Owners and CIO.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Reperformance
- Obtain the list of all critical systems, platforms, applications and databases.
- For each critical system, platform, application and database, obtain and inspect the list of available documentation and support service plan (including location) and ensure it is kept in the mentioned location.
- Ensure that it has been formally reviewed and approved by the Business Owners and CIO.
Inspection
Low
Reperformance
- Obtain the list of all end-user applications.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For selected changes, obtain and inspect the change requests and ensure that documentation impact assessment has been formalized.
- If updated, ensure that documentation has been reviewed formally by the Business Owners.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain the list of all end-user applications.
- For each end-user application, obtain and inspect the list of available documentation and support service plan (including location) and ensure it is kept in the mentioned location.
- Ensure that it has been formally reviewed and approved by the Business Owners.
- Obtain and inspect the list of emergency changes to systems, platforms, applications and databases (logs if any), especially emergency changes to critical ones.
- Based on professional judgement, select a representative sample of emergency changes for the period under review.
- For each selected item, obtain the corresponding emergency change form.
- Determine whether the selected emergency change was formally reviewed and authorized by the CIO and the GM.
- Obtain the list of all positions/functions in the company and the related job descriptions.
- Verify that each job description specifies the profiles/accesses to be allocated to the corresponding position/function.
- Obtain and inspect the matrix of profiles to determine whether all positions/functions have been considered.
- Verify whether the matrix of profiles is in line with all the job descriptions and roles in the organization.
- Ensure that it has been reviewed within the last 7 months.
- Ensure that it has been formally reviewed and approved by the Business Owners/Critical Systems Responsibles and Human Resources.
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
Med.
Reperformance
- Obtain and inspect the list of joiners, job changes and job terminations, for employees, contractors, vendors and non-client personnel.
- Based on professional judgement, select a representative sample of access request forms (provisioning and deprovisioning) for the period under review.
- For each selected item, determine whether selected forms were adequately prepared, reviewed and approved by the Head of Department and the Human Resources Responsible.
- Verify in the relevant systems, platforms, applications and databases that the access rights have been granted (in case of provisioning) or revoked (in case of deprovisioning) as per the details of the approved provisioning/deprovisioning form.
- Based on professional judgement, select the appropriate sample of months for the period under review.
- For each selected month, obtain the list of transfers and leavers from Human Resources Department.
- For each transfer and leaver of the list, obtain system evidence that the access rights have been updated accordingly (modified for transfers or revoked/suspended for leavers).
- For each selected month, ensure that the review of transfers and leavers has been formally reviewed and approved by the Human Resources Responsible and the Security Officer.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Med.
Rely
Med.
Rely
- Obtain and inspect the access rights review performed.
- Ensure that the scope of the access rights review is complete (i.e. at least all critical systems, platforms, applications and databases).
- For each critical system, platform, application and database, ensure that the effective access rights (system capture) are in line with employee's position and responsibilities in the company (job description) and that these are still aligned with need-to-have and segregation of duties principles.
- For each critical system, platform, application and database, ensure that all users have a unique user ID by which they can be identified (any exception to this rule must be well documented, rationalized and approved).
- For each critical system, platform, application and database, identify temporary accounts, generic accounts, applicative accounts and ensure that they are legitimate and adequately supported by documentation and explanations.
- Ensure that the access rights review has been reviewed and approved by each Critical Systems IT Responsible and the Security Officer.
High
Independent
- Obtain and inspect the access rights review related to the migration of new/modified systems, platforms, applications and databases.
- Ensure that the scope of the access rights review is complete (i.e. at least all critical systems, platforms, applications and databases).
- Based on effective access rights (system capture), determine which accounts are authorized to migrate new/modified systems, platforms, applications and databases into the production environment.
- Determine whether the job descriptions of the personnel able to migrate new/modified systems, platforms, applications and databases into the production environment specify such an authority for these positions/functions.
- Ensure that these personnel (authorized to migrate new/modified systems, platforms, applications and databases into the production environment) are not authorized to perform any development, in order to comply with Segregation of Duties principles.
- Ensure that the access rights review related to the migration of new/modified systems, platforms, applications and databases has been formally approved by the Security Officer and the CIO.
- Obtain and inspect the list of usernames (and corresponding persons) with privileged/powerful access rights to systems, platforms, applications and databases.
- Ensure that this list is in line with the access actually implemented in systems (system capture).
- Ensure that such privileged/powerful access rights are part of the job description of the persons using these usernames.
- Ensure that access to powerful operating system commands is limited to the appropriate IT users.
- Ensure that the list of usernames with privileged/powerful access rights to systems, platforms, applications and databases has been formally reviewed and approved by the Security Officer and the CIO.
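The access review steps above (leavers revoked, unique user IDs, no development rights for accounts that migrate to production, privileged list in line with the system capture) can be reperformed in one pass over a system capture. The following is an added example, not part of the original document; the role names, employee IDs, systems and all data are constructed assumptions.

```python
"""Access rights review over a system capture (constructed data throughout)."""
from collections import defaultdict

# Assumed role names; map them to the real entitlements of the system reviewed.
DEVELOP_ROLES = {"developer"}
MIGRATE_ROLES = {"prod_deployer"}
PRIVILEGED_ROLES = {"dba", "root", "prod_deployer"}

# Constructed system capture joined with the user register: one row per owner.
CAPTURE = [
    {"username": "asmith", "employee": "E1001", "system": "erp-app",
     "roles": {"developer", "prod_deployer"}, "enabled": True},
    {"username": "bjones", "employee": "E1002", "system": "billing-db",
     "roles": {"dba"}, "enabled": True},
    {"username": "cdoe", "employee": "E1003", "system": "erp-app",
     "roles": {"ap_clerk"}, "enabled": True},
    {"username": "opsadmin", "employee": "E1004", "system": "billing-db",
     "roles": {"root"}, "enabled": True},
    {"username": "opsadmin", "employee": "E1005", "system": "billing-db",
     "roles": {"root"}, "enabled": True},
    {"username": "fgray", "employee": "E1006", "system": "erp-app",
     "roles": {"gl_accountant"}, "enabled": False},
]

# Constructed HR leavers list and approved privileged-access list.
LEAVERS = {"E1003", "E1006"}
APPROVED_PRIVILEGED = {("billing-db", "bjones"), ("billing-db", "svc_backup")}


def review(capture, leavers, approved_privileged):
    """Return sorted (finding, system, username) tuples."""
    findings = set()
    owners = defaultdict(set)   # (system, username) -> employees using it
    seen = set()
    for row in capture:
        key = (row["system"], row["username"])
        seen.add(key)
        owners[key].add(row["employee"])
        if not row["enabled"]:
            continue            # revoked/suspended accounts raise no finding
        roles = row["roles"]
        if row["employee"] in leavers:
            findings.add(("LEAVER_ACTIVE",) + key)
        if roles & DEVELOP_ROLES and roles & MIGRATE_ROLES:
            findings.add(("SOD_CONFLICT",) + key)
        if roles & PRIVILEGED_ROLES and key not in approved_privileged:
            findings.add(("PRIV_NOT_APPROVED",) + key)
    for key, people in owners.items():
        if len(people) > 1:     # one user ID shared by several persons
            findings.add(("SHARED_ID",) + key)
    for key in approved_privileged - seen:
        # Approved list and implemented access disagree in the other direction.
        findings.add(("APPROVED_NOT_IN_CAPTURE",) + key)
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(CAPTURE, LEAVERS, APPROVED_PRIVILEGED):
        print(*finding, sep="\t")
```

Each finding is an exception to investigate against supporting documentation, not a conclusion: a shared or generic ID may be legitimate when it is documented, rationalized and approved.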
High
Reperformance
High
Reperformance
- Obtain the updated list of end-user computing tools.
- For each end-user computing tool (such as spreadsheets and other end-user programs), obtain the user access rights related to it (e.g. access rights to the directory/folder where it is stored and used from the system capture).
- Ensure that the list of user access rights to end-user computing tools has been formally reviewed and approved by the Head of Department and Business Owners.
Med.
Reperformance
- Based on professional judgement, select the appropriate sample for the period under review.
- For each selected month, obtain the reviewed list of vendor/contractor accounts and the related access rights (system capture).
- Ensure that the scope of the list is complete (i.e. at least all critical systems, platforms, applications and databases).
- Obtain the access request forms related to each vendor/contractor.
- Verify whether each vendor/contractor access is limited in terms of access rights granted and time of activity defined in the access request form.
- Verify whether each existing vendor/contractor account is legitimate vs. the provisioning and deprovisioning dates defined in the access request form.
- Ensure that the list of vendor/contractor accounts and the related access rights has been formally reviewed and approved by the Human Resources Responsible, Security Officer and Critical Systems IT Responsible(s).
- Based on professional judgement, select the appropriate sample for the period under review.
- For each selected month, obtain the list of user accounts with remote access capability granted to vendors, contractors and employees (system capture).
- Ensure that the scope of the list is complete (i.e. at least all critical systems, platforms, applications and databases).
- Obtain the remote connection request forms related to the vendors, contractors and employees who have remote connection capabilities.
- Ensure that remote connection is appropriately limited in terms of time window of activity (e.g. no 24h/7d activation) in line with the need-to-have.
- Ensure that only vendors, contractors and employees that currently need to access Tigo infrastructure remotely can actually connect remotely.
- Ensure that the list of user accounts with remote access capability granted to vendors, contractors and employees has been formally reviewed and approved by the Human Resources Responsible, Security Officer and CIO.
- Obtain the logs of remote connections for each critical system, platform, application and database.
- Based on professional judgement, select a representative sample of remote accesses to these for the period under review.
- For each selected item, ensure that the activities were adequately supported by a remote connection request form and the description of activities planned.
- Ensure that the logs of activities from remote connections vs. planned activities have been formally reviewed and approved by the Critical System IT responsible.
Med.
Rely
Med.
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- Based on professional judgement, select the appropriate sample for the period under review. - For each selected month, obtain the reports on remote connections to critical systems, platforms, applications and databases. - Ensure that the reports contain details (and description of activities) related to all approved remote connection request forms. - Ensure that the reports have been formally reviewed and approved by the Security Officer and the CIO. - Obtain and inspect the security setup review for critical protected areas. - Ensure that critical password files, authorization tables, communications software, encryption keys and critical installation programs are stored in logically protected areas or otherwise protected from read-and-write access. - Ensure that the security setup documentation has been formally reviewed and approved by the Security Officer and the CIO and access to critical protected areas is granted to authorized users only.
Inspection
Med.
Reperformance
Inspection
High
Rely
For each critical system, platform, application and database, obtain the password complexity rules and ensure that password controls are in effect and consider minimum security rules (where technically feasible): - Minimum password length of 8 characters, - Password complex composition is enforced: password must be composed of alpha-numeric characters at least (characters and digits). Additional complexity can be implemented (e.g. not words in dictionary, use of symbols), - Passwords are forced to be changed every 90 days at least (passwords of administrator accounts can have a one year validity), - Unsuccessful login attempts must be logged and reviewed. Complementary security practices can also be considered: - Initial log-on uses a one-time password, - History of the last 6 passwords cannot be used for password renewal, - 5 unsuccessful log-on attempts allowed before lockout (where business continuity is not impacted), - Idle session timeout after 10 minutes. Ensure that the review of password controls has been performed within the last 7 months and has been formally approved by the Security Officer and the CIO.
Inspection
Med.
Reperformance
- Obtain and inspect the policy defining retention periods, backup and storage terms of information. - Ensure that it defines backup terms (frequency, media, etc.), storage terms (on-site, off-site, access, etc.) and retention periods for information from critical systems, platforms, applications and databases (both data and parameters/configurations), as well as any information considered as sensitive in the company's data/information classification. - Ensure that the retention periods, backup and storage terms have been formally reviewed and approved by the CIO and the Legal or Regulatory Responsible within the last 7 months. - Based on professional judgement, select the sample for the period under review. - For each of the selected months, obtain and inspect the backup journals covering all days of the month to determine whether they have been formally reviewed and approved by the CIO. - Obtain and inspect the restore journals for the last 7 months. - Determine whether restore tests occurred for information from all critical systems, platforms, applications and databases (both data and parameters/configurations), as well as for any information considered as sensitive in the company's data/information classification. - Ensure that the restore tests were successful. - Ensure that the backup restoration journal and the corresponding restoration results have been formally reviewed and approved by the Critical Systems IT Responsible(s) and the CIO. - Obtain and inspect the list of authorized individuals allowed to access the backup media. - Determine whether access to backup media is commensurate with the function and/or profile of the authorized individuals. - Ensure that only formally authorized individuals can access the backup media (both on-site and off-site). - Ensure that the review of accesses to backups vs. the authorizations has been formally reviewed and approved by the CIO for the last quarter.
Inspection
Low
Rely
Inspection
High
Independent
Inspection
Med.
Reperformance
Inspection
Med.
Rely
- Based on professional judgment, select the sample for the period under review. - For each of the selected weeks, and for each critical system, platform, application, database and Firewall, obtain the logs of unauthorized activities. - For each unauthorized activity, ensure that it has been documented and reacted upon in an appropriate manner. - For each unauthorized activity, ensure that it has been formally reviewed and approved by the Critical Systems IT Responsible(s) and the Security Officer. - Based on professional judgement, select a 2 month sample for the period under review. - For each of the selected months, obtain and inspect the logs of unauthorized activities for network activity and for all critical platforms, systems, applications and databases. - Ensure that all unauthorized activities from the logs (including the actions taken) have been formally communicated to the CIO and GM. - Ensure that the monthly reports on unauthorized activities have been formally reviewed and approved by the CIO and the GM.
Inspection
High
Reperformance
Inspection
High
Reperformance
- Obtain and inspect the batch jobs schedules for each critical system, platform, application and database. - Based on professional judgement, select the sample for the period under review. - For each of the selected days, obtain and inspect the job scheduling checklists to ensure that batch jobs ran as per the job schedules for all critical systems, platforms, applications and databases. - Ensure that the batch jobs ran successfully to completion (or failure was explained and timely remediated). - Ensure that the job scheduling checklists and related results have been formally reviewed and approved by the Critical Systems IT Responsible(s).
25
10
Inspection
Med.
Rely
- Obtain the list of all critical systems, platforms, applications and databases. - For each critical system, platform, application and database, obtain and inspect the print copy of the catalogue and/or description of the testing environment. - Ensure that the testing environment is separated logically and/or physically from the production environment, that it allows adequate stress, unit and end-to-end testing, that it reflects as much as possible the live environment (data in kind and quantity), and that it is available for sufficient testing time. - Ensure that the print copy of the catalogue and/or description of the testing environment has been formally reviewed and approved by the CTO. - In case there is no separate testing environment for a critical system, platform, application or database, ensure that there are specific adequate procedures and guidelines in place for testing (including details of mitigating factors and measures in place to prevent negative impact of testing) and that they have been formally reviewed and approved by the CTO. - Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, determine whether users and relevant stakeholders were informed of the change implementation.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the Logical Access Management Policy (or Security Policy). - Determine whether the management of user accounts for joiners, job changes and job termination is part of the policy (for both employees and contractors, for local and remote access...). - Ensure that the Logical Access Management Policy (or Security Policy) has been formally reviewed and approved by the CTO within the last 7 months. - Obtain evidence that the Logical Access Management Policy (or Security Policy) has been formally communicated. - Obtain and inspect the backup policy to verify whether the backup terms are appropriate (all critical elements considered in scope and backup frequency requirements). - Based on professional judgement, select the sample for the period under review. - For each of the selected days, obtain and inspect the Backup journals to ensure that backups were run as per the backup policy (at least daily for data and weekly for configurations) for all critical systems, platforms, applications and databases. - Ensure that the backups ran successfully to completion (or failure was explained and timely remediated). - Ensure that the backup journals have been formally reviewed and approved by the Critical Systems Technical Responsible(s). - Obtain and inspect the Disaster Recovery Plan. - Ensure that the DRP addresses the critical systems, platforms, applications and databases as a minimum requirement. Ensure that the DRP has been formally reviewed and approved by the CTO and GM within the last 7 months. - Obtain and inspect the Disaster Recovery Plan. - Obtain and inspect the DRP test results (if a real disaster occurs and leads to the deployment of the plans, then this is considered as the sample item). - Verify that the DRP was tested within the last year. - Ensure that the DRP test results have been formally reviewed and approved by the CTO and GM. - Obtain and inspect the Incident and Problem Management Policy and Procedures. 
- Ensure that it defines handling, analysis and resolution mechanisms of non-standard events (incidents), including escalation procedures, supplier involvement if appropriate and clear description of the process. - Ensure that the Incident and Problem Management Policy and Procedures have been formally reviewed and approved by the CTO within the last 7 months. - Obtain evidence that the Incident and Problem Management Policy and Procedures have been formally communicated. - Obtain and inspect the Events and Incidents Journals for the period under review. - Based on professional judgement, select a representative sample of significant technical events or incidents and failures for the period under review. - For each of the selected events, incidents and failures, ensure that they have been formally reviewed and approved immediately by the Critical Systems Technical Responsible(s). - For each of the selected events, incidents and failures, ensure that it has been communicated and resolved in a timely manner. - Based on professional judgement, select the sample for the period under review. - For each of the selected months, obtain and inspect the Events and Incidents Journals. - Ensure that all significant technical events or incidents and failures of the Events and Incidents Journals (including the resolution activities and status) have been formally communicated to the CTO and GM. - Ensure that the Events and Incidents Journals have been formally reviewed and approved by the CTO and the GM. - Obtain and inspect the operating procedures. - Ensure that all operating procedures have been documented, updated and formally reviewed and approved by the CTO within the last 7 months. - Obtain and inspect the operating procedures. - Ensure that the listing of all potential suspicious activities has been updated and formally reviewed and approved by the CTO and the Security Officer within the last 7 months.
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the selected change was formally authorized by Business Owners, Stakeholders and the relevant Critical System Technical Responsible before the change had been processed.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the selected change was subject to an impact analysis (in particular regarding controls that may be impaired). - Ensure that appropriate actions were taken to modify or redesign these controls (if necessary) to retain their integrity
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the selected change was subject to the formalization of a test plan, a roll-out plan and a roll-back plan. - Ensure that the test plan, roll-out plan and roll-back plan had been formally reviewed and approved prior to implementation of the change.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Reperformance
- Obtain the list of all interfaces between critical systems, platforms, applications and databases. - For each interface, obtain the last testing results. - Ensure the testing results are no more than 3 years old. - Ensure that the test results confirm that data transmissions are complete, accurate and valid. - Ensure that the interface test results have been formally reviewed and approved by the Critical Systems Technical Responsible. - Obtain the list of individual changes that occurred on existing interfaces during the period under review. - Based on professional judgement, select a representative sample of changes to interfaces for the period under review. - For each selected item, obtain the interface test results. - Ensure that the test results confirm that data transmissions are complete, accurate and valid. - Ensure that the interface test results have been formally reviewed and approved by the Critical Systems Technical Responsible. - Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form including the test plan approved. - Determine whether the test plan was followed for testing the change. - Determine whether the test results were formally documented, reviewed and approved by Business Owners, Stakeholders and Critical Systems Technical Responsible before the change had been implemented (live in the production environment).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
High
Reperformance
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the change results were reviewed by the Business Owner showing approval of the change implemented.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
High
Independent
- Obtain the list of all changes to critical systems, platforms, applications and databases. - Based on professional judgement, select a representative sample of changes for the period under review. - For selected changes, obtain and inspect the change requests and ensure that documentation impact assessment has been formalized. - If updated, ensure that documentation has been reviewed formally by the Business Owners and CIO.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain the list of all critical systems, platforms, applications and databases. - For each critical system, platform, application and database, obtain and inspect the list of available documentation and support service plan (including location) and ensure it is kept in the mentioned location. - Ensure that it has been formally reviewed and approved by the Business Owners and CTO.
Inspection
Low
Rely
- Obtain and inspect the list of emergency changes to systems, platforms, applications and databases (logs if any), especially emergency changes to critical ones. - Based on professional judgement, select a representative sample of emergency changes for the period under review. - For each selected item, obtain the corresponding emergency change form. - Determine whether the selected emergency change was formally reviewed and authorized by the CTO and the GM. - Obtain and inspect the list of joiners, job changes and job terminations, for employees, contractors, vendors and non-client personnel. - Based on professional judgement, select a representative sample of access request forms (provisioning and deprovisioning) for the period under review. - For each selected item, determine whether selected forms were adequately prepared, reviewed and approved by the Head of Department and the Human Resources Responsible. - Verify in the relevant systems, platforms, applications and databases that the access rights have been granted (in case of provisioning) or revoked (in case of deprovisioning) as per the details of the approved provisioning/deprovisioning form. - Obtain and inspect the access rights review performed. - Ensure that the scope of the access rights review is complete (i.e. at least all critical systems, platforms, applications and databases). - For each critical system, platform, application and database, ensure that the effective access rights (system capture) are in line with employee's position and responsibilities in the company (job description) and that these are still aligned with need-to-have and segregation of duties principles. - For each critical system, platform, application and database, ensure that all users have a unique user ID by which they can be identified (any exception to this rule must be well documented, rationalized and approved). 
- For each critical system, platform, application and database, identify temporary accounts, generic accounts, applicative accounts and ensure that they are legitimate and adequately supported by documentation and explanations. - Ensure that the access rights review has been reviewed and approved by each Critical Systems Technical Responsible and the Security Officer. - Obtain and inspect the list of usernames (and corresponding persons) with privileged/powerful access rights to systems, platforms, applications and databases. - Ensure that this list is in line with the access actually implemented in systems (system capture). - Ensure that such privileged/powerful access rights are part of the job description of the persons using these usernames. - Ensure that access to powerful operating system commands is limited to the appropriate technical users. - Ensure that the list of usernames with privileged/powerful access rights to systems, platforms, applications and databases has been formally reviewed and approved by the Security Officer and the CTO.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Med.
Reperformance
High
Independent
High
Independent
- Based on professional judgement, select the sample for the period under review. - For each selected month, obtain the reviewed list of vendor/contractor accounts and the related access rights (system capture). - Ensure that the scope of the list is complete (i.e. at least all critical systems, platforms, applications and databases). - Obtain the access request forms related to each vendor/contractor. - Verify whether each vendor/contractor access is limited in terms of access rights granted and time of activity defined in the access request form. - Verify whether each existing vendor/contractor account is legitimate vs. the provisioning and deprovisioning dates defined in the access request form. - Ensure that the list of vendor/contractor accounts and the related access rights has been formally reviewed and approved by the Human Resources Responsible, Security Officer and Critical Systems Technical Responsible(s). - Based on professional judgement, select the sample for the period under review. - For each selected month, obtain the list of user accounts with remote access capability granted to vendors, contractors and employees (system capture). - Ensure that the scope of the list is complete (i.e. at least all critical systems, platforms, applications and databases). - Obtain the remote connection request forms related to the vendors, contractors and employees who have remote connection capabilities. - Ensure that remote connection is appropriately limited in terms of time window of activity (e.g. no 24h/7d activation) in line with the need-to-have. - Ensure that only vendors, contractors and employees that currently need to access Tigo infrastructure remotely can actually connect remotely. - Ensure that the list of user accounts with remote access capability granted to vendors, contractors and employees has been formally reviewed and approved by the Human Resources Responsible, Security Officer and CTO. 
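The vendor/contractor account and remote access tests above can be reperformed by joining the system capture to the access request forms. This is an added example, not part of the original work program; the field names, account names and sample rows are constructed assumptions.

```python
from datetime import date

# Constructed access request forms, keyed by account. "remote_window" is the
# approved daily window as (start_hour, end_hour), or None if remote access
# was not requested on the form.
REQUEST_FORMS = {
    "vnd-acme-01": {"rights": {"billing:read"}, "provision": date(2024, 1, 15),
                    "deprovision": date(2024, 6, 30), "remote_window": (8, 18)},
    "vnd-netco-02": {"rights": {"switch:read", "switch:config"},
                     "provision": date(2024, 3, 1),
                     "deprovision": date(2024, 12, 31), "remote_window": (0, 24)},
    "vnd-acme-04": {"rights": {"billing:read"}, "provision": date(2023, 1, 1),
                    "deprovision": date(2023, 12, 31), "remote_window": None},
}

# Constructed system capture: one row per account per system.
SYSTEM_CAPTURE = [
    {"account": "vnd-acme-01", "system": "billing", "enabled": True,
     "rights": {"billing:read", "billing:write"}, "remote": True},
    {"account": "vnd-netco-02", "system": "switch", "enabled": True,
     "rights": {"switch:read"}, "remote": True},
    {"account": "vnd-old-03", "system": "billing", "enabled": True,
     "rights": {"billing:read"}, "remote": False},
    {"account": "vnd-acme-04", "system": "billing", "enabled": False,
     "rights": {"billing:read"}, "remote": False},
]

CRITICAL_SYSTEMS = {"billing", "switch", "mediation"}  # constructed scope list


def missing_systems(capture, critical_systems):
    """Scope completeness: critical systems with no rows in the capture.

    An empty extract is not evidence that a system has no vendor accounts,
    so every gap is returned for follow-up.
    """
    return sorted(critical_systems - {row["system"] for row in capture})


def review_vendor_accounts(capture, forms, capture_date):
    """Return (account, finding) pairs for enabled accounts that deviate
    from their access request form as of the capture date."""
    findings = []
    for row in capture:
        acct = row["account"]
        if not row["enabled"]:
            continue  # disabled accounts cannot be used; nothing to test
        form = forms.get(acct)
        if form is None:
            findings.append((acct, "no access request form"))
            continue
        if not form["provision"] <= capture_date <= form["deprovision"]:
            findings.append((acct, "enabled outside approved dates"))
        extra = row["rights"] - form["rights"]
        if extra:
            findings.append((acct, "rights beyond form: " + ", ".join(sorted(extra))))
        if row["remote"]:
            window = form.get("remote_window")
            if window is None:
                findings.append((acct, "remote access not requested on form"))
            elif window[1] - window[0] >= 24:
                findings.append((acct, "remote access not time-limited"))
    return findings


if __name__ == "__main__":
    print(missing_systems(SYSTEM_CAPTURE, CRITICAL_SYSTEMS))
    for finding in review_vendor_accounts(SYSTEM_CAPTURE, REQUEST_FORMS, date(2024, 7, 31)):
        print(finding)
```
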
- Obtain the logs of remote connections for each critical system, platform, application and database. - Based on professional judgement, select a representative sample of remote accesses to these for the period under review. - For each selected item, ensure that the activities were adequately supported by a remote connection request form and the description of activities planned. - Ensure that the logs of activities from remote connections vs. planned activities have been formally reviewed and approved by the Critical System Technical Responsible. - Ensure that the logs of connections/disconnections to the VPN platforms have been formally reviewed and approved by the Critical System IT Responsible. - Based on professional judgement, select the sample for the period under review. - For each selected month, obtain the reports on remote connections/disconnections to critical systems, platforms, applications and databases, and ensure that they have been formally reviewed and approved by the Security Officer and the CIO. - Ensure that the reports contain details (and description of activities) related to all approved remote connection request forms, and ensure they have been formally reviewed and approved by the Security Officer and the CTO. For each critical system, platform, application and database, obtain the password complexity rules and ensure that password controls are in effect and consider minimum security rules (where technically feasible): - Minimum password length of 8 characters, - Password complex composition is enforced: password must be composed of alpha-numeric characters at least (characters and digits). Additional complexity can be implemented (e.g. not words in dictionary, use of symbols), - Passwords are forced to be changed every 90 days at least (passwords of administrator accounts can have a one year validity), - Unsuccessful login attempts must be logged and reviewed. 
Complementary security practices can also be considered: - Initial log-on uses a one-time password, - History of the last 6 passwords cannot be used for password renewal, - 5 unsuccessful log-on attempts allowed before lockout (where business continuity is not impacted), - Idle session timeout after 10 minutes. Ensure that the review of password controls has been performed within the last 7 months and has been formally approved by the Security Officer and the CTO.
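The password-control test above (and the same test in the earlier row, which names the CIO as approver) can be reperformed against exported policy settings. This is an added example, not part of the original work program; the setting names, system names and the waiver mechanism for "where technically feasible" are assumptions, and the sample captures are constructed.

```python
import calendar
from datetime import date


def _int_between(lo, hi):
    # type() check keeps True/False from passing as 1/0
    return lambda v: type(v) is int and lo <= v <= hi


def _is_true(v):
    return v is True


# Thresholds come from the procedure text. The lower bound of 1 is an
# assumption: many platforms use 0 for "never expires" or "never lock out".
MINIMUM_RULES = [
    ("min_length", "minimum length of 8 characters", _int_between(8, float("inf"))),
    ("requires_letters", "letters required", _is_true),
    ("requires_digits", "digits required", _is_true),
    ("max_age_days", "change forced every 90 days at least", _int_between(1, 90)),
    ("admin_max_age_days", "administrator validity of one year", _int_between(1, 365)),
    ("failed_logins_logged", "unsuccessful logins logged", _is_true),
    ("failed_logins_reviewed", "unsuccessful logins reviewed", _is_true),
]
COMPLEMENTARY_RULES = [
    ("first_logon_otp", "initial log-on uses a one-time password", _is_true),
    ("history_size", "last 6 passwords not reusable", _int_between(6, float("inf"))),
    ("lockout_threshold", "lockout after 5 failed attempts", _int_between(1, 5)),
    ("idle_timeout_minutes", "idle timeout after 10 minutes", _int_between(1, 10)),
]

# Constructed sample captures (hypothetical systems and key names).
SAMPLE_CAPTURES = {
    "billing-db": {"min_length": 8, "requires_letters": True, "requires_digits": True,
                   "max_age_days": 90, "admin_max_age_days": 365,
                   "failed_logins_logged": True, "failed_logins_reviewed": True,
                   "first_logon_otp": True, "history_size": 6,
                   "lockout_threshold": 5, "idle_timeout_minutes": 10},
    "legacy-switch": {"min_length": 6, "requires_letters": True, "requires_digits": False,
                      "max_age_days": 0, "admin_max_age_days": 365,
                      "failed_logins_logged": True,  # review evidence missing
                      "history_size": 3, "lockout_threshold": 0,
                      "idle_timeout_minutes": 30},
}


def evaluate(capture, waivers=None):
    """Classify one capture: minimum-rule failures are exceptions, documented
    infeasibility is a waiver, complementary gaps are observations."""
    waivers = waivers or {}
    result = {"exceptions": [], "waived": [], "observations": []}
    for key, label, ok in MINIMUM_RULES:
        if key in waivers:
            result["waived"].append((key, waivers[key]))
        elif key not in capture:
            # A setting absent from the capture is not evidence of compliance.
            result["exceptions"].append((key, "not evidenced in capture"))
        elif not ok(capture[key]):
            result["exceptions"].append((key, f"{label}: found {capture[key]!r}"))
    for key, label, ok in COMPLEMENTARY_RULES:
        if key not in capture or not ok(capture[key]):
            result["observations"].append((key, f"{label}: found {capture.get(key)!r}"))
    return result


def months_back(d, months):
    """Date `months` calendar months before d, clamped to the month's last day."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) - months, 12)
    month = month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def review_is_current(review_date, approvers, as_of,
                      required=("Security Officer", "CTO")):
    """True if the review falls within the last 7 months and every required
    approver signed. Pass required=("Security Officer", "CIO") for the earlier row."""
    if review_date is None or any(r not in approvers for r in required):
        return False
    return months_back(as_of, 7) <= review_date <= as_of


if __name__ == "__main__":
    for system, capture in SAMPLE_CAPTURES.items():
        print(system, evaluate(capture))
```
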
Med.
Rely
Med.
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Independent
Inspection
Med.
Reperformance
Inspection
Med.
Reperformance
- Obtain and inspect the policy defining retention periods, backup and storage terms of information. - Ensure that it defines backup terms (frequency, media, etc.), storage terms (on-site, off-site, access, etc.) and retention periods for information from critical systems, platforms, applications and databases (both data and parameters/configurations), as well as any information considered as sensitive in the company's data/information classification. - Ensure that the retention periods, backup and storage terms have been formally reviewed and approved by the CTO and the Legal or Regulatory Responsible within the last 7 months. - Based on professional judgement, select the sample for the period under review. - For each of the selected months, obtain and inspect the backup journals covering all days of the month to determine whether they have been formally reviewed and approved by the CTO. - Obtain and inspect the restore journals for the last 7 months. - Determine whether restore tests occurred for information from all critical systems, platforms, applications and databases (both data and parameters/configurations), as well as for any information considered as sensitive in the company's data/information classification. - Ensure that the restore tests were successful. - Ensure that the backup restoration journal and the corresponding restoration results have been formally reviewed and approved by the Critical Systems Technical Responsible(s) and the CTO. - Obtain and inspect the list of authorized individuals allowed to access the backup media. - Determine whether access to backup media is commensurate with the function and/or profile of the authorized individuals. - Ensure that only formally authorized individuals can access the backup media (both on-site and off-site). - Ensure that the review of accesses to backups vs. the authorizations has been formally reviewed and approved by the CTO for the last quarter. 
- Based on professional judgment, select the sample for the period under review. - For each of the selected weeks, and for each critical system, platform, application and database, obtain the logs of unauthorized activities (including both successful and unsuccessful unauthorized attempts to connect to the network or to systems, platforms, applications and databases). - For each unauthorized activity, ensure that it has been documented and reacted upon in an appropriate manner. - For each unauthorized activity, ensure that it has been formally reviewed and approved by the Critical Systems Technical Responsible(s) and the Security Officer. - Based on professional judgement, select the sample for the period under review. - For each of the selected months, obtain and inspect the logs of unauthorized activities for network activity and for all critical platforms, systems, applications and databases. - Ensure that all unauthorized activities from the logs (including the actions taken) have been formally communicated to the CTO and GM. - Ensure that the monthly reports on unauthorized activities have been formally reviewed and approved by the CTO and the GM. - Obtain the list of new or revised interconnect agreements during the period under review. - For the sample selected, ensure they are signed by GM as per MIC Policy.
Inspection
Low
Rely
Inspection
High
Rely
Inspection
Med.
Reperformance
Inspection
Med.
Rely
Inspection
High
Reperformance
Inspection
High
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/Technical documentation:
- Obtain and inspect the query used to generate alarms/exception report for the changes on all Switches and/or Interconnect billing system.
b) Changes review:
- Randomly select the appropriate sample of daily reports summarizing any provisioning changes to the settings of all Switches and/or interconnect billing system (i.e. destinations etc).
- Ensure reports are reviewed and approved by the Billing Manager
25
10
Inspection
non-key
Walkthrough
a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
b) EDRs rejection reports:
- Based on a professional judgment, select the appropriate sample of daily rejection reports during the period under review.
- For each report selected, ensure that the source of the rejection is identified (if possible) and the problem is resolved in order to prevent the event from happening in the future.
- Ensure that rejected EDRs are recuperated if possible and obtain resolution evidence or confirmation of the resolution.
- Ensure reports are reviewed by the Billing Staff.

a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
- Ensure all Switches are included in the reconciliation.
- In case of filtration rules defined based on Trunk Groups on Mediation Device, ensure it is included in the design of the exception report.
b) Trunk Group / Reference data Reconciliation:
- Based on a professional judgment, select 2 months reconciliation from the period under review.
- Obtain reconciliation report of Trunk groups and gateway transit /reference data set ups in the Interconnect Billing system with the respective set up and reference data in the Switching platform.
- Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible))
- Obtain documentation related to reconciliation differences identified and assess relevancy of differences explained.
- Ensure reconciliation reports are signed-off on time by the Billing Manager.

- Based on a professional judgment, select the appropriate sample of months (including all invoices from the sample period) from the period under review.
- For selected invoices, obtain and review the delivery notes to ensure all Interconnect invoices were sent out to partners.
- Ensure that in case of delivery failure, corrective actions are taken and documented.
- Ensure the check list consolidating the dispatch of all Interconnect invoices of the month is reviewed and signed-off on time by the CFO-2.

- Based on a professional judgment, select the sample from the period under review.
- Obtain reports containing rejected EDRs which could not be corrected.
- Review adequate reasoning on rejected CDRs which could not be processed.
- Ensure selected reports are reviewed and signed-off by Billing manager, Local Revenue Assurance Manager and CFO.

a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
- Obtain and review the SQL query used to perform the reconciliation.
b) Mediation Output Vs Billing Input Vs Billing Output reconciliation reports:
- Based on a professional judgment, select the appropriate sample of daily reports for reconciling Mediation output versus Interconnect Billing Input and Output.
- Ensure that the reconciliation is done in terms of number of EDRs and in Minutes.
- Ensure all discrepancies are investigated and explained.
- Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible)
- Ensure reconciliation reports are signed-off on daily basis by the Billing Manager.
Note: In case of filtering at the interconnect Billing System Input, ensure that the number of rejected EDRs and corresponding Minutes is clearly described in the reconciliation documentation.

- Based on a professional judgment, select the appropriate sample of months (including all invoices from the sample period) from the period under review.
- For selected months, obtain and review the interconnect revenue invoice for all Interconnect partners.
- Ensure the validation is done in terms of the monetary values, minutes and events.
- Ensure the invoices are reviewed against the MOU statement from Billing system.
- Ensure that all discrepancies are investigated and explained (if any).
- Ensure the check list consolidating all Interconnect invoices validation for the month is reviewed and signed-off on time by the CFO-1.
25
10
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
10
Inspection
Med.
Rely
25
Reperformance
Low
Reperformance
Inspection
Med.
Rely
- Based on a professional judgment, select the appropriate sample of months (including all invoices from the sample period) from the period under review.
- For selected months, obtain and review reconciliation of usage reports with other operators (with the registered traffic sent to them).
- Ensure the reconciliation is performed in terms of EDRs number, Minutes and value.
- Ensure that if the figures deviate from a preset tolerance limit (threshold defined based on a regulation or a formalized agreement), a detailed analysis is performed (exchange of EDRs may be necessary in this case).
- Ensure identified deviations for all Interconnect Partners are analyzed and signed-off on time by the Billing Manager.

- Based on a professional judgment, select the appropriate sample of months (including all invoices from the sample period) from the period under review.
- Ensure that payable invoices are validated by the Interconnect Manager against the reconciliation of Usage Reports done in SC9.

- Based on a professional judgment, select the appropriate sample of months (including all invoices from the sample period) from the period under review.
- Obtain all Interconnect invoices or the checklist (with all supporting invoices) and ensure they are signed-off by the GM and Interconnect Manager.
- Ensure they have been approved by the GM and Interconnect Manager before payment.

- Based on a professional judgment, select the appropriate sample of months from the period under review.
- For selected months obtain all Journal Vouchers related to Interconnect costs and revenues.
- Trace back the relevant bookings with invoices received and dispatched. For accruals, check against the Billing system traffic report.
- Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible))
- Ensure the CFO-1 has reviewed and validated journal entries before posting.
- Based on a professional judgment, select the appropriate sample of months from the period under review.
- For each selected month, obtain the signed reconciliation report of interconnect revenue & cost booked in the accounting system with the revenue/cost from the interconnect billing system & the invoices sent out/received.
- Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible))
- Obtain documentation related to reconciliation differences identified and assess relevancy of the explanations of differences
- Ensure the reconciliation report is signed on time by the CFO
Inspection
High
Independent
Inspection
High
Independent
Inspection
Low
Rely
Reperformance
Low
Rely
Reperformance
Low
Rely
- Randomly select the appropriate sample of months from the period under review.
- For selected months, obtain and inspect the netting validation report containing all Interconnect Partners.
- Ensure the netting report is signed on time by the CFO-1.

- Obtain the list of new or revised roaming agreements during the period under review.
- For the sample selected, ensure they are signed by GM as per MIC Policy
Inspection
Med.
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this functionality
b) Changes review:
- Obtain the system log from Switch and Billing System (Service Ticketing System in case of TAP OUT generation done by Mach) in order to select the daily samples when changes occurred during the period under review
- Ensure reports are reviewed and approved by the Category Manager.
- In case of changes identified through the sample selected, ensure that adequate supporting documentation and approval is attached as part of the review.
- Assess that for all opened items, corrective action is taken.

- Select randomly the daily outbound roaming high usage reports.
- Obtain the selected daily reports (including FDR and ER if NRTRDE is implemented).
- Ensure each HUR, FDR and ER report is reviewed and that the analysis and actions taken are formalized.
- Ensure that outbound roaming HUR are reviewed on time by both Credit & Collection Manager -1 and Billing Manager -1
- Ensure adequate documentation/formalization is done for the review.
25
10
Reperformance
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this functionality
- Review the script to validate the criteria set as per Business requirements
b) IMSI validation review:
- Based on a professional judgement, select the daily samples during the period under review.
- Ensure that the reconciliation is performed, reviewed and signed-off by the Billing Manager -1 and that all differences are investigated and documented.

a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this functionality
b) Reports review:
- Randomly select the daily logs on the successful / failed TAP IN file uploads and conversions during the period under review.
- Ensure TAP IN files were successfully uploaded. In case of failure, ensure it is investigated, corrected and uploaded successfully.
- Review the adequacy of documentation for ensuring all TAP IN files are uploaded.
- Ensure that the reports are reviewed and signed-off on time by the Billing Manager-1
25
10
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
b) EDRs rejection reports:
- Based on a professional judgement, select the daily reports during the period under review.
- For each report selected, ensure that the source of the rejection is identified (if possible) and the problem is resolved in order to prevent the event from happening in the future.
- Ensure that rejected EDRs are recuperated if possible and obtain resolution evidence or confirmation of the resolution.
- Ensure the reports are reviewed and signed-off on time by the Billing Staff.

a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
b) EDRs rejection reports:
- Based on a professional judgement, select the daily reports during the period under review.
- For each report selected, ensure that the source of the rejection is identified (if possible) and that the problem is (being) resolved in order to prevent the event from happening in the future.
- Ensure that rejected EDRs (during MBF files generation), are recuperated if possible and obtain resolution evidence or confirmation of the resolution.
- Ensure that rejected EDRs (during TAP files generation, either internal or external), are recuperated if possible and obtain resolution evidence or confirmation of the resolution.
- Ensure that the reports are reviewed and signed-off on time by the Billing Staff.

a) HUR/NRTRDE not implemented:
- Select randomly the daily inbound roaming high usage reports.
- Ensure that each day, reports containing High Usage are reviewed by the Billing Manager and sent on time to the Clearing House / Roaming Partners.
- Ensure that a threshold for HUR is defined, agreed and properly set in the system.
b) NRTRDE compliant:
- Select randomly the daily inbound roaming high usage reports.
- Ensure that NRTRDE files are stored on MACH server every 4 hours meaning each EDR should be rated, converted and stored on MACH server.
- Ensure that summary reports on NRTRDE files containing High Usage are reviewed and signed-off on time by the Billing Manager once per day.
- Ensure that a threshold for NRTRDE is defined, agreed and set in the system.

- Obtain the list of new or updated roaming tariffs
- For the sample selected, ensure they were sent to Mach at least 4 weeks before the agreed start date of application. Ensure processing confirmation from Mach has been received.
25
10
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this functionality
b) Reconciliation reports:
- Based on a professional judgement, select the appropriate sample of months in the period under review.
- For selected months, check relevant base documents to review the reconciliation (roaming partners and related IMSI ranges defined).
- Obtain and review the reconciliation and ensure identified discrepancies have been closed.
- Obtain the adequate documentation related to their closure.
- Ensure the reconciliation has been signed off by the Billing Manager

a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this functionality
b) Reconciliation reports:
- Based on a professional judgement, select the appropriate sample of months in the period under review.
- For selected months, check relevant base documents to review the reconciliation (roaming partners and related IMSI ranges defined).
- Obtain and review the reconciliation and ensure identified discrepancies have been closed.
- Obtain the adequate documentation related to their closure.
- Ensure the reconciliation has been signed off by the Billing Manager

a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this functionality
b) Duplicate EDRs review:
- Based on a professional judgement, select the daily samples during the period under review.
- For selected days, obtain reports related to duplicate check on Outbound Roaming EDRs and ensure they are corrected, reviewed and signed-off by Billing staff.
a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this functionality
b) Validation of TAP IN sequence:
- Based on a professional judgement, select the daily samples during the period under review.
- For selected days, obtain validation reports and ensure all missing /sequence gaps are investigated and explained
- Ensure all reports are signed-off by the Billing Manager -1.

a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this functionality
b) Rates reconciliation review:
- Obtain the rates agreed and approved by management. (refer to agreements for tariffs/tariffs change request)
- Ensure the scripts used to validate the rating process are using the correct rates.
- Based on a professional judgement, select the daily samples during the period under review.
- Obtain reports for selected days and ensure all differences are investigated and explained
- Ensure all reports are signed-off by the Billing Manager -1.

- Select randomly the months during the period under review.
- Ensure that the validation of the SDR rate has been done on time based on an official source of information document attached (e.g. FMI)
- Ensure that the rate is correctly setup in Roaming Billing system (if any) or in MACH COM portal through print screen evidence.
- Ensure that the currency conversion validation has been signed-off by the CFO-1.

a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this functionality
- Ensure both postpaid and prepaid records are included in the reconciliation in case of prepaid roaming.
b) Outbound Roaming reconciliation review:
- Select the sample during the period under review.
- For selected items, obtain reconciliation reports done between the billing records contained in TAP IN records with the roaming records uploaded in the postpaid billing system and EDRs on prepaid system. Ensure that if Prepaid Roaming is offered for Out roamers, the TAP IN EDRs are reconciled with prepaid EDRs.
- Ensure that all identified differences are investigated and explained.
- Ensure the reports are reviewed and signed-off on time by the Billing Manager
Reperformance
Med.
Rely
Reperformance
Med.
Rely
25
10
Inspection
Low
Rely
25
10
Inspection
Low
Rely
25
10
Inspection
Med.
Reperformance
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Select randomly the months during the period under review.
- Obtain the reports containing the rejected EDRs which could not be corrected.
- Ensure that the selected reports have been reviewed and signed-off by Billing manager, Local Revenue Assurance Manager and CFO.
- Review adequate reasoning on rejected CDRs which could not be processed.

- Select randomly the months during the period under review.
- Obtain the reports containing the rejected EDRs which could not be corrected.
- Ensure that the selected reports have been reviewed and signed-off by Billing manager, Local Revenue Assurance Manager and CFO.
- Review adequate reasoning on rejected CDRs which could not be processed.

a) Review functional/Technical documentation:
- Obtain and inspect the query used to check the sequential numbering of TAP OUT files.
- In case of alarm report, obtain and review settings of the alarm.
b) TAP OUT files sequence numbering review:
- Select randomly the daily reports related to the check on TAP OUT files sequence numbering.
- Ensure all sequence gaps in TAP OUT files are investigated and explained.
- Ensure daily reports are signed off by a Billing Manager-1.

- Based on a professional judgement, select the daily reports.
- Obtain the approved rate list from the roaming team. (refer to agreements/tariffs change request)
- Review the reconciliation of rates applied in all the TAP OUT files sent on that day vs. the agreed rates.
- Ensure that all exceptions have been investigated and resolved.
- Ensure that the reconciliation of rates has been formalized and signed-off by the Billing Manager-1.

- Based on a professional judgement, select the daily reports.
- Review the Mach IOT check report (Detail report).
- Ensure that all exceptions have been investigated and resolved.
- Ensure that the report has been signed-off by the Billing Manager-1.

a) Review of documentation:
- Obtain and review the SQL query used to perform the reconciliation.
- Obtain functional/technical requirements related to an automated reconciliation
b) Reconciliation reports:
- Based on a professional judgement, select the daily reports reconciling Mediation output versus Roaming Billing Input and Output.
- Ensure that the reconciliation is done in terms of number of EDRs, in Minutes and bytes.
- Ensure all discrepancies are investigated and explained.
- Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible)
- Ensure reconciliation reports are signed-off on daily basis by the Billing Manager.
Note: In case of filtering at the Roaming Billing System Input, ensure that the number of rejected EDRs and corresponding Minutes is clearly described in the reconciliation documentation.
Inspection
Low
Reperformance
Inspection
Low
Reperformance
25
10
Inspection
Low
Rely
25
10
Reperformance
Med.
Rely
25
10
Reperformance
Med.
Rely
25
10
Reperformance
Low
Reperformance
a) Review of documentation:
- Obtain and review the SQL query used to perform the reconciliation.
- Obtain functional/technical requirements related to an automated reconciliation
b) Reconciliation reports:
- Based on a professional judgement, select the daily reports reconciling Mediation output versus created Mach TAP Out
- Ensure that the reconciliation is done in number of EDRs, in Minutes and bytes between figures extracted at the mediation output vs. Mach Tap creation report for Revenue Assurance
- Ensure that all discrepancies have been investigated and explained.
- Ensure that the reconciliation reports have been signed-off by the Billing Manager.

- Select randomly the days during the period under review.
- For selected days, obtain the checklist on TAP OUT files received by the Clearing House.
- Ensure that the reasons for any missing TAP OUT file were investigated and that the file was finally received by the Clearing House.
- Ensure that all TAP OUT files were sent on time.
- Ensure that checklists were reviewed and signed-off on time by the Billing Manager -1.

a) Review of documentation:
- Obtain and review the SQL query used to perform the reconciliation.
- Obtain functional/technical requirements related to an automated reconciliation
b) Reconciliation reports:
- Select randomly 2 monthly reports reconciling summary report sent by the Clearing House against the MIC subsidiary's own Tap IN & Tap OUT details.
- Ensure that all discrepancies are investigated and explained.
- Ensure that reconciliation reports are signed-off on time by the CFO-1.

- Based on a professional judgement, select the sample during the period under review.
- For the selected months obtain all Journal Vouchers related to Roaming costs and revenues.
- Trace back the relevant bookings with invoices received and dispatched. For accruals, check against the Billing system traffic report.
- Ensure that the CFO-1 reviewed and validated the journal entries before posting.
25
10
Reperformance
Low
Reperformance
25
10
Inspection
Low
Rely
Inspection
Med.
Rely
Reperformance
Low
Rely
- Based on a professional judgement, select the sample during the period under review.
- For the selected months, obtain the signed reconciliation report of Roaming revenue & cost booked in the accounting system with MACH reports
- Reperform the reconciliation (by tracing data reconciled to supporting documents)
- Obtain documentation related to reconciliation differences identified and assess relevancy of the explanations and investigations
- Ensure that the reconciliation reports were signed on time by the CFO.

- Select the quarterly reconciliation report.
- Obtain the list of all active roaming agreements.
- Ensure that about 25% of the roaming partners were considered for the reconciliation.
- Ensure that the tariffs setup for rating the TAP OUT files are in line with the tariffs agreed in each AA14 for the corresponding roaming agreements.
- Ensure that the validation has been reviewed and signed-off by the Billing Manager-1.
- Verify whether all the active roaming agreements had been considered in such a reconciliation during the last year.

a) Review functional/Technical documentation:
- Obtain and inspect the query used to obtain the list of new postpaid subscribers
b) Credit check review:
- Obtain the list of all new postpaid subscribers from the period under review
- Based on a professional judgment, select an appropriate sample amongst the list of new postpaid subscribers
- Ensure new accepted subscribers comply with the commercial policy and adequate documentation is done as per commercial policy for credit check.
- For the sample selected obtain credit check form signed-off by the Credit and Collection Manager -1
Reperformance
Med.
Rely
Med.
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of the acceptance of new postpaid subscribers who do not comply with the Credit Policy during the period under review.
- For the sample selected, obtain the credit assessment and exception subscriber acceptance forms signed-off by the Credit and Collection Manager.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of the discounts granted to postpaid subscribers during the period under review.
- For the sample selected, obtain the exceptional discount acceptance form signed-off by the Credit and Collection Manager with adequate reasoning for doing so.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this report
b) Credit Limit review:
- Based on a professional judgement, select the daily samples during the period under review.
- For selected dates, obtain the report related to credit limit reports.
- Ensure all exceptions to the Commercial Policy are explained.
- Ensure they are reviewed and signed-off by the Credit and Collection Manager.

a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this report
b) Credit Limit review:
- Based on a professional judgement, select the daily samples during the period under review and obtain local definition of critical data for subscribers.
- For selected dates, obtain the report related to changes to critical subscriber data (both in the Switch and Postpaid Billing systems)
- Ensure that each provisioned change is matched with an approved change. All exceptions must be explained.
- Ensure reports are reviewed and signed-off by the Consumer Manager.
25
10
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this report
b) Changes review:
- Based on a professional judgement, select the daily reports summarizing any changes or addition of tariff of Postpaid Billing system
- Whenever changes are identified, check adequate supporting documentation (e.g. tariff change request) is available.
- Ensure reports are reviewed and approved on a daily basis by the Category Manager.

a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
b) EDRs corruption reports:
- Obtain the formal procedure/task description of reviewing and resolving rejected EDRs
- Based on a professional judgment, select the daily reports during the period under review.
- For each report selected, ensure that the source of the corruption is identified (if possible) and the problem is resolved in order to prevent the event from happening in the future.
- Ensure that corrupted EDRs are recuperated if possible and obtain resolution evidence or confirmation of the resolution.
- Ensure reports are reviewed by the Billing Staff.

- Based on a professional judgment, select the daily samples during the period under review.
- For each report selected, obtain the filter EDRs reports and ensure they are properly approved by the Billing Manager -1.
- Ensure an appropriate reason is given for filtered-out EDRs.

- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review.
- For selected items, obtain reports containing corrupted EDRs which could not be corrected.
- Review adequate reasoning on corrupted CDRs which could not be processed.
- Ensure selected reports are reviewed and signed-off by Billing manager and CFO.
25
10
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on a professional judgment, select the sample from the period under review.
- For selected months, obtain the Business Rule validation for filtering non-billable traffic
- Obtain filtering rules done at the mediation and Billing system level
- Ensure the Business Rule validated by management reflects the rules implemented in the systems.
- Ensure Business Rules are validated and signed-off by the GM and Billing manager.

a) Review functional/Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report during the period under review.
- In case of alarm report, obtain parameters of alarm set up and ensure that if the time gaps are too big (> threshold, e.g. no calls for more than half hour) the control sends out a critical alarm continuously.
b) Time Gap analysis report:
- Based on a professional judgment, select the sample of daily reports for time gap analysis during the period under review.
- For selected items, obtain the exception / alarm reports or daily report.
- Ensure reports are reviewed and signed-off by Billing staff.

- Based on a professional judgement, select the sample during the period under review.
- Review the guidelines for testing and ensure they are documented and approved. All tested calls are done based on the guideline.
- For selected months, obtain the test call matrix related to the postpaid traffic.
- Ensure that scenarios tested represent at least 90% of all transactions scenarios (including on-net traffic, offnet traffic, international, peak, off-peak, off-off-peak for all kind of postpaid subscription)
- Ensure root cause analysis is performed and documented for any exception identified.
- Ensure test reports have been signed off by the Billing Manager -1 on a monthly basis and whenever a change occurred.
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) EDRs rejection reports: - Based on a professional judgment, select the sample of daily rejection reports during the period under review. - For each report selected, ensure that the source of the rejection is identified (if possible) and the problem is resolved in order to prevent the event from happening in the future. - Ensure that rejected EDRs are recuperated if possible and obtain resolution evidence or confirmation of the resolution. - Ensure reports are reviewed by the Billing Staff.
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
- Ensure this report/alarm includes Postpaid and Prepaid traffic and is set up based on a threshold defined as per the High Usage Policy.
b) High Usage reports:
- Obtain and review the High Usage Policy.
- Select the sample of daily high usage reports from the period under review.
- Ensure each report is reviewed by Credit and Collection Manager -1 and actions taken are written down
- Ensure adequate documentation/formalization is done for the review.

- Select the sample during the period under review
- For selected items, check the outstanding amount and the aging movement of the test SIM.
- Choose 10 Items/Test SIM and check if proper authorization is given for the test SIM. Check if any follow up/corrective action is taken

- Obtain the formal procedure that describes how the pre and post bill run are performed.
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review.
- For selected items, obtain the sample of test reports
- Ensure they have been approved by the Billing Manager.
- Verify they contain relevant explanation for discrepancies.

a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this report
b) Discount Reports review:
- Based on a professional judgement, select the daily samples during the period under review.
- For selected dates, obtain the discount reports.
- Ensure all discounts granted which are not part of a discount plan are justified.
- Ensure reports are reviewed and signed-off by the Consumer Manager.

- Based on a professional judgement, select the sample during the period under review.
- For selected months, obtain the report of future movement schedule related to Postpaid revenue (e.g. connection fees).
- Ensure that revenues from the connection fees are deferred and recognized ratably on a straight-line basis over the estimated life of the customer relationship, based on MIC Policy (Policy N 2.1 & 2.2)
- Ensure that the reconciliation between the future movement schedule and the corresponding accounting entries is reviewed and signed-off by the CFO-1.

a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this report
b) EDRs sequence numbering review:
- Based on a professional judgement, select the reports related to the check on EDR sequence numbering in the Switch platform including nodes like SMSC, MMSC ... during the period under review.
- For selected items, obtain signed-off exception report or daily report on missing sequence numbers.
- Ensure that issues and actions taken have been documented and signed-off by the Billing Manager.
25
10
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
25
10
Inspection
Low
Reperformance
Inspection
Low
Rely
25
10
Inspection
Med.
Reperformance
a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this report
b) Duplicate usage review:
- Based on a professional judgement, select and obtain the sample of duplicated EDRs reports or alarms generated by the system
- Ensure that exceptions are documented (obtain and trace to supporting documentation)
- Ensure the reports are reviewed by the Billing staff.

a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
- Obtain and review the SQL query used to perform the reconciliation.
b) Mediation Input Vs Output reconciliation reports:
- Based on a professional judgment, select the sample of daily reports for reconciling Mediation input versus output during the period under review.
- Ensure that the reconciliation is done in terms of number of EDRs, Minutes and bytes.
- Ensure all discrepancies are investigated and explained.
- Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible)
- Ensure reconciliation reports are signed-off on daily basis by the Billing Manager.

- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review.
- For selected items, obtain reports containing rejected EDRs which could not be corrected.
- Review adequate reasoning on rejected CDRs which could not be processed.
- Ensure selected reports are reviewed and signed-off by Billing manager, Local Revenue Assurance Manager and CFO.

a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
b) Revenue movements reports:
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review.
- For selected items, ensure all pending subscription fees are included in the settlement invoice.
- Ensure each report is reviewed and signed-off by Billing Manager

a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
b) Reconciliation reports:
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review.
- For selected items, obtain the reconciliation between subscriber data against the subscribers covered by the bill runs
- Ensure it contains relevant explanation for observed discrepancies and that actions were taken accordingly where applicable.
- Verify it has been reviewed by the Billing Manager.

a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
b) Fixed bills validation report:
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review.
- For selected items, obtain the signed reconciliation invoices generated for fixed bill customer and the fixed reload on their account in the Prepaid platform.
- Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible)
- Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations
- Ensure the reconciliation is reviewed and signed-off by the Billing Manager.

a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
- Obtain and review the SQL query used to perform the reconciliation.
b) Mediation Output Vs Billing Input Vs Billing Output reconciliation reports:
- Based on a professional judgment, select the sample of daily reports for reconciling Mediation output versus Postpaid Billing Input and Output.
- Ensure that the reconciliation is done in terms of number of EDRs, Minutes and bytes.
- Ensure all discrepancies are investigated and explained.
- Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible)
- Ensure reconciliation reports are signed-off on daily basis by the Billing Manager.
Note: In case of filtering at the interconnect Billing System Input, ensure that the number of rejected EDRs and corresponding Minutes is clearly described in the reconciliation documentation.

a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
b) Reconciliation between invoices generated Vs invoices printed Vs sent out:
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review.
- For selected items, obtain and review the reconciliation reports between invoices generated Vs invoices sent out.
- Ensure that in case of delivery failure, corrective actions are taken and documented.
- Ensure the reconciliation report is reviewed and signed-off by the Billing Manager.

a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
b) Overdue subscriber status report:
- Obtain and review the barring / dunning policy.
- Based on a professional judgment, select the sample from the period under review.
- For selected dates, obtain reports grouping all overdue customers.
- Check if their status has been compared with the theoretical status they should have as per the barring / dunning policy.
- Check that report and analysis have been signed off by Credit and Collection Manager.
- In case of no follow up done for high outstanding customers, check adequate documentation is performed with reasoning.

- Obtain MIC policy section on non billed subscribers
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review.
- For selected items, obtain formal report of non-revenue generating traffic
- Ensure it is compliant with MIC policy
- Ensure it is reviewed and signed-off by Billing Manager and CFO-1
25
10
Inspection
Low
Reperformance
25
10
Reperformance
Med.
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Med.
Rely
25
10
Reperformance
Med.
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
Inspection
Med.
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain all Journal Vouchers related to Postpaid costs and revenues. - Trace back the relevant bookings revenue reports extracted from the Postpaid Billing system. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Ensure the CFO-1 has reviewed and validated journal entries before posting.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Low
Reperformance
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review.
- For selected items, obtain signed reconciliation report of Postpaid revenue & cost booked in the accounting system with the revenue/cost from the Postpaid billing system & the invoices sent out/received.
- Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible)
- Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations
- Ensure the reconciliation report is signed on time by the CFO

a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this exception report.
- Obtain and review the SQL query used to perform the reconciliation.
b) Switch Output Vs Mediation Input reconciliation reports:
- Based on a professional judgment, select the sample of daily reports for reconciling Switch output versus Mediation Input during the period under review.
- Ensure that the reconciliation is done in terms of number of EDRs, Minutes and bytes.
- Ensure all discrepancies are investigated and explained.
- Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible)
- Ensure reconciliation reports are signed-off on daily basis by the CTO-1.

- Obtain the list of new and changed tariffs that occurred during the period under review.
- On the sample selected, ensure a feasibility and profitability analysis has been performed by Go-To-Market department.
- Ensure the feasibility and profitability analysis has been reviewed and signed-off by Category Manager before the tariff implementation.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Med.
Independent
25
10
Reperformance
Med.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Reperformance Walkthrough
- Obtain the list of new and changed tariffs that occurred during the period under review. - On the sample selected during the period under review, ensure a formal approval was obtained for each new/changed tariff and that it is signed-off
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain and review the SQL query (or report technical documentation) used to extract manual changes to subscriber balance. - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Review approval for adjustments: - Obtain the list of all balance changes done manually on the Prepaid Billing system during the period under review. - On the sample selected, obtain the related approval of balance changes done by Customer Support. The approval depends on the threshold amount and has to be in line with the MIC policy No.B4.3.2. - Ensure the approval is obtained and signed-off before the change of the balance in the Prepaid Billing system.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this report
b) Exception report on prepaid traffic:
- Based on a professional judgement, select the sample from the period under review.
- For selected months, obtain exception report related to traffic which cannot be rated, and for which default rating was not successfully applied
- Ensure it has been reviewed by Billing Manager on a monthly basis
- Ensure adequate corrective actions are taken

- Based on a professional judgement, select the appropriate sample of months during the period under review.
- Review the guidelines for testing and ensure they are documented and approved. All tested transactions are done based on the guideline.
- For selected months, obtain the test transactions matrix related to the prepaid traffic and other transactions.
- Ensure that scenarios tested represent at least 90% of all transactions (including e-pin, on-net traffic, off-net traffic, international, peak, off-peak, off-off-peak for all kinds of prepaid subscription)
- Ensure root cause analysis is performed and documented for any exception identified.
- Ensure test reports have been signed off by the Billing Manager -1 on a monthly basis and whenever a change occurred.
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Forfeiture review: - Based on a professional judgement, select the appropriate sample of months during the period under review. - For selected months, obtain the report for de-activation / expiry of scratch card/e-pins - Ensure reports are the same as per the approved validity. - Ensure monthly reports are signed off by a Billing Manager.
Inspection
non-key
Walkthrough
- Obtain the list of all scratch card generation that occurred during the period under review from the Prepaid system. - For the sample selected, obtain the document supporting new PINs generation and ensure they are signed-off by the Category Manager before their generation.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of all scratch card generation that occurred during the period under review. - For the sample selected, obtain the approval request signed-off by the Warehouse Manager for each selected activation in the Prepaid Billing system. - Ensure the approval is obtained prior to scratch card activation.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the Commercial Policy during the period under review. - Ensure that it contains rules for accepting a dealer and acceptable commissions granted to dealers. - Ensure that the Commercial Policy is reviewed and formally approved. - Ensure that the Commercial Policy is up-to-date (updated after any change) and has been reviewed within the last 7 months.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of new dealers from the e-pin platform created during the period under review. - For the sample selected, obtain the credit assessment application form with a Yes/No indication on whether the dealer complies with the commercial policy or not (refer to P18 IC26) - Ensure the credit assessment form is reviewed and signed-off by the Credit and Collection Manager.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of the acceptance of new dealers who do not comply with the Commercial Policy during the period under review. - For the sample selected, obtain the credit assessment exception form signed-off by the GM & CFO
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this report
b) Commission parameter changes review:
- Based on a professional judgement, select and obtain the appropriate sample of reports with all commission parameter changes during the period under review.
- Ensure that reports are reviewed and signed-off by the Category Manager.

a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this report
b) Commission parameter changes review:
- Obtain the list of all manual credit uploads to the dealer balances during the period under review.
- For the sample selected, obtain E-Pin request form signed-off by the Financial Responsible (CFO-1) or Consumer Manager
- Ensure that commissions granted are in line with the Commercial Policy.
- Ensure e-pin credit uploads are reconciled with the proof of the actual payment (e.g. bank statement, cash receipt, etc).

- Observe whether the SMSC and prepaid platform (and if relevant the ePIN platform) verify the identity of the requestor, validity of the request and balance of the requestor before processing the request for a balance transfer.
- Request system documentation or to ensure that the deduction of the e-Pin accounts happens prior to the additions to subscriber accounts.
25
10
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation:
- Obtain and inspect the query used to perform the reconciliation.
- Obtain functional/technical requirements related to an automated reconciliation
b) Reconciliation reports:
- Based on a professional judgement, select the appropriate sample of daily reconciliation reports in the period under review.
- For selected reports, obtain the signed reconciliation report to ensure that the MSISDNs count, status and subscriber profiles in the Switch customer DB (HLR) and Billing system and Prepaid are reconciled on a daily basis. The subscriber profiles include all services (e.g. Ring Back Tone, Roaming, SMS, MMS, GPRS, Voice Mail ...) and the type of subscription (i.e. prepaid or postpaid)
- Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible).
- Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations
- Ensure reports are reviewed and approved on a daily basis by the Billing Manager.

- Obtain the list of new and changed tariffs that occurred during the period under review.
- On the sample selected, ensure an accounting impact analysis has been performed by Finance department as per current Pricing change approval policy and related templates.
- Ensure the accounting impact analysis has been reviewed and signed-off by the CFO before the tariff implementation.
25
10
Reperformance
Low
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
High
Independent
a) Review functional/ Technical documentation:
- Obtain and inspect the query used to generate changes or addition of tariff reports. In case of alarm report, obtain and review settings of the alarm. Make sure it does include tariff changes related to interconnect, roaming, postpaid, prepaid and wireless.
- Obtain functional/technical requirements, test results and end-user approval on the development of this report
b) Changes review:
- Based on a professional judgement, select the appropriate sample of daily reports summarizing any changes or addition of tariffs
- Cross check changes with the tariff change request forms.
- Ensure reports are reviewed and approved on a daily basis by the Category Manager

a) Review functional/ Technical documentation:
- Obtain and review the SQL query used to perform the reconciliation.
- Obtain functional/technical requirements related to an automated reconciliation
b) EDR Reconciliation reports:
- Based on a professional judgement, select the appropriate sample of daily reconciliation reports for EDRs generated by the prepaid platform and the ones generated by the Switch
- Ensure all types of events are reconciled: voice, SMS, MMS, GPRS, content events, etc
- Ensure that the reconciliation is done in terms of number of EDRs, Minutes and Bytes.
- Ensure all discrepancies are investigated and explained.
- Ensure reconciliation reports are signed-off on time by the Billing Manager.
25
10
Inspection
Med.
Rely
25
10
Inspection
High
Independent
a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this report
b) Review manual adjustments on Prepaid:
- Based on a professional judgement, select the appropriate sample of daily reports during the period under review
- For the sample selected, ensure all balance adjustments have been validated against the corresponding approvals done by Customer Support.
- Ensure that reports are signed on a daily basis by the Consumer Manager and CFO.

a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this report
b) Review negative balance:
- Based on a professional judgement, select the appropriate sample of weekly reports during the period under review
- Ensure that these balances have been reviewed by the Billing Manager -1 on a weekly basis (This also includes the instances where customers would normally have a negative balance but received a 0 balance because the prepaid platform does not allow / cannot handle negative balances)
- Ensure adequate explanations are provided on identified negative balances with the right supporting documentation.

a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this report
b) Review free traffic, zero rated and default rated traffic:
- Based on a professional judgement, select the appropriate sample of weekly reports during the period under review.
- Obtain selected reports listing all free traffic, zero rated traffic and default rated traffic
- Ensure all exceptions are investigated and adequate actions are taken.
- Ensure it has been reviewed by Billing Manager
25
10
Inspection
Med.
Independent
Inspection
Med.
Rely
Inspection
Med.
Independent
- Based on a professional judgement, select the appropriate sample of months during the period under review.
- For selected months, obtain the regular post hoc testing result report.
- Obtain the approved tariff from the Go-To-Market Department
- Ensure the re-rating is performed with the correct tariff as per the approved tariffs list.
- Ensure the re-rating covers all types of traffic (all prepaid EDRs) for selected day
- Ensure the report is signed-off on a monthly basis by the Billing Manager
- Ensure adequate corrective actions are taken

a) Review functional/ Technical documentation:
- Obtain functional/technical requirements, test results and end-user approval on the development of this report
b) CDRs sequence numbering review:
- Based on a professional judgement, select the appropriate sample of reports related to the check on EDR sequence numbering in the Prepaid platform during the period under review.
- For selected items, obtain signed-off exception report or daily report on missing sequence numbers.
- Ensure that issues have been documented and signed-off by the Billing Manager.
Inspection
Low
Rely
25
10
Inspection
High
Independent
Reperformance
Med.
Rely
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Expired revenue reconciliation: - Based on a professional judgement, select the appropriate sample of months during the period under review. - For selected months, obtain the non usage accounts and expired balance report from the Prepaid system. - For selected months, obtain the expired scratch cards and vouchers. - Review the forfeiture and corresponding subscriber's balances have been removed. - Ensure the reconciliation is reviewed and signed-off by the CFO and differences have relevant explanations 5 a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) IN integrity review: - Based on a professional judgement, select the appropriate sample of weeks during the period under review. - For selected weeks, obtain the reconciliation between prepaid usage and the delta of the opening and closing balance of accounts - Reperform the reconciliation with figures extracted based on the following model: the opening balance - usage (voice and data) + top-ups + promotional credits +/- subscriber balance adjustments - expired subscriber credit = closing balance. - Ensure any discrepancies have been identified and explained. Verify the quality and relevancy of the explanation - Ensure the reconciliation report is reviewed and signed-off by the Billing Manager and Finance Responsible (CFO-1) - Based on a professional judgement, select the appropriate sample of months during the period under review. - For selected months obtain all Journal Vouchers related to Prepaid. - Trace back the relevant bookings value with details from SC17. - Ensure the CFO-1 reviewed and validated journal entries before posting. - Based on a professional judgment, select the appropriate sample of months during the period under review. 
- For selected month, obtain signed reconciliation report of prepaid revenue in the accounting system with the revenue from the prepaid billing system. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure the reconciliation report is signed on time by the CFO - Ensure the Tigo Lends You platform report is included in the deferred revenue reconciliation. 3 Reperformance High Independent
Reperformance
Low
Rely
Reperformance
Low
Reperformance
- Obtain and review security controls on the process documentation describing the PIN/HRN life cycle from the creation to their printing. - Obtain the documentation of access rights & actual access security settings in system(s) and database(s) to ensure that the scratch card PINs / HRNs are protected by means of appropriate access security controls and/or encryption continuously. - Check the function of the persons that have access, ensure it is relevant and identify any possible segregation of duties issues. - Ensure only authorized employees hold the key that allows decryption of PIN codes - Check that PIN/HRN policies and procedures have been reviewed on a bi-annual basis. - Obtain the related technical documentation
Inspection
Med.
Reperformance
Inspection
Med.
Rely
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Reconciliation: - Obtain the list of all scratch card generations that occurred during the period under review. - For the sample selected, obtain the report to ensure all scratch cards defined on the prepaid platform are received. - Ensure the reconciliation is performed against the approved PIN/HRN requests (IC20) - Ensure that the Warehouse Manager performs this control, whilst the Financial Responsible (CFO-1) has to review and approve this reconciliation. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Duplicate usage review: - Based on a professional judgement, select and obtain the appropriate sample of duplicated scratch card reports or alarms generated by the system - Ensure that exceptions are documented (obtain and trace to supporting documentation) - Ensure review by Billing Manager a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Commission parameter changes review: - Based on a professional judgement, select and obtain the appropriate sample of reports on e-pin credit given to the dealers in the e-pin platform - Ensure they are reconciled against money receipt in Billing System (Cash Management) - Ensure that any differences are explained. - Ensure that reconciliation reports are signed-off on a daily basis by the CFO-1. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) E-Pin integrity review: - Based on a professional judgement, select the appropriate sample of days during the period under review.
- For selected days obtain the reconciliation of all e-Pin account balances - Reperform the reconciliation with figures extracted based on the following model: Opening Balance minus transfer out plus transfer in plus/minus adjustments (if any) equals to the closing balance. - Ensure any discrepancies have been identified and explained. Verify the quality and relevancy of the explanation - Ensure the reconciliation report is reviewed and signed-off by the Billing Manager and Finance Responsible (CFO-1)
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
25
10
Inspection
Med.
Reperformance
25
10
Inspection
High
Reperformance
25
10
Reperformance
High
Independent
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) E-Pin output is reconciled with Prepaid Platform Input: - Based on a professional judgement, select the appropriate sample of days during the period under review. - For selected days obtain the reconciliation between e-Pin output with Prepaid Platform Input. - Ensure the reconciliation is done at the account level. - Ensure any discrepancies have been identified and explained. Verify the quality and relevancy of the explanation. - Ensure the reconciliation report is reviewed and signed-off by the Billing Manager.
25
10
Inspection
Med.
Independent
a) Review functional/ Technical documentation: - Obtain and inspect the query used to obtain the list of new postpaid subscribers b) Credit check review: - Obtain the list of all new Postpaid Wireless subscribers from the period under review - Based on a professional judgment, select an appropriate sample amongst the list of new postpaid subscribers - Ensure new accepted subscribers comply with the commercial policy and adequate documentation is done as per commercial policy for credit check. - For the sample selected obtain credit check form signed-off by the Credit and Collection Manager -1
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of the acceptance of new Postpaid Wireless subscribers who do not comply with the Credit Policy during the period under review. - For the sample selected, obtain the credit assessment and exception subscriber acceptance forms signed-off by the Credit and Collection Manager.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of the discounts granted to Wireless Postpaid subscribers during the period under review. - For the sample selected, obtain the exceptional discount acceptance form signed-off by the Credit and Collection Manager with adequate reasoning for doing so.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Discount Reports review: - Based on a professional judgement, select the daily samples during the period under review. - For selected dates, obtain the discount reports. - Ensure all discounts granted which are not part of a discount plan are justified. - Ensure reports are reviewed and signed-off by the Consumer Manager. - Obtain the list of all new Wireless subscribers during the period under review. - Based on a professional judgment, select an appropriate sample amongst the list. - For selected items, obtain charging report for subscribers and ensure it is signed-off by the Billing team.
25
10
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Credit Limit review: - Based on a professional judgement, select the daily reports in the period under review. - For selected reports, obtain the report related to changes to critical subscriber data (both in the Switch and Postpaid Billing systems) - Ensure that each provisioned change is matched with an approved change. All exceptions must be explained. - Ensure reports are reviewed and signed-off by the Consumer Manager
25
10
Inspection
non-key
Walkthrough
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, ensure that additional material taken by customers is charged.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the formal procedure that describes how the pre and post bill run are performed. - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, ensure it has been approved by the Billing Manager. - Verify it contains relevant explanation for discrepancies.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Reconciliation reports: - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain the reconciliation between subscriber data against the subscribers covered by the bill runs. - Ensure it contains relevant explanation for observed discrepancies. - Verify it has been reviewed basis by the Billing Manager. - Obtain the list of CPE moved out of the warehouse during the period under review - Based on a professional judgment, select an appropriate sample amongst the list of out movements - Obtain the copy of installation order done by the Warehouse Manager (or the original one) for each selected movement - Ensure that each order was amended with the provided CPE and signed off by the Warehouse Manager
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on a professional judgment, select the sample from the period under review. - For selected dates, obtain signed reconciliation report of disconnection instructions and received CPEs in warehouse - Ensure allocation of charges for non received CPEs - Ensure the reconciliation is reviewed by Credit and Collection Manager - Ensure any discrepancies have been identified and explained. Verify the quality and relevancy of the explanation a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Reconciliation reports: - Based on a professional judgement, select the daily reconciliation reports in the period under review. - For selected reports, obtain the signed reconciliation report to ensure that the subscriber numbers and profiles (including status) - Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible). - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure reports are reviewed and approved on a daily basis by the Billing Manager.
Reperformance
non-key
Walkthrough
25
10
Reperformance
Low
Rely
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Reconciliation between invoices generated Vs invoices printed Vs sent out: - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain and review the reconciliation reports between invoices generated Vs invoices printed Vs sent out. - Ensure that in case of delivery failure, corrective actions are taken and documented. - Ensure the reconciliation report is reviewed and signed-off by the Billing Manager. - Obtain MIC policy section on non billed subscribers - Based on a professional judgment, select the sample from the period under review. - For selected month, obtain formal report of non-revenue generating traffic - Ensure it is compliant with MIC policy - Ensure it is reviewed and signed-off by Billing Manager and CFO-1 - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain all Journal Vouchers related to Wireless costs and revenues. - Trace back the relevant bookings revenue reports extracted from the Wireless Billing system. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Ensure the CFO-1 has reviewed and validated journal entries before posting.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
Reperformance
Low
Rely
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain signed reconciliation report of Postpaid Wireless revenue & cost booked in the accounting system with the revenue/cost from the Postpaid Wireless billing system. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure the reconciliation report is signed on time by the CFO a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Overdue subscriber status report: - Obtain and review the barring / dunning policy. - Based on a professional judgment, select the sample from the period under review. - For selected dates, obtain reports grouping all overdue customers. - Check if their status has been compared with the theoretical status they should have as per the barring / dunning policy. - Check that report and analysis have been signed off by Credit and Collection Manager. - Obtain a list of new Local Senior Management and Regional equivalents hired during the period under review. - Select the number of employees to be tested. - For each selected employee obtain both hiring package and contract. - Verify that each package of new GM/GM-1 has been reviewed and formally approved. - Verify contract data are in line with approved package (i.e. employee details, salary, bonus amount/percentage, etc.). - Obtain a list of all new employees other than Local Senior Management and Regional equivalents hired during the period under review. - Select the number of employees to be tested. - For each selected employee obtain the contract. - Verify that the contract has been reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Med.
Rely
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain a list of all employees who were subject to annual performance evaluation (some employees hired too recently may not be subject yet to evaluations). - Select the number of employees to be tested. - For each selected employee obtain the annual performance evaluation form. - Ensure it was reviewed and formally approved before promotion period.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- For each selected month obtain the reports including commissions and other variable pay elements (overtime, paid off, sickness, holidays, absence, personal expenses). - Ensure they are reviewed and formally approved. - Obtain the list of all Local Senior Management and Regional equivalents. - Select the number of employees to be tested. - For each selected employee obtain the calculation of effective bonus and related supporting documentation (i.e.: assessment of individual performance and general bonus performance criteria communicated by headquarters). - Ensure arithmetical accuracy. - Ensure each calculation was reviewed and formally approved.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Obtain the list of all employees other than Local Senior Management and Regional equivalents. - Select the number of employees to be tested. - For each selected employee obtain the calculation of effective bonus and related supporting documentation (i.e.: assessment of individual performance and general bonus performance criteria communicated by headquarters). - Ensure arithmetical accuracy. - Ensure each calculation was reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Obtain the quarterly mapping between job positions within the company and related cost center code. - Reperform the mapping to ensure that: a) All identical job positions bear the same cost center code. b) All the job positions included in the list are active (no expired or inactive positions must be included) c) All the cost center codes included in the list are active (no expired or inactive codes must be included) - Ensure that any discrepancy is properly explained and that corrective action has been taken. - Ensure mapping was reviewed and formally approved.
Reperformance
Low
Rely
- For each selected month, obtain the returns kept on file (taxes and social security) and communicated by the third party service provider. - Ensure that any unusual item has been properly investigated and explained. - Verify the returns have been reviewed and formally approved.
Inspection
non-key
Walkthrough
- For each selected month, obtain the analytical review between current month payroll accounts and previous month. - Ensure that the analytical review includes all the costs related to employees: not only salaries, also other personnel expenses, etc. - Verify that all variations equal or above 10% have been properly investigated and explained. - In case of errors, ensure that corrective actions have been taken and documented. - Ensure that the analytical review has been reviewed and formally approved. 1) For each selected month, obtain a list of the Payroll System changes made during the month: a) Recruitments (employees added to payroll database). b) Dismissals (employees removed from payroll database). c) Changes in variable pay elements (overtime, paid off, sickness, holidays, absence, personnel expenses). d) Changes in salary and benefits. e) Changes in deduction rates (social payments and others). f) Changes due to employee's complaints. 2) Select 10% of the changes made during the month (sample must include all above categories). 3) For each change selected, obtain the personnel action form or any document evidencing HR Responsible approval (or Head of Performance and Reward approval for changes related to Local Senior Management and Regional equivalents) 4) Ensure that the above mentioned changes were reviewed and formally approved before being communicated to the third party service provider.
Inspection
non-key
Walkthrough
Inspection
Low
Reperformance
- For each selected month, obtain the 3 pay slips that have been reconciled with personal data (in total, obtain 6 pay slips). - Ensure that reconciliation between pay slip communicated by third party service provider and personal data of the employee has been properly evidenced (existence of tick marks and/or cross references). - Ensure that any discrepancy has been investigated and explained. - Reperform the reconciliation to ensure clerical accuracy. - Ensure reconciliation has been reviewed and formally approved.
Reperformance
Med.
Reperformance
- Obtain the computation of the bonus accrual for each selected quarter and related supporting documentation. - Verify arithmetical accuracy and reasonableness of calculation. - Tie out the accrual's computation vs. accounting records. - Ensure computation has been reviewed and formally approved.
Reperformance
non-key
Walkthrough
- For each selected month, obtain the reconciliation performed between individual pay slip, fund request details and total cash disbursement related to payroll payment. - Ensure reconciliation has been properly evidenced (existence of tick marks and/or cross references). - Ensure that any discrepancy has been investigated and explained. - Reperform the reconciliation to ensure clerical accuracy. - Ensure reconciliation has been reviewed and formally approved.
Reperformance
non-key
Walkthrough
- For each selected month, obtain the fund request form. - Ensure the fund request form has been reviewed and formally approved by both the Human Resources department (GM-1 or GM-2) and CFO before transfer of cash to the payroll bank account. - Obtain the list of subscriber billing complaints during the period under review. - For sample selected complaints, ensure they are reviewed by the Billing Manager. - Ensure corrective actions are taken.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Billing adjustments review: - Obtain the list of billing adjustments during the period under review. - For sample selected adjustments, ensure they are validated and signed-off by the Billing Manager. - Obtain the list of Interconnect/Roaming billing adjustments during the period under review. - For sample selected adjustments, ensure they are validated and signed-off by the Billing Manager and CFO.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the audit log recording all massive billing adjustments which occurred during the period under review. - For sample selected adjustments, ensure they are validated and signed-off by the GM and Customer Manager. - Check there is adequate documentation and log evidence for a massive adjustment.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on a professional judgment, select the sample from the period under review. - For selected month, obtain reconciliation of billing adjustments with their approvals signed-off - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure the reconciliations are reviewed and signed-off by the CFO. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Billing adjustments review: - Obtain the list of billing adjustments during the period under review. Ensure the inclusion of all the revenue streams. - For the sample selected, ensure they are validated and signed-off based on MIC Policy. - Based on a professional judgment, select the sample from the period under review. - For selected month, obtain the Journal Voucher related to Billing adjustments to be executed into the accounting system - Check it has been reviewed by the CFO-1 - Based on a professional judgment, select the sample from the period under review. - For selected month, obtain the signed reconciliation report to ensure that the reconciliation is performed between the credit and debit notes in the different billing systems and the credit and debit notes recorded in the accounting system on a monthly basis. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Check it has been reviewed by the CFO-1 - Check the list of report/batch changes during the period under review. - Obtain the MIC Policy.
- For the sample selected, obtain functional/technical requirements, test results and end-user approval on the development of this exception report. - Ensure the report for the subscriber reporting is designed in order to be in line with the MIC Policy. - Ensure the functional description and the alignment of this description with the MIC policy are signed-off.
Reperformance
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Reperformance
Inspection
Low
Rely
Reperformance
Med.
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on a professional judgment, select the sample from the period under review. - For selected weeks obtain the Reporting Package and ensure section related to subscriber numbers has been reviewed by GM (COO if existing) and CFO - Obtain supporting documentation (both in Billing Systems) and check for number accuracy against original numbers reported.
Reperformance
non-key
Walkthrough
- Obtain the list of report/batch changes during the period under review. - Obtain the MIC Policy. - For the sample changes selected, obtain functional requirements and check it has been approved by IT Responsible and Consumer Manager and CFO or Finance Responsible (CFO-1) - Check it is in line with accounting principles
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Validation of the number of subscribers : - Check the list of number of subscribers recording during the period under review. - Obtain the MIC Policy. - For sample recording selected, obtain subscriber number report and check it has been reviewed by Consumer Manager - Obtain drafted recording of the number of subscribers and ensure they are approved by the CFO or Finance Responsible (CFO-1). - Check validation has been performed prior to disclosure. - For the period under review obtain a General Ledger report. - Identify all the invoices related to intercompany transactions / accounts. - Select the sample to be tested and obtain the related invoices. - Ensure that each invoice has been reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- For the sample selected, obtain the approved "Intercompany reconciliation". - Obtain the Trial Balance. - Obtain valid documentation in order to confirm all the intercompany balances (e-mails from counterparty, etc.) - Reperform the reconciliation by noting that all intercompany disclosures must be supported by valid documentation (Note that amounts and concepts have been completely and correctly disclosed in the reconciliation as per TB and supporting documents). - Ensure that any differences identified have been investigated and resolved. - Ensure reconciliation is reviewed and formally approved before Consolidation process takes place.
Reperformance
non-key
Walkthrough
- From the contracts database, obtain the list of all new contracts / agreements issued during the period under review. - Filter the contracts by selecting only the ones referring to Intercompany transactions (loans and TSF). - Select in this list the samples to be tested and obtain the related contracts (Note that sample must include agreements where the Operation is the charging company and agreements where the Operation is the charged company). - Verify for each sample selected that the contract was reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- For the sample selected, obtain the approved fair value calculation of unquoted securities. - Verify that the model to perform such calculation has been properly reviewed by Accounting responsible, tying each input in the model against valid support documentation. - Verify arithmetical accuracy. - Ensure that the fair value calculation of unquoted securities has been reviewed and formally approved. - For the sample selected, obtain the approved fair value computation. - Verify that each assumption for all unquoted financial assets has been properly reviewed by CFO to correctly assess their fair value. - Ensure that the fair value computation has been reviewed and formally approved. - For each sample selected, obtain the list of installations completed during the month; - Ensure the list has been reviewed and formally approved (check sign-off and date); - Ensure the list is communicated to the AMNET Region accounting department (i.e. e-mail, memo, etc) before closing the month. - Obtain a list of all new IRU agreements such as IRU agreements which have been changed over the period under review; - Select in this list the samples to be tested and for each one obtain the conclusions on IRU classification (classification as a service agreement or as a lease); - Ensure that the classification is in line with MIC Policy Manual; - Ensure appropriate supporting documents exist to support the conclusions and ensure proper review and approval of the conclusions before booking of the IRU (check sign-off and date). 
- Obtain a list of all new IRU agreements such as IRU agreements which have been changed over the period under review, classified as a lease; - Select in this list the samples to be tested and for each one obtain the conclusions on lease classification (classification as a financial lease or an operating lease); - Ensure that the classification is in line with IAS 17; - Ensure appropriate supporting documents exist to support the conclusions and ensure proper review and approval of the conclusions before booking of the IRU (check sign-off and date). - Obtain a list of all new IRU agreements such as IRU agreements which have been changed over the period under review, classified as a financial lease; - Select in this list the samples to be tested and for each one obtain the "Leasing amortization table"; - Review the accuracy of the discounted value and all data as per the lease amortization table by reperforming their computation and ensuring compliance with the terms and conditions of the financial lease agreements; - Verify that the amounts computed in the "Leasing amortization table" tie with the accounting records; - Ensure that the "Leasing amortization table" has been reviewed and formally approved before booking (check sign-off and date).
Inspection
non-key
Walkthrough
Inspection
Low
Reperformance
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Med.
Rely
- Obtain a list of all new IRU agreements such as IRU agreements which have been changed over the period under review, classified as an operating lease; - Select in this list the samples to be tested and for each one obtain the "computation of the straight line rent"; - Review the accuracy of all data as per the computation of the straight line rent and ensure compliance with the terms and conditions of the operating lease agreements; - Verify that the amounts as per the "computation of the straight line rent" tie with the accounting records; - Ensure that the "computation of the straight line rent" has been reviewed and formally approved before booking (check sign-off and date).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Low
Rely
- Obtain a list of all changes to existing IRU / Network capacity agreements, over the period under review; - Select in this list the samples to be tested and for each one obtain evidence that the change such as related assumptions in terms of IRU accounting (classification as a service agreement or as a lease, classification as an operating lease or as a financial lease) have been reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
- For the sample selected, obtain the list of IRU assets that are impaired / no longer in use; - Ensure the list has been reviewed and formally approved (check sign-off and date) before booking or updating any data in the accounting records (if applicable). - For each sample selected obtain the monthly reconciliation between accounting and lease amortization table; - Reperform the reconciliation by tying the IRU's GBV, NBV and depreciation charge as per the accounting system with the amortization table data; - Ensure that any discrepancy has been properly explained and investigated; - Ensure that the reconciliation was reviewed and formally approved (check sign-off and date). - For each sample selected obtain the Cost allocation sheet; - Ensure that the Cost allocation sheet has been reviewed and formally approved (check sign-off and date) before recharge to each country.
Inspection
Low
Rely
Reperformance
Low
Rely
Inspection
Low
Rely
- Based on the samples selected for SC1, obtain the "Installations' requirements forms". - Ensure that these forms have been reviewed and formally approved (check sign-off and date). - Obtain evidence that they were communicated to the Local Technical area (i.e. e-mail, memo, etc.).
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain a list of all agreements regarding Programming Contents (issued during the period under review). - Select from this list the samples to be tested and for each one review that an agreement exists - Ensure that Content agreements have been properly approved
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- For each sample selected, obtain the schedule approved for the month. - Ensure the list has been properly approved (check sign-off and date). - Obtain evidence that the list is communicated to the Regional Programming Department (e.g. e-mail, memo, etc.)
Inspection
Med.
Rely
- For each sample selected, obtain the "cost computation report". - Ensure that the calculation made by the Programming department is accurate by tying the primary elements of the calculation to the agreement's terms and conditions (e.g. number of subscribers per type of package, country, cost per subscriber, etc.). - Ensure that any difference identified has been investigated and resolved before approval. - Ensure arithmetical accuracy. - Ensure final computation is duly reviewed and approved (e.g. tick marks, sign-off, date, etc.). - For the sample selected, monthly accrual needs to be compared with the actual invoice for that month received from programmers - Variations between accrual and invoice above 10% need to be explained - Ensure the accrual was properly approved (check sign-off and date). - For each sample selected obtain the monthly reconciliation between programmers' invoices and payments made - Reperform all reconciliations by tying the primary elements invoices, payments and calculations. - Ensure differences have been identified, investigated and corrected. - Verify that all reconciliations were reviewed and formally approved (check sign-off and date).
Reperformance
Med.
Rely
Reperformance
Med.
Independent
Reperformance
Med.
Reperformance
- Obtain the list of new and changed tariffs that occurred during the period under review. - On the sample selected, ensure a feasibility analysis (including cost/benefit analysis, a market study, a comparison with the competitors, etc) has been performed by Go-To-Market department for the sample selected. - Ensure the feasibility analysis has been reviewed and signed-off by Category Manager before the tariff implementation. - Obtain the list of new and changed cable TV product, tariff and/or promotion that occurred during the period under review. - On the sample selected during the period under review, ensure a formal approval obtained for each new/changed tariff and that it is signed-off by GM and CFO.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain and inspect the query used to obtain the list of new corporate cable TV subscriber, new residential cable TV subscriber with a digital cable TV package b) Credit check review: - Obtain the list of all new corporate cable TV subscribers and residential cable TV subscriber with a digital cable TV package and Pay-Per-View (Pay Per View) option for the period under review. - Based on professional judgment, select an appropriate sample amongst the list of new cable TV subscribers - Ensure new accepted subscribers comply with the commercial policy and adequate documentation is done as per commercial policy for credit check. - For the sample selected obtain credit check form signed-off by the Credit and Collection Manager -1
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report - Obtain the commercial policy and ensure the report is in line with defined rules. b) Exception to the Credit Check Cable TV subscriber review: - Obtain the list of the acceptance of new subscribers who do not comply with the Credit Policy during the period under review. - For the sample selected, obtain the credit assessment exception form signed-off by the Credit and Collection Manager and ensure it was done before acceptance a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Discount and free usage review: - Obtain the list of the discounts or free usage given to the corporate subscriber during the period under review. - For the sample selected, ensure they are part of the report containing all discounts or free usage which is signed-off by the Credit and Collection Manager with adequate reasoning for doing so.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Outstanding work orders Review: - Based on a professional judgement, select the daily reports in the period under review. - For selected reports, ensure that they contain all outstanding cable TV work orders. - Ensure reports are reviewed and signed-off by the Installations Head - Obtain the list of all new/changed cable TV subscribers during the period under review. - Based on a professional judgment, select an appropriate sample amongst the list. - For selected items, ensure that all additional material used at the installation time was part of the charging report for subscribers and ensure it is signed-off by the Billing team.
25
10
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Changes to Subscriber data review: - Based on a professional judgement, select the daily reports in the period under review. - For selected reports, obtain the report related to changes to critical subscriber data (in the television billing system and the television network platform) - Ensure that each provisioned change is matched with an approved change. All exceptions must be explained. - Ensure reports are reviewed and signed-off by the Consumer Manager
25
10
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) EDRs rejection reports: - Based on a professional judgment, select the sample of daily rejection reports during the period under review. - For each report selected, ensure that the source of the rejection is identified (if possible) and the problem is resolved in order to prevent the event from happening in the future. - Ensure that rejected usage records are recuperated if possible and obtain resolution evidence or confirmation of the resolution. - Ensure reports are reviewed by the Billing Staff. - Obtain the formal procedure that describes how the pre and post bill run are performed. - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - Verify it contains relevant explanation for discrepancies. - For selected items, ensure that sample tests report has been approved by the Billing Manager.
25
10
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on a professional judgment, select the sample from the period under review. - For selected dates, obtain the reconciliation report performed between received disconnection work orders with CPEs received in the warehouse. - Ensure that in case of exception, corrective actions are taken and documented. - Check that report and analysis have been signed off by Credit and Collection Manager. a) Review functional/ Technical documentation: - Obtain and inspect the query used to generate changes and addition of cable TV products/tariffs/promotions reports from Billing system. In case of alarm report, obtain and review settings of the alarm. b) Changes review: - Based on a professional judgement, select the appropriate sample of daily reports summarizing any changes or addition of products/tariffs/promotions of Billing system - Cross check changes with the products/tariffs/promotions change request forms. - Ensure reports are reviewed and approved on a daily basis by the Category Manager. - Obtain the list of changes and addition of cable TV products, tariffs and/or promotions (including bundled offers) that occurred during the period under review. - On the sample selected, ensure an accounting impact analysis has been performed by Finance department as per current Pricing change approval policy and related templates. - Ensure the accounting impact analysis has been reviewed and signed-off by the CFO before the tariff implementation. a) Review functional/ Technical documentation: - Obtain and inspect the query used to perform the reconciliation. - Obtain functional/technical requirements related to an automated reconciliation b) Reconciliation reports: - Based on a professional judgement, select the appropriate sample of daily reconciliation reports in the period under review. 
- For selected reports, obtain the signed reconciliation report to ensure that the subscriber numbers and profiles in television network platform and television billing system are reconciled on a daily basis. The subscriber profiles includes all services (e.g. PPV) and the type of subscription. - Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible). - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure reports are reviewed and approved on a daily basis by the Billing Manager. a) Review functional/ Technical documentation: - Obtain and review the SQL query used to perform the reconciliation. - Obtain functional/technical requirements related to an automated reconciliation b) EDR Reconciliation reports: - Based on a professional judgement, select the appropriate sample of daily reconciliation reports for Pay Per View usage records generated by the television billing system and the ones generated by television network platform. - Ensure all discrepancies are investigated and explained. - Ensure reconciliation reports are signed-off on time by the Billing Manager. - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - Obtain the commercial policy. - For selected items, ensure that additional material (as per the commercial policy) required during the installation which was not included in the basic fee is charged.
Inspection
non-key
Walkthrough
25
10
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
25
10
Reperformance
Low
Rely
25
10
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Reconciliation reports: - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain the reconciliation between subscriber data against the subscribers covered by the bill runs. - Ensure it contains relevant explanation for observed discrepancies. - Verify it has been reviewed by the Billing Manager. - Based on a professional judgment, select the sample from the period under review. - Obtain reports containing rejected EDRs which could not be corrected. - Review adequate reasoning on rejected EDRs which could not be processed. - Ensure selected reports are reviewed and signed-off by Billing manager, Local Revenue Assurance Manager and CFO.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Reconciliation between invoices generated Vs invoices printed Vs sent out: - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain and review the reconciliation reports between invoices generated Vs invoices printed Vs sent out. - Ensure that in case of exception, corrective actions are taken and documented. - Ensure the reconciliation report is reviewed and signed-off by the Billing Manager. - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain all Journal Vouchers related to Cable TV costs and revenues. - Trace back the relevant bookings revenue reports extracted from the TV Billing Platform - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Ensure the CFO-1 has reviewed and validated journal entries before posting.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Low
Rely
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain signed reconciliation report of Cable TV revenue & cost booked in the accounting system with the revenue/cost from the television billing system. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure the reconciliation report is signed on time by the CFO a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Overdue subscriber status report: - Obtain and review the collection / barring policy. - Based on a professional judgment, select the sample from the period under review. - For selected dates, obtain reports grouping all overdue customers. - Check if their status has been compared with the theoretical status they should have as per the barring / dunning policy. - Check that report and analysis have been signed off by Credit and Collection Manager.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Low
Reperformance
Inspection
Med.
Independent
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Inspection
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
- Obtain the list of all critical systems, platforms, applications and databases. - For each critical system, platform, application and database, obtain and inspect the print copy of the catalogue and/or description of the testing environment. - Ensure that the testing environment is separated logically and/or physically from the production environment, that it allows adequate stress, unit and end-to-end testing, that it reflects as much as possible the live environment (data in kind and quantity), and that it is available for sufficient testing time. - Ensure that the print copy of the catalogue and/or description of the testing environment has been formally reviewed and approved. - In case there is no separate testing environment for a critical system, platform, application or database, ensure that there are specific adequate procedures and guidelines in place for testing (including details of mitigating factors and measures in place to prevent negative impact of testing) and that they have been formally reviewed and approved. - Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, determine whether users and relevant stakeholders were informed of the change implementation.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the Logical Access Management Policy (or Security Policy). - Determine whether the management of user accounts for joiners, job changes and job termination is part of the policy (for both employees and contractors, for local and remote access...). - Ensure that the Logical Access Management Policy (or Security Policy) has been formally reviewed and approved within the last 7 months. - Obtain evidence that the Logical Access Management Policy (or Security Policy) has been formally communicated. - Obtain and inspect the formal inventory of personal data and sensitive information. - Ensure that security means are enabled to protect the integrity and privacy of these personal data and sensitive information. - For the last quarter, ensure that the security set-up has been adequately and formally reviewed and approved. - Obtain and inspect the backup policy to verify whether the backup terms are appropriate (all critical elements considered in scope and backup frequency requirements). - Based on professional judgement, select the sample for the period under review. - For each of the selected days, obtain and inspect the Backup journals to ensure that backups were run as per the backup policy (at least daily for data and weekly for configurations) for all critical systems, platforms, applications and databases. - Ensure that the backups ran successfully to completion (or failure was explained and timely remediated). - Ensure that the backup journals have been formally reviewed and approved. - Obtain and inspect the Disaster Recovery Plan. - Ensure that the DRP addresses the critical systems, platforms, applications and databases as a minimum requirement. Ensure that the DRP has been formally reviewed and approved within the last 7 months. - Obtain and inspect the Disaster Recovery Plan.
- Obtain and inspect the DRP test results (if a real disaster occurs and leads to the deployment of the plans, then this is considered as the sample item) - Verify that the DRP was tested within the last year. - Ensure that the DRP test results have been formally reviewed and approved. - Obtain and inspect the Incident and Problem Management Policy and Procedures. - Ensure that it defines handling, analysis and resolution mechanisms of non-standard events (incidents), including escalation procedures, supplier involvement if appropriate and clear description of the process. - Ensure that the Incident and Problem Management Policy and Procedures have been formally reviewed and approved within the last 7 months. - Obtain evidence that the Incident and Problem Management Policy and Procedures have been formally communicated.
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- Obtain and inspect the Events and Incidents Journals for the period under review. - Based on professional judgement, select a representative sample of significant IT events or incidents and failures for the period under review. - For each of the selected events, incidents and failures, ensure that they have been formally reviewed and approved immediately. - For each of the selected events, incidents and failures, ensure that it has been communicated and resolved in a timely manner. - Based on professional judgement, select a 2-month sample for the period under review. - For each of the selected months, obtain and inspect the Events and Incidents Journals. - Ensure that all significant IT events or incidents and failures of the Events and Incidents Journals (including the resolution activities and status) have been formally communicated. - Ensure that the Events and Incidents Journals have been formally reviewed and approved. - Obtain and inspect the document defining and listing authorized, tolerated and unauthorized software. - Ensure that the list of authorized, tolerated and unauthorized software has been formally reviewed and approved within the last 7 months. - Ensure that the list of authorized, tolerated and unauthorized software has been formally communicated throughout the company. - Obtain and inspect the document defining and listing authorized, tolerated and unauthorized software. - Obtain and inspect the document which formalized the review of software installed and used. - Ensure that the review addresses all the computers and machines (user PCs and servers). - Ensure that any unauthorized software installed has been reported and reacted upon. - Ensure that the review of software installed and used has been formally reviewed and approved. - Based on professional judgement, select the sample for the period under review.
- For each of the selected months, obtain and inspect the job scheduling checklists of all critical systems, platforms, applications and databases to determine whether they have been formally reviewed and approved. - Obtain and inspect the operating procedures. - Ensure that all operation procedures have been documented, updated and formally reviewed and approved within the last 7 months.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- Obtain and inspect the operating procedures. - Ensure that the listing of all potential suspicious activities has been updated and formally reviewed and approved within the last 7 months.
Inspection
non-key
Walkthrough
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the selected change was formally authorized by before the change had been processed.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the selected change was subject to an impact analysis (in particular regarding controls that may be impaired) reviewed . - Ensure that appropriate actions were taken to modify or redesign these controls (if necessary) to retain their integrity
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the selected change was subject to the formalization of a test plan, a roll-out plan and a roll-back plan. - Ensure that the test plan, roll-out plan and roll-back plan had been formally reviewed and approved prior to implementation of the change. - Obtain the list of all interfaces between critical systems, platforms, applications and databases. - For each interface, obtain the last testing results. - Ensure the testing results are no more than 3 years old. - Ensure that the test results confirm that data transmissions are complete, accurate and valid. - Ensure that the interface test results have been formally reviewed and approved. - Obtain the list of individual changes that occurred on existing interfaces during the period under review. - Based on professional judgement, select a representative sample of changes to interfaces for the period under review. - For each selected item, obtain the interface test results. - Ensure that the test results confirm that data transmissions are complete, accurate and valid. - Ensure that the interface test results have been formally reviewed and approved. - Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form including the test plan approved. - Determine whether the test plan was followed for testing the change.
- Determine whether the test results were formally documented, reviewed and approved before the change had been implemented (live in the production environment).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
High
Independent
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the change results were reviewed by the Business Owner showing approval of the change implemented.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
High
Independent
- Obtain the list of all changes to critical systems, platforms, applications and databases. - Based on professional judgement, select a representative sample of changes for the period under review. - For selected changes, obtain and inspect the change requests and ensure that documentation impact assessment has been formalized. - If updated, ensure that documentation has been reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Reperformance
- Obtain the list of all critical systems, platforms, applications and databases. - For each critical system, platform, application and database, obtain and inspect the list of available documentation and support service plan (including location) and ensure it is kept in the mentioned location. - Ensure that it has been formally reviewed and approved.
Inspection
Low
Reperformance
- Obtain the list of all end-user applications. - Based on professional judgement, select a representative sample of changes for the period under review. - For selected changes, obtain and inspect the change requests and ensure that documentation impact assessment has been formalized. - If updated, ensure that documentation has been reviewed and approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain the list of all end-user applications. - For each end-user application, obtain and inspect the list of available documentation and support service plan (including location) and ensure it is kept in the mentioned location. - Ensure that it has been formally reviewed and approved. - Obtain and inspect the list of emergency changes to systems, platforms, applications and databases (logs if any), especially emergency changes to critical ones. - Based on professional judgement, select a representative sample of emergency changes for the period under review. - For each selected item, obtain the corresponding emergency change form. - Determine whether the selected emergency change was formally reviewed and authorized. - Obtain the list of all positions/functions in the company and the related job descriptions. - Verify that each job description specifies the profiles/accesses to be allocated to the corresponding position/function. - Obtain and inspect the matrix of profiles to determine whether all positions/functions have been considered. - Verify whether the matrix of profiles is in line with all the job descriptions and roles in the organization. - Ensure that it has been reviewed within last 7 months. - Ensure that it has been formally reviewed and approved.
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
Med.
Reperformance
- Obtain and inspect the list of joiners, job changes and job terminations, for employees, contractors, vendors and non-client personnel. - Based on professional judgement, select a representative sample of access request forms (provisioning and deprovisioning) for the period under review. - For each selected item, determine whether selected forms were adequately prepared, reviewed and approved. - Verify in the relevant systems, platforms, applications and databases that the access rights have been granted (in case of provisioning) or revoked (in case of deprovisioning) as per the details of the approved provisioning/deprovisioning form. - Based on professional judgement, select the appropriate sample of months for the period under review. - For each selected month, obtain the list of transfers and leavers from Human Resources Department. - For each transfer and leaver of the list, obtain system evidence that the access rights have been updated accordingly (modified for transfers or revoked/suspended for leavers). - For each selected month, ensure that the review of transfers and leavers has been formally reviewed and approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Med.
Rely
Med.
Rely
- Obtain and inspect the access rights review performed. - Ensure that the scope of the access rights review is complete (i.e. at least all critical systems, platforms, applications and databases). - For each critical system, platform, application and database, ensure that the effective access rights (system capture) are in line with employee's position and responsibilities in the company (job description) and that these are still aligned with need-to-have and segregation of duties principles. - For each critical system, platform, application and database, ensure that all users have a unique user ID by which they can be identified (any exception to this rule must be well documented, rationalized and approved). - For each critical system, platform, application and database, identify temporary accounts, generic accounts, applicative accounts and ensure that they are legitimate and adequately supported by documentation and explanations. - Ensure that the access rights review has been reviewed and approved.
High
Independent
- Obtain and inspect the access rights review related to the migration of new/modified systems, platforms, applications and databases. - Ensure that the scope of the access rights review is complete (i.e. at least all critical systems, platforms, applications and databases). - Based on effective access rights (system capture), determine which accounts are authorized to migrate new/modified systems, platforms, applications and databases into the production environment. - Determine whether the job descriptions of the personnel capable of migrating new/modified systems, platforms, applications and databases into the production environment specify such an authority for these positions/functions. - Ensure that these personnel (authorized to migrate new/modified systems, platforms, applications and databases into the production environment) are not authorized to perform any development, in order to comply with Segregation of Duties principles. - Ensure that the access rights review related to the migration of new/modified systems, platforms, applications and databases has been formally approved. - Obtain and inspect the list of usernames (and corresponding persons) with privileged/powerful access rights to systems, platforms, applications and databases. - Ensure that this list is in line with the access actually implemented in systems (system capture). - Ensure that such privileged/powerful access rights are part of the job description of the persons using these usernames. - Ensure that access to powerful operating system commands is limited to the appropriate IT users. - Ensure that the list of usernames with privileged/powerful access rights to systems, platforms, applications and databases has been formally reviewed and approved.
High
Reperformance
High
Reperformance
- Obtain the updated list of end-user computing tools. - For each end-user computing tool (such as spreadsheets and other end-user programs), obtain the user access rights related to it (e.g. access rights to the directory/folder where it is stored and used from the system capture). - Ensure that the list of user access rights to end-user computing tools has been formally reviewed and approved.
Med.
Reperformance
- Based on professional judgement, select the appropriate sample for the period under review. - For each selected month, obtain the reviewed list of vendors/contractors accounts and the related access rights (system capture). - Ensure that the scope of the list is complete (i.e. at least all critical systems, platforms, applications and databases). - Obtain the access request forms related to each contractor. - Verify whether each vendor/contractor access is limited in terms of access rights granted and time of activity defined in the access request form. - Verify whether each existing vendor/contractor account is legitimate vs. the provisioning and deprovisioning dates defined in the access request form. - Ensure that the list of vendors/contractors accounts and the related access rights has been formally reviewed and approved. - Based on professional judgement, select the appropriate sample for the period under review. - For each selected month, obtain the list of user accounts with remote access capability granted to vendors, contractors and employees (system capture). - Ensure that the scope of the list is complete (i.e. at least all critical systems, platforms, applications and databases). - Obtain the remote connection request forms related to the vendors, contractors and employees who have remote connection capabilities. - Ensure that remote connection is appropriately limited in terms of time window of activity (e.g. no 24h/7d activation) in line with the need-to-have. - Ensure that only vendors, contractors and employees that currently need to access Tigo infrastructure remotely, can actually connect remotely. - Ensure that the list of user accounts with remote access capability granted to vendors, contractors and employees, has been formally reviewed and approved. - Obtain the logs of remote connections for each critical system, platform, application and database.
- Based on professional judgement, select a representative sample of remote accesses to these for the period under review. - For each selected item, ensure that the activities were adequately supported by a remote connection request form and the description of activities planned. - Ensure that the logs of activities from remote connections vs. planned activities have been formally reviewed and approved.
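The vendor/contractor account review and the remote connection log review described above, as an added example that is not part of the original document. The record layouts, account names, system names and the `hours` field are assumptions, and all sample data is constructed.

```python
from datetime import date, datetime

# Constructed access / remote connection request forms (approved scope per account).
REQUESTS = [
    {"account": "v_acme01", "system": "billing-db", "rights": {"read"},
     "start": date(2024, 1, 10), "end": date(2024, 3, 31), "hours": (8, 18)},
    {"account": "v_netco", "system": "core-router", "rights": {"read", "config"},
     "start": date(2024, 4, 1), "end": date(2024, 4, 30), "hours": (20, 23)},
]

# Constructed system capture of vendor/contractor accounts.
ACCOUNTS = [
    {"account": "v_acme01", "system": "billing-db", "rights": {"read", "write"}, "enabled": True},
    {"account": "v_netco", "system": "core-router", "rights": {"read", "config"}, "enabled": True},
    {"account": "v_ghost", "system": "crm", "rights": {"read"}, "enabled": True},
    {"account": "v_done", "system": "erp", "rights": {"read"}, "enabled": False},
]

# Constructed remote connection log: timestamp, account, system.
REMOTE_LOG = """\
2024-02-12T09:14:00 v_acme01 billing-db
2024-02-13T23:40:00 v_acme01 billing-db
2024-04-02T10:00:00 v_acme01 billing-db
2024-04-03T21:05:00 v_netco core-router
2024-04-04T02:30:00 v_ghost crm
"""


def find_form(requests, account, system):
    """Return the request form covering this account on this system, if any."""
    for form in requests:
        if form["account"] == account and form["system"] == system:
            return form
    return None


def review_accounts(accounts, requests, as_of):
    """Compare enabled accounts in the system capture with the request forms."""
    exceptions = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # deprovisioned accounts need no form
        key = (acct["account"], acct["system"])
        form = find_form(requests, *key)
        if form is None:
            exceptions.append(key + ("no access request form",))
            continue
        if not form["start"] <= as_of <= form["end"]:
            exceptions.append(key + ("enabled outside approved dates",))
        extra = acct["rights"] - form["rights"]
        if extra:
            exceptions.append(key + ("rights beyond form: " + ",".join(sorted(extra)),))
    return exceptions


def review_remote_log(log_text, requests):
    """Flag remote connections not supported by a form, its dates or its time window."""
    unsupported = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, account, system = line.split()
        when = datetime.fromisoformat(stamp)
        form = find_form(requests, account, system)
        if form is None:
            reason = "no request form"
        elif not form["start"] <= when.date() <= form["end"]:
            reason = "outside approved dates"
        elif not form["hours"][0] <= when.hour < form["hours"][1]:
            reason = "outside approved time window"
        else:
            continue
        unsupported.append((stamp, account, reason))
    return unsupported


if __name__ == "__main__":
    for item in review_accounts(ACCOUNTS, REQUESTS, as_of=date(2024, 4, 15)):
        print("account exception:", item)
    for item in review_remote_log(REMOTE_LOG, REQUESTS):
        print("remote connection exception:", item)
```

Each exception still needs the documented follow-up and formal review that the procedure requires; the script only narrows the population to the items that need explanation.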
Med.
Rely
Med.
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- Based on professional judgement, select the appropriate sample for the period under review. - For each selected month, obtain the reports on remote connections to critical systems, platforms, applications and databases. - Ensure that the reports contain details (and description of activities) related to all approved remote connection request forms. - Ensure that the reports have been formally reviewed and approved. - Obtain and inspect the security setup review for critical protected areas. - Ensure that critical password files, authorization tables, communications software, encryption keys and critical installation programs are stored in logically protected areas or otherwise protected from read-and-write access. - Ensure that the security setup documentation has been formally reviewed and approved and access to critical protected areas is granted to authorized users only.
Inspection
Med.
Reperformance
Inspection
High
Rely
For each critical system, platform, application and database, obtain the password complexity rules and ensure that password controls are in effect and consider minimum security rules (where technically feasible):
- Minimum password length of 8 characters,
- Password complex composition is enforced: password must be composed of alpha-numeric characters at least (characters and digits). Additional complexity can be implemented (e.g. no dictionary words, use of symbols),
- Passwords are forced to be changed every 90 days at least (passwords of administrator accounts can have a one year validity),
- Unsuccessful login attempts must be logged and reviewed.
Complementary security practices can also be considered:
- Initial log-on uses a one-time password,
- History of the last 6 passwords cannot be used for password renewal,
- 5 unsuccessful log-on attempts allowed before lockout (where business continuity is not impacted),
- Idle session time out after 10 minutes.
Ensure that the review of password controls has been performed within the last 7 months and has been formally approved.
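One way to reperform the password control check on a Linux host, as an added example that is not part of the original document. It assumes the host uses pam_pwquality, pam_pwhistory, pam_faillock, the shell `TMOUT` variable and a standard shadow file; the file contents and account names are constructed, and the logging/review and one-time initial password items are not checkable from these files.

```python
import re

# Thresholds copied from the password rules listed above.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90              # ordinary accounts
ADMIN_MAX_AGE_DAYS = 365       # administrator accounts may have one-year validity
HISTORY_DEPTH = 6
LOCKOUT_ATTEMPTS = 5
IDLE_TIMEOUT_SECONDS = 10 * 60

# Constructed sample file contents (not taken from any real system).
SAMPLE = {
    "pwquality": "# pwquality.conf\nminlen = 8\ndcredit = -1\nlcredit = 0\nucredit = 0\n",
    "faillock": "# faillock.conf\ndeny = 10\nunlock_time = 900\n",
    "pam_password": "password requisite pam_pwquality.so retry=3\n"
                    "password required pam_pwhistory.so remember=6 use_authtok\n",
    "profile": "TMOUT=600\nreadonly TMOUT\n",
    "shadow": "root:$y$constructed:19700:0:365:7:::\n"
              "alice:$y$constructed:19700:0:90:7:::\n"
              "bob:$y$constructed:19700:0:99999:7:::\n"
              "svc_backup:!:19700:0:99999:7:::\n",
}


def parse_settings(text):
    """Parse 'key = value', 'key=value' or 'key value' lines; skip comments."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def audit_password_controls(cfg, admins=("root",)):
    """Return (control, detail) findings for settings weaker than the baseline."""
    findings = []
    pwq = parse_settings(cfg["pwquality"])

    minlen = as_int(pwq.get("minlen"))
    if minlen is None or minlen < MIN_LENGTH:
        findings.append(("min-length", f"minlen={minlen}, need >= {MIN_LENGTH}"))

    # A negative credit means "at least that many characters of the class".
    digits = as_int(pwq.get("dcredit")) or 0
    letters = min(as_int(pwq.get("lcredit")) or 0, as_int(pwq.get("ucredit")) or 0)
    if digits >= 0 or letters >= 0:
        findings.append(("complexity", "letters and digits are not both required"))

    for line in cfg["shadow"].splitlines():
        fields = line.split(":")
        if len(fields) < 5 or fields[1][:1] in ("!", "*"):
            continue  # malformed line, or password login disabled
        name, max_days = fields[0], as_int(fields[4])
        limit = ADMIN_MAX_AGE_DAYS if name in admins else MAX_AGE_DAYS
        if max_days is None or max_days > limit:
            findings.append((f"max-age:{name}", f"max={max_days}, need <= {limit}"))

    match = re.search(r"^\s*password\s.*pam_pwhistory\.so.*\bremember=(\d+)",
                      cfg["pam_password"], re.M)
    remember = int(match.group(1)) if match else 0
    if remember < HISTORY_DEPTH:
        findings.append(("history", f"remember={remember}, need >= {HISTORY_DEPTH}"))

    # Assumption: a missing 'deny' is reported, since module use cannot be seen here.
    deny = as_int(parse_settings(cfg["faillock"]).get("deny"))
    if deny is None or not 1 <= deny <= LOCKOUT_ATTEMPTS:
        findings.append(("lockout", f"deny={deny}, need 1..{LOCKOUT_ATTEMPTS}"))

    tmout = as_int(parse_settings(cfg["profile"]).get("TMOUT"))
    if tmout is None or not 1 <= tmout <= IDLE_TIMEOUT_SECONDS:
        findings.append(("idle-timeout", f"TMOUT={tmout}, need 1..{IDLE_TIMEOUT_SECONDS}"))
    return findings


if __name__ == "__main__":
    for control, detail in audit_password_controls(SAMPLE):
        print(f"{control}: {detail}")
```

In the constructed sample the length rule passes while complexity fails, because digits are required but letters are not, so an 8-digit password would be accepted.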
Inspection
Med.
Reperformance
- Obtain and inspect the policy defining retention periods, backup and storage terms of information. - Ensure that it defines backup terms (frequency, media, etc.), storage terms (on-site, off-site, access, etc.) and retention periods for information from critical systems, platforms, applications and databases (both data and parameters/configurations), as well as any information considered as sensitive in the company's data/information classification. - Ensure that the retention periods, backup and storage terms have been formally reviewed and approved within the last 7 months. - Based on professional judgement, select the sample for the period under review. - For each of the selected months, obtain and inspect the backup journals covering all days of the month to determine whether they have been formally reviewed and approved. - Obtain and inspect the restore journals for the last 7 months. - Determine whether restore tests occurred for information from all critical systems, platforms, applications and databases (both data and parameters/configurations), as well as for any information considered as sensitive in the company's data/information classification. - Ensure that the restore tests were successful. - Ensure that the backup restoration journal and the corresponding restoration results have been formally reviewed and approved. - Obtain and inspect the list of authorized individuals allowed to access the backup media. - Determine whether access to backup media is commensurate with the function and/or profile of the authorized individuals. - Ensure that only formally authorized individuals can access the backup media (both on-site and off-site). - Ensure that the review of accesses to backups vs. the authorizations has been formally reviewed and approved for the last quarter.
Inspection
Low
Rely
Inspection
High
Independent
Inspection
Med.
Reperformance
Inspection
Med.
Rely
- Based on professional judgment, select the sample for the period under review. - For each of the selected weeks, and for each critical system, platform, application, database and Firewall, obtain the logs of unauthorized activities. - For each unauthorized activity, ensure that it has been documented and reacted upon in an appropriate manner. - For each unauthorized activity, ensure that it has been formally reviewed and approved.
Inspection
High
Reperformance
- Based on professional judgement, select a 2 month sample for the period under review. - For each of the selected months, obtain and inspect the logs of unauthorized activities for network activity and for all critical platforms, systems, applications and databases. - Ensure that all unauthorized activities from the logs (including the actions taken) have been formally communicated. - Ensure that the monthly reports on unauthorized activities have been formally reviewed and approved. - Obtain and inspect the batch jobs schedules for each critical system, platform, application and database. - Based on professional judgement, select the sample for the period under review. - For each of the selected days, obtain and inspect the job scheduling checklists to ensure that batch jobs ran as per the job schedules for all critical systems, platforms, applications and databases. - Ensure that the batch jobs ran successfully to completion (or failure was explained and timely remediated). - Ensure that the job scheduling checklists and related results have been formally reviewed and approved.
Inspection
High
Reperformance
25
10
Inspection
Med.
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Professional judgement
a
2 Inspection Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2 (scratch cards : 5)
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Professional judgement
Professional judgement a
Inspection
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
2 (scratch cards : 5)
Reperformance
Professional judgement
Inspection
Professional judgement
1 1
Inspection Inspection
Reperformance
Professional judgement
Reperformance
Professional judgement
1 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1 Inspection
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated population > 50 -> select 10% of available population, up to 25 - If estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 if control automated: 1 If control manual: 5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 - if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 1
Inspection
Professional judgement
Inspection
Professional judgement
25
Reperformance
Professional judgement
If weekly: 5 If daily: 25
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2 Reperformance
Professional judgement
Professional judgement
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 Quarterly: 1 Ad hoc: - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Reperformance
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 Quarterly: 1 Annually: 1 Ad hoc: - If estimated population > 50 -> select 10% of available population, up to 25 - If estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 1
Inspection
Professional judgement
Professional judgement
Professional judgement
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
a) Inspection
Professional judgement
b) Inspection
Inspection
Professional judgement
25
Reperformance
Professional judgement
25
Reperformance
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Professional judgement a
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1 Inspection
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Inspection
Professional judgement
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Professional judgement
Professional judgement
1
Note: test may be performed via Walkthrough test. Obtain the list of user access rights to determine whether they have been reviewed quarterly by the IT Responsible.
Professional judgement
All IT Staff
Note: test may be performed via Walkthrough test.
- Obtain list of access rights (IT staff)
- Review users with access rights to migrate systems; ensure that the function of the person in the company is relevant for the granted access
Professional judgement
All IT Staff
Note: test may be performed via Walkthrough test.
- Obtain list of access rights (IT staff)
- Review users with access rights to migrate systems; ensure that the function of the person in the company is relevant for the granted access
1
Professional judgement
Professional judgement
Professional judgement
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
1
Note: test may be performed via Walkthrough test. Obtain and inspect the security setup for critical protected areas to determine whether (a) security setup documentation has been signed by the IT Responsible and (b) access to critical protected areas is granted to authorized users only.
Inspection
Professional judgement
1
Note: test may be performed via Walkthrough test. Obtain and inspect the security setup for critical network and systems to determine whether (a) security setup documentation has been signed by the IT Responsible and (b) access to critical network and systems is granted to authorized users only.
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
1
Note: test may be performed via Walkthrough test. Obtain and inspect the list of IT user access rights to determine whether (a) they have been signed off by the Security Officer and (b) access to issue access to the back-up is limited to the appropriate IT users.
5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Professional judgement a
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
1
Note: test may be performed via Walkthrough test. On a sample basis, obtain and inspect selected changes (especially changes to systems and applications providing control over financial reporting) to determine whether such changes have been tested, reviewed and approved by (a) the appropriate person and (b) business owner before being introduced into the production environment.
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Professional judgement
Professional judgement
1
Note: test may be performed via Walkthrough test. Obtain the list of user access rights to determine whether they have been reviewed quarterly by the IT Responsible.
Professional judgement
Professional judgement
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
All IT Staff
Note: test may be performed via Walkthrough test.
- Obtain list of access rights (IT staff)
- Review users with access rights to migrate systems; ensure that the function of the person in the company is relevant for the granted access
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Examine supporting documentation to validate reliability of exception report + inspect 25 exception reports (+ select a sample of items in each selected report for further investigation; document total samples examined in working papers)
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
10
Professional judgement
25
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2 Reperformance
Professional judgement
Professional judgement
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
Professional judgement a
25
Inspection
Professional judgement
25
Reperformance
Professional judgement
10
Professional judgement a
Examine supporting documentation to validate reliability of exception report + inspect 25 exception reports (+ select a sample of items in each selected report for further investigation; document total samples examined in working papers)
Reperformance
Professional judgement
10
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
25
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 - if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Reperformance
Professional judgement
25
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Reperformance
Professional judgement
10
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
25
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
10
Reperformance
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Reperformance
Professional judgement
25
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
Professional judgement
25
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, - if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Reperformance
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Test strategy values, repeated per control in the original sheet:
- If estimated yearly population > 50 --> select 10% of available population, up to 25
- If estimated yearly population < 50 --> select all population available, up to 5
- Fixed values given for individual controls: 1, 2, 25, 1 every 3 years
- Inspection or Reperformance
- Professional judgement
1
Note: test may be performed via Walkthrough test.
Obtain the list of user access rights to determine whether they have been reviewed quarterly by the IT Responsible.
Professional judgement
All IT Staff
Note: test may be performed via Walkthrough test.
- Obtain list of access rights (IT staff)
- Review users with access rights to migrate systems, ensure that the function of the person in the company is relevant for the granted access
Professional judgement
All IT Staff
Note: test may be performed via Walkthrough test.
- Obtain list of access rights (IT staff)
- Review users with access rights to migrate systems, ensure that the function of the person in the company is relevant for the granted access
1
Professional judgement
Professional judgement
Professional judgement
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
1
Note: test may be performed via Walkthrough test.
Obtain and inspect the security setup for critical protected areas to determine whether (a) security setup documentation has been signed by the IT Responsible and (b) access to critical protected areas is granted to authorized users only.
Inspection
Professional judgement
1
Note: test may be performed via Walkthrough test.
Obtain and inspect the security setup for critical network and systems to determine whether (a) security setup documentation has been signed by the IT Responsible and (b) access to critical network and systems is granted to authorized users only.
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
a
1 Inspection Professional judgement
1
Note: test may be performed via Walkthrough test.
Obtain and inspect the list of IT user access rights to determine whether (a) they have been signed off by the Security Officer and (b) access to issue access to the back-up is limited to the appropriate IT users.
5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
SC Med. Rely
Indep. Reperf.
Low Rely
Reperf.
Rely
IC non-key Walkthr.
Code | Process | Total controls | SC | IC
P01 | Payroll | 13 | 3 | 10
P1b | Payroll Outsourced | 14 | 3 | 11
P02 | Inventory Management | 21 | 10 | 11
P03 | Purchasing and Assets Management | 33 | 22 | 11
P04 | Cash Management | 18 | 9 | 9
P05 | Debt Management | 6 | 2 | 4
P06 | Prepayment | 2 | 1 | 1
P07 | Taxes | 10 | 3 | 7
P08 | Assets Impairment | 1 | 1 | -
P09 | Bad debts | 4 | 4 | -
P10 | Contract Management | 4 | 1 | 3
P11 | Commitment and Contingencies | 7 | 7 | -
P12 | Financial Statements Close | 12 | 12 | -
P13 | IT General Controls Procedure | 46 | 31 | 15
P14 | Network General Controls Procedure | 34 | 23 | 11
P15 | Bill and Collect for Interconnect/other operators | 14 | 9 | 5
P16 | Bill and Collect for Sales (Roaming) | 28 | 19 | 9
P17 | Bill and Collect for Sales (Postpaid) | 32 | 16 | 16
P18 | Bill and Collect for Sales (Prepaid) | 34 | 20 | 14
P19 | Bill and Collect for Sales (wireless) | 17 | 6 | 11
P20 | Adjustments | 8 | 3 | 5
P21 | Recording of Subscribers Numbers | 4 | - | 4
P22 | Intercompany | 3 | 1 | 2
P23 | Accounting for Financial Assets other than pledge deposits | 2 | 1 | 1
P24 | Indefeasible Rights of Use (IRU) | 9 | 9 | -
P25 | Managing Programming Costs | 6 | 5 | 1
P26 | Bill and Collect for Sales (Cable TV) | 22 | 11 | 11
P27 | Hedging | - | - | -
P28 | Tower Lease Back | - | - | -
P29 | Technology General Controls Procedure | 46 | 31 | 15
 | Total Controls (TLC) | 404 | 263 | 187
 | Average (Critical) Controls per Cycle | 17 | 11 |
8 52
7 3 2 7 9 7 2 6 9
1 1 4 10 4 2 1 1 1 1 4 3 14 10 3 8 8 9 1 1 1 4 4 3 14 113
2 2 6 5 2 1 3 3 2 8 6 4 11 8 5 5 2 1 5 1 8 8 98
6 2 1 2 1 2 6 7 5 2 2 6 1 2 2 1 -
2 2 3 9 3 1 1 1
1 1 7 7 4 -
10 11 11 11 9 4 1 7 3 15 11 5 9 16 14 11 5 4 2 1 1 11
P1 P1b P2 P3 P4 P5 P6 P7 P8 P9 P10 P11 P12 P13 P14 P15 P16 P17 P18 P19 P20 P21 P22 P23 P24 P25 P26 P27 P28 P29
3 2 2 5 7 4 2 5 7 37
3 1 2 2 1 1 2 12
1 2 3
3 1 1 2 1 1 2 1 1 2 2 1 18 -
1 1 2 5 2 1 1 1 1
2 2 2 2 4 3 2 4 3 3 1 1 1 4 34 -
1 1 1 1
1 1 5 4 2
10 11 11 11 9 4 1 7 3 15 11 5 9 16 14 11 5 4 2 1 1 11 15 187
1 1 2
2 1 2 6 5 1 5 5 3 4 2 3 1 6 -
2 1 2 4 14 8 4 10 6 8 2 1 1 3 1 3
2 3 2 10 10 3 9 8 6 4 2 4 2 7
7 55 25%
14 106 48%
10 102 46%
15 187
2 10 6 1 4 3 5 1 1 1 1 1 10 61
2 1 3 6 3 2 1
1 2 2 2 33
6 65
This testing strategy is applicable for ICFR developing countries: Amnet operations PY Honduras Senegal DRC Chad
71%
23%
6%
16%
54%
Testing (color scheme used in sheet "Test Strategy"):
* note: Walkthroughs are to be performed for ALL controls (both SC and IC)
- Independent testing - PwC to independently test control based on testing strategy defined in worksheet "Test Strategy"
- Reperformance of management testing - PwC to obtain management's testing support for management's sample and reperform test of control
- Rely / Observation/Walkthrough - PwC to independently observe if the control is being performed with the Control Owner, and to confirm the result

Criteria used for:
- Low risk: Not Pervasive; Routine; Low degree of judgement involved; ok for objective testing; low potential for mgt override
- Medium/High risk: More complex IT Application Controls (ITACs); Higher risk; highly judgemental or complex controls; potential for mgt override

SoX controls are allocated in 3 buckets (High, Medium, Low) depending on risk rating.
!!! change !!! compared to 2010: Controls risk rating has been aligned with overall risk assessment by process.

PY SoX results
- Test Results 06: Significant deficiencies were noted in the controls surrounding taxes/deferred taxation, fixed assets/CWIP and the Financial Statement Preparation (IFRS) process. No material weaknesses were identified. No SUD or SAAD items identified.
- Test Results 07: No significant deficiencies or material weaknesses were identified. No SUD or SAAD items identified.
- Test Results 08: No significant deficiencies or material weaknesses were identified. No SUD item identified. 1 SAAD item recorded (Tax accrual in Tanzania).
- Test Results 09: Two significant deficiencies: Consolidation Close process at the HQ and Prepaid revenue in Chad.
- Test Results 10: No significant deficiencies or material weaknesses were identified. No SUM item identified. 4 SAM items recorded.

Group environment:
Backbone V3.1: rationalisation of controls based on local management comments. Mainly clarification of controls responsible and testing procedures.
Management testing will use V3.1 as from Q1_2011. => Assessment of Management testing to perform based on Q2_2011 CSA Peer review results.
Controls Description
Column headers: P#, Procedure, C#, Control Name, Control Description, Responsible, Type, Category, Frequency, Control Formalization, E/O, V/M, C, R/O, PD
P01
Payroll
IC01
Personnel additions (Local Senior Management and Regional equivalents) are approved
Preventive
X
Subsequent to the approval of RAR, the package for the new Local Senior Management and Regional equivalents is approved.
Each new recruitment of new Local Senior Management and Regional equivalents
Packages related to the hiring of Local Senior Management and Regional equivalents are reviewed and formally approved and related contracts are in line with approved packages.
P01
Payroll
IC02
Personnel additions (other than Local Senior Management and Regional equivalents) are approved
Subsequent to the approval of RAR, the package for employees other than Local Senior Management and Regional equivalents is approved.
Manual
Preventive
Each new recruitment of employee different than Local Senior Management and Regional equivalents
Contracts with new employees, other than Local Senior Management and Regional equivalents, are reviewed and formally approved.
P01
Payroll
IC03
Performance evaluation forms are approved by Head of Departments
The Head of Department reviews and approves the evaluation forms of his/her team and sends the evaluation forms to HR Responsible.
Head of Department
Manual
Preventive
Annually
Annual performance evaluation forms are reviewed and formally approved.
P01
Payroll
IC04
Business Owner reviews the commissions and other variable pay elements (overtime, paid off, sickness, holidays, absence, personnel expenses).
Manual
Preventive
Monthly
Commissions and other variable pay elements reports are reviewed and formally approved.
Calculation of effective bonuses allocated to the Local Senior Management and Regional equivalents is reviewed and formally approved.
P01
Payroll
IC05
Effective bonuses and related calculation are approved
Calculation is made based on bonus performance criteria agreed and communicated by Headquarters. The performance of the operation is calculated and communicated by Headquarters, the individual performance discussed and agreed at operation level. Calculation of effective bonuses for Local Senior Management and Regional equivalents is prepared locally and reviewed by the Regional Manager and approved by Head of Performance and Reward.
CEO and Head of Performance and Reward
Manual
Effective bonuses and related calculation are approved
Calculation is made based on bonus performance criteria agreed and communicated by Headquarters. The performance of the operation is calculated and communicated by Headquarters, the individual performance discussed and agreed at operation level. Calculation of effective bonuses for employees below Local Senior Management and Regional equivalents is prepared locally and reviewed and approved by GM.
Payroll Coding Assignments are reviewed by department
GM
Manual
Preventive
Annually
P01
Payroll
IC06
Preventive
Annually
Calculation of effective bonuses allocated to people below the Local Senior Management and Regional equivalents is reviewed and formally approved.
P01
Payroll
IC10
The mapping between the job positions within the company and related cost center code is reviewed by the Human Resources department (GM-1 or GM-2).
Human Resources department (GM-2)
Manual
Preventive
Quarterly
Mapping between job positions and related cost center code is reviewed and formally approved.
P01
Payroll
IC11
Monthly payroll activity is compared to previous periods
Human Resources Staff analyses payroll monthly report against payroll report of previous period (variance > 10% is supported by explanation).
Human Resources Responsible (GM-1)
Manual
Detective
Monthly
Analytical review with explanation for variance >10% is reviewed and formally approved.
P01
Payroll
IC12
Returns are reviewed for reasonableness and unusual items prior to being filed with the authorities. Note: All the Employee (Direct, Indirect, Consultants) related Taxes and Social Security commitments must be calculated. Employee Taxes (PAYE, WHT, etc) of Local as well as Expatriate employees must be calculated.
Manual
Preventive
Each Filing
Copies of the returns kept on file are reviewed and formally approved.
P01
Payroll
IC13
P01
Payroll
SC07
Review the follow up of recorded conflicts of employee
Changes in employment status and variable pay elements are approved before input in the payroll database
HR Responsible reviews and ensures follow up of cases for recorded complaints of employees.
Manual
Preventive
Monthly
Complaint book is properly reviewed and approved.
- Status change request documents ('Personnel action' form) are reviewed and formally approved.
- All other variable pay elements and related files to be entered into the Payroll System are approved
- Printed copy of discount rate's file is approved
X X X
1) HR Responsible reviews and authorizes the following changes in employee status/package (salary, variable pay elements, benefits, etc) before they are input into the Payroll System:
- Changes due to employee dismissal / termination (removal of the employee from the employee list)
- Changes due to employee recruitment (formalization of new employee contracts)
- Changes due to annual performance evaluation (approval of annual performance evaluation forms)
- Changes due to employee promotion
- Changes due to employee leveling
- Changes due to employee move from one department to another
2) HR Responsible reviews the commissions and other variable pay elements (e.g. overtime, sickness, holidays, absence, personnel expenses and bonuses).
3) Deduction rates, as well as rates for external requirements such as social payments and others, are reviewed every time there is a change, to identify changes or errors in the rates.
Human Resources Responsible (GM-1)
Manual
Preventive
Monthly
P01
Payroll
SC08
Payroll monthly reports are reconciled with payroll fixed and variable data
Human Resources Staff reconciles payroll monthly report against documents approved by HR Responsible during control SC7 in order to identify mistakes, inconsistency or duplication. In addition, the Human Resources Staff ensures that the number of employees in the monthly payroll report equals the total number of employees.
Manual
Detective
Monthly
P01
Payroll
SC09
Bonus accrual computation is reviewed
The Human Resources department prepares the bonus accrual computation based on expected performance.
Manual
Preventive
Quarterly
P02
Inventory Management
IC01
Supply Chain Department must assess and decide if the need to order is relevant. Decision must be documented and based on the inventory review/monitoring performed at warehouse level and formally approved.
GM for Handsets and Customer Premises Equipment; Supply Chain Manager for SIM cards, Scratch cards and other Accessories.
Manual
Preventive
Weekly
P02
Inventory Management
IC02
Stock Order Form/Dispatch Note is completed (Nature/Destination/Origin) reviewed and formally approved by the Sending Warehouse Responsible. This document is completed at destination and reviewed and formally approved by the receiving party (i.e. confirmation of appropriate stock quantity received). When transfer has been done, the Stock Order Form / Dispatch Note is returned to the sending party who ensures that the stock delivered was equal to the stock sent. Any differences are investigated and explained; any corrective actions are taken and documented.
Warehouse Supervisor (Head of Supply Chain-2)
Manual
Preventive
Each delivery
P02
Inventory Management
IC03
The list of goods in transit is reviewed. Any old outstanding goods in transit (for which no approved Stock Order Form/Dispatch Note has been received) are investigated; any required corrective actions are taken and documented. Final analysis is reviewed.
Warehouse Responsible (GM-2)
The SCM-3 reviews the stock order form for quantity, amount and credit limit and approves the form.
Head of Supply Chain-3 (SCM-3)
Manual
Detective
Monthly
P02
Inventory Management
IC04
Manual
Preventive
P02
Inventory Management
IC05
All sales prices included in the invoicing system are reviewed against the approved price list.
Manual
Preventive
P02
Inventory Management
IC06
Quantity reconciliation between invoice and Dispatch Note / Stock Order Form
Stock quantity from the invoicing system is reconciled with the stock quantity indicated in the Stock Order Form/Dispatch Note. Any differences are investigated and explained; any corrective actions are taken and documented.
Manual
Detective
Each change and at least quarterly
Prices list extracted from the invoicing system reviewed and formally approved.
Each stock sale
Reconciliation reviewed and formally approved.
P02
Inventory Management
IC10
Warehouse Supervisor reviews Stock Return Form (description of inventory item returned detailing the accessories, quantity received, reason for return) and approves it.
Detective
Each return
P02
Inventory Management
IC11
The credit note is reviewed based on Stock Return Form and approved.
CFO-2
Manual
Preventive
P02
Inventory Management
IC12
CFO-2
Manual
Detective
P02
Inventory Management
IC19
Sales to Dealers above the approved credit limit must be formally approved
CFO
Manual
Preventive
P02
Inventory Management
IC20
A list of Dealers which have monthly balances above their authorized credit limit is printed and reviewed.
CFO
Manual
Detective
Monthly
List summarizing dealers with balances above their credit limit is reviewed and formally approved
Cost of sale calculation methodology and criteria reviewed and formally approved.
Reconciliation reviewed and formally approved.
X X X
P02
Inventory Management
SC07
Accounting methodology for stock is documented by the accounting team and reviewed.
CFO
Manual
Preventive
Annually
P02
Inventory Management
SC08
Reconciliation is performed between sales from the accounting system and sales report from the invoicing system. Any differences are investigated and explained; any corrective action is taken and documented.
Manual
Detective
Monthly
P02
Inventory Management
SC09
Reconciliation is performed between the value of total inventory from the accounting system and from inventory module. Any differences are investigated and explained; any corrective action is taken and documented. Reconciliation is performed between the stock count and the inventory report / list of obsolete items. Explanations and corrective actions are formalized by accounting team and reviewed.
Manual
Detective
Monthly
P02
Inventory Management
SC13
Manual
Detective
P02
Inventory Management
SC14
Assumptions for obsolete inventory and slow-moving items reviewed
List of obsolete items approved
Obsolete items identified
Guidelines to determine obsolete and slow moving items are documented and reviewed.
CFO
Manual
Preventive
P02 P02
SC15 SC16
CFO and GM
Manual Manual
Detective Preventive
Quarterly Quarterly
Based on the list of obsolete items reviewed by the GM and CFO, the Warehouse Responsible clearly identifies and separates those items.
Warehouse Responsible
Accounting Responsible (CFO-1)
List reviewed and formally approved.
List identifying the obsolete items reviewed and formally approved.
X X
X X
P02
Inventory Management
SC17
Manual
Detective
Quarterly
P02
Inventory Management
SC18
- If stock remeasurement test is not performed, an explanation is documented in a memorandum. - If a stock remeasurement test is performed, the conclusions are documented in a memorandum.
Manual
Detective
Quarterly (quarter-end)
P02 P03
SC21 IC01
Billing system parameters that affect the invoicing process are reviewed.
IT Critical System Responsible
CFO ensures all major fixed assets purchases are approved by the Board.
CFO
Manual Manual
Detective Preventive
Quarterly
Each request for new major fixed-assets acquisition
List of approved CAR by the Board reviewed and formally approved.
X
P03
IC02
The Purchasing Responsible checks the supplier estimate for goods/services vs. the Capital Application Request Form to ensure purchases are within the approved amount for the CAR.
Purchasing Responsible (GM-2)
Manual
Preventive
P03
IC03
The Vendor Master File is reviewed. In particular, inactive suppliers are identified and blocked.
Manual
Preventive
Catalogue of master file including status of suppliers reviewed and formally approved.
Checklist reviewed and formally approved.
P03
IC04
Manual
Preventive
Each contract
P03
IC07
Credit Note received by supplier is reviewed by GM-3 to validate the transaction before booking.
Manual
Preventive
P03
IC11
When an advance payment has been made, at the time the goods/service is received, a booking to reverse the advance payment must be made. Amount of the reversal is received before booking.
Accounting Responsible (CFO-3)
Manual
Preventive
P03
IC17
Timesheets reviewed
Timesheets detailing the cell-site commissioning team working on site under construction and the time spent per project / sites is reviewed by CTO.
CTO
Manual
Preventive
Monthly
P03
IC20
List of assets to be capitalized is approved
List of assets (including tag number) to be capitalized is approved when site starts generating revenue or project is completed.
GM-2
Manual
Preventive
P03
IC27
When asset is received by the Receiving Department, ATN is signed-off.
Receiving Department (GM-4)
Manual
Preventive
Each transfer
P03
IC29
P03
IC32
The FA Responsible prepares by assets owner a list of all assets under their custody. This document is sent to all Head of Department for confirmation.
- Asset Disposal Note is completed by Finance Responsible (CFO-2) based on User Department information and ATN.
- Receipt of sale proceed is attached.
- ARO computation is documented.
- Realized gain or loss is documented.
CFO reviews the ADN and signs it for approval.
Detective
Quarterly (not necessarily at quarter end)
Lists of assets signed off
Each transfer
ADN reviewed and formally approved.
Preventive
P03
SC05
CAPEX/OPEX/Inventory check
Head of Department reviews the transaction type (CAPEX, OPEX or inventory) which is inputted in the purchase request
Head of Department
Manual
Preventive
P03
SC06
PO approved
Manual
Preventive
Each PO
P03
SC08
2-way match
PO module
Automatic
Preventive
System Parameters
P03
SC09
Accounting team (preferably the AP Responsible) extracts from the accounting system the open CAPEX accrual transactions and summarizes them by supplier. Analysis per supplier is then performed to ensure accuracy of data (including existence, review of duplication, and explanation on aged accruals balances over 6 months etc.)
Accounting Responsible (CFO-2)
Manual
Detective
Monthly
P03
SC10
Accruals checklist is completed by CFO-2 and reviewed. In particular, CFO-1 reviews the list for completeness, explains reasons for current accruals booked, indicates whether there was an accrual last month and the total amount booked in the accounts (for each accrual type).
Accounting Responsible (CFO-1)
Accounting team (best AP Responsible) extracts from the accounting system the open advances and summarizes them by supplier. Analysis per supplier is then performed to ensure accuracy of data (appropriate reversal performed).
Accounting Responsible (CFO-2)
Manual
Detective
Monthly
P03
SC12
Manual
Detective
Monthly
P03
SC13
Invoices approved
Manual
Preventive
Each invoice
P03
SC14
3-way match
PO module prevents recording an invoice quantity and price higher than the PO and the GRN/SDN.
PO module
Automatic
Detective
System Parameters
P03
SC15
FA Responsible ensures that when assets are capitalized, a final tagging is applied which follows the assets coding communicated by the HQ and at the latest 8 weeks after the date of transfer from CWIP to FA.
Preventive
Each asset
P03
SC16
Based on the key terms of the contract summarized in a memorandum, CFO-1 documents the accounting treatment of transactions linked to the turnkey project and CFO reviews and approves.
CFO
Manual
Preventive
P03
SC18
Based on the information received from the CTO, Human Resource values the time spent by the cell-site commissioning team for the construction of sites. This analysis is signed-off and communicated to Accounting Department.
Manual
Preventive
Monthly
P03
SC19
CWIP register is prepared and includes at minimum assets identification (can be serial number or any other means), date of receipt, PO reference, value, expected date of capitalization, location and asset description. Fixed Assets Responsible reviews the CWIP register for completeness and reconciles it to the CWIP accounts in the Accounting System. Any discrepancy is investigated and solved.
Fixed Assets Responsible (GM-2)
Manual
ARO provision calculation is prepared by CFO-1 and reviewed by CFO.
CFO
Manual
Detective
Monthly
P03
SC21
Preventive
P03
SC22
Costing (including assets, ARO, interests, services, freight, duties, etc.) prepared by Fixed Assets Responsible (CFO-2) is reviewed by CFO-1. System print-out evidencing the accounts update is attached and reviewed.
Accounting Responsible (CFO-1)
Manual
Preventive
Each capitalization
Costing sheet reviewed and formally approved attached with the system update
P03
SC23
The License Summary Sheet (Part I) relating to the capitalization rule is completed (including deferred costs) by the Accounting Responsible (CFO-1) and reviewed by CFO.
CFO
Manual
Preventive
P03
SC24
Depreciation rates comply with MIC Accounting Policy
Based on the FAR, Fixed Assets Responsible (CFO-2) extracts details of all assets. A summary by assets category is prepared showing depreciation rate used. Those rates are checked against the MIC Accounting Policy (including assets with no depreciation rate). Any discrepancy is investigated and correction documented and booked into the FAR. CFO ensures that the FA Responsible has properly performed his review.
Assets with negative net book value reviewed
Fixed Assets Register is extracted from the fixed assets module. Any asset with a negative net book value is reviewed and corrected.
CFO
Manual
Detective
Quarterly (quarter-end)
P03
SC25
Detective
Monthly
P03
SC26
Asset new useful life reviewed
When depreciation period needs to be modified, new asset useful life is reviewed by CFO and communicated to GFC for review.
CFO
Manual
Preventive
P03
SC28
Based on the sequential numbering of ATN, a list is created and updated for each transfer performed. This list should include the transfer date, receipt date and fixed assets register update date. Once a month, the list is reviewed and any missing ATN is investigated to ensure all transfers were properly updated in the Fixed Assets Register.
1) FA Responsible (CFO-2) reconciles the count with the Fixed Assets Register. All differences are investigated, corrective actions performed and documented. 2) List of obsolete items is summarized, investigated, accounting adjustment booked and documented. 3) Final documents are reviewed by the CFO-1.
Detective
Monthly (not necessarily at month-end)
Cut-off report reviewed and formally approved.
P03
SC30
Detective
All assets to be counted at least once a year
Reconciliation reviewed and formally approved.
P03
SC31
1) FA Responsible (CFO-2) reconciles the CWIP schedule with the count or any relevant supporting documentation (civil work, loan interest, custom duties and freight). All differences are investigated, corrective actions performed and documented. 2) Final document is reviewed by the CFO-1.
Fixed Assets Responsible (GM-2)
Manual
Realized gain or loss calculation is prepared by CFO-1 and reviewed by CFO.
CFO
Manual
Detective
All assets to be counted at least once a year
Reconciliation reviewed and formally approved.
P03
SC33
Preventive
Each disposal
P04
Cash Management
IC01
Where a supplier requests an advance payment above a threshold (predefined in MIC policy manual) and no bank guarantees are given, the Purchasing Dept must request a service provider to assess the existence, quality and solvency of such supplier. A report must be obtained summarizing what the basis for the assessment was. The report must be reviewed internally by the Purchasing Dept and forwarded to the CFO for approval.
Vendor complaints are summarized by the Purchasing Department in a log book and communicated once a month to the Accounting Responsible (CFO-1) for review (appropriate provision booked).
CFO
Manual
Preventive
Each time a new supplier requests an advance payment and no guarantees are given
P04
Cash Management
IC03
Manual
Detective
Monthly
P04
Cash Management
IC05
Before initiating a payment, the vendor balance is reviewed to ensure that no credit note exists and that previous invoices were paid.
Treasurer
Manual
Preventive
Each payment
P04
Cash Management
IC11
Customer Service Responsible prepares the log of complaints. The log must be maintained and reviewed monthly by the CFO to ensure appropriate provision has been booked. The log must include actions taken and current status of the complaint.
Before the first submission of the monthly financial data, a bank reconciliation summary sheet is prepared by CFO-1 and includes for all bank accounts the status of the reconciliation and, in case of incomplete reconciliation, the remaining unexplained amounts and the action plan to explain / correct those differences. This summary is then reviewed by CFO.
CFO
Manual
Detective
Monthly
P04
Cash Management
IC14
CFO
Manual
Detective
Monthly
P04
Cash Management
IC15
Supporting documents for petty cash advances approved
All petty cash advances are authorized.
Manual
Preventive
Each advance
P04
Cash Management
IC16
Manual
Preventive
Each advance
P04
Cash Management
IC17
The responsible manager reviews the original invoices supporting the cash expended and ensures that it was used for legitimate business purpose.
Manual
Preventive
Each advance
P04
Cash Management
IC18
Petty cash safe content must be counted at least once a month (using specific form for the reconciliation). Any discrepancy with the Petty Cash Register maintained by the Petty Cash Custodian must be investigated and escalated.
CFO-1 or CFO-2
Manual
Detective
Monthly
P04
Cash Management
SC02
P04
Cash Management
SC04
Aging balance report reviewed
The payable aging balance report is extracted and reviewed. In particular, all unpaid amounts for more than 6 months are analyzed and cleared.
CFO-1
Reconciliation of vendor statements with accounts payable
a) All vendors should be checked once a year (ongoing program - at least 1/12 of the supplier database a month) b) List of 20 top suppliers is obtained. CFO-3 prepares circularization letter and sends them to the selected suppliers. When answers are received from suppliers, a reconciliation is performed with the A/P. Differences are investigated, explained and actions are taken. If no answer is received within the following 2 weeks of the sent request, a reminder is sent to the supplier and any action performed to obtain the information is documented on a summary sheet listing the 20 suppliers selected.
Finance Responsible (CFO-1)
Manual
Detective
Monthly
Payable aging balance report reviewed and formally approved. Reconciliation reviewed and formally approved.
Manual
Detective
a) Monthly b) Quarterly
P04
Cash Management
SC06
Payment voucher / instructions / cheque authorized
Payment voucher / instruction / cheque is signed based on approved supporting documents.
Responsible according to approved authority matrix
Manual
Preventive
Each payment
P04
Cash Management
SC07
CFO reviews the list of authorized direct debit obtained from financial institutions and ensures that they were all approved and valid.
CFO
Manual
Detective
Quarterly
P04
Cash Management
SC08
Confirmation from financial institution of the cash deposit and of electronic payment reconciled with sales report
Cash reconciliation between billing and accounting system
The treasurer or collection department reconciles the sales report obtained from the billing system with the cash received confirmed by the financial institution (cash deposited and electronic payment confirmed).
Treasurer or Collection Responsible (GM-3)
Cash report from the billing system is reconciled to the accounting system. Any discrepancy is investigated, explained and actions are taken.
Treasurer or CFO-1
Manual
Detective
Daily
P04
Cash Management
SC09
Manual
Detective
P04
Cash Management
SC10
Reconciliation between banking summary and bank statements (dealers indirect sales force)
Upon receipt of the bank statements from the central cash account, the accounting department must reconcile the statements to the banking summary reports provided by the dealers. Any discrepancy must be investigated, documented and actions taken.
Accounting Responsible (GM-3)
Manual
Detective
Weekly
P04
Cash Management
SC12
CFO-1 verifies that any blocked deposits are properly identified in the accounts (versus cash free of encumbrance).
CFO-1
Manual
Detective
Quarterly
Extract of cash accounts from accounting system reviewed and formally approved with evidence of proper segregation X
P04
Cash Management
SC13
For all cash accounts, a reconciliation with bank statement is performed by CFO-2. All reconciled items are investigated, explained and corrective actions booked if any. This analysis includes also:
- the clearing of old outstanding unreconciled items (above 2 months).
- the review of zero-balance accounts (account in the accounting system should be blocked)
- the review of uncashed cheques
- the review of unapplied cash accounts
All reconciliations are reviewed by CFO-1. Note: in case some reconciled items are not explained before end of the closing period, their investigation should continue the following month and be closed before the start of the next closing period.
Accounting Responsible (CFO-1)
Manual
Detective
Monthly for each account but recommended weekly for high usage accounts
Bank Reconciliation reviewed and formally approved.
P05
Debt Management
IC01
Loan Summary Form (including all loans terms and conditions) is completed by the Financial Responsible (CFO-1), reviewed and approved by CFO and HQ (Corporate Finance).
CFO
Manual
Preventive
P05
Debt Management
IC02
Cash receipt is matched against loan agreement to ensure that correct amount was received.
Treasury responsible (CFO-2)
Manual
Detective
P05
Debt Management
IC05
When a breach is identified, debt covenants computation is sent to HQ (Corporate Finance) for review. Evidence of this review is obtained by the CFO-1.
Finance Responsible (CFO-1)
All new loans and lines of credit in excess of USD 500,000 are to be discussed and agreed with Corporate Treasury before the operation enters into such agreements.
Treasury responsible (CFO-2)
Manual
Detective
Debt covenants computation reviewed and formally approved by HQ. Approval received from HQ.
P05
Debt Management
IC06
New loans and lines of credit in excess of USD 500K are approved by Corporate Treasury.
Manual
Preventive
P05
Debt Management
SC03
Interest and loan classification reviewed
Interest as per calculation sheet is reconciled with the accounts and loan classification between long-term and short-term is reviewed.
Manual
Detective
Monthly
P05
Debt Management
SC04
All covenants are computed by the Finance Responsible (CFO-1) based on current data and based on the company 12 months forecast. Breaches are identified and documented. Analysis is then reviewed by the CFO.
CFO
Manual
Detective
Covenants computation and breach identification memo reviewed and formally approved.
P06
Prepayment
IC01
After the accounting team has inputted the data related to prepayment into the Fixed Assets Register, an Accounting Responsible / Supervisor (CFO-2) reviews the prepayment parameters with the contract summary sheet.
Accounting Responsible / Supervisor (CFO-2)
Manual
Detective
Prepayment parameters sheet from FAR reconciled, reviewed and formally approved.
P06
Prepayment
SC02
Accounting Responsible (CFO-2) recomputes manually the monthly prepayment amortization, compares it to the amount automatically recorded in the accounting system and checks prepayment closing balance. Any discrepancies are investigated and explained. This analysis is then reviewed by the Accounting Responsible (CFO-1).
Current and deferred taxes accruals are prepared by the Accounting Responsible (CFO-3) and reviewed by the CFO-2.
CFO reviews and approves tax return prior to filing.
Manual
Detective
Monthly
P07
Taxes
IC01
Manual
Preventive
Monthly
P07
Taxes
IC02
CFO
Manual
Preventive
P07
Taxes
IC05
Tax booked in the accounts is compared to quarterly tax provision calculation or to tax assessment if any. The difference is identified and approved.
Manual
Preventive
P07
Taxes
IC06
Creation or update of tax parameters related to customer / supplier / product or service are reviewed before input in system.
Customer Care Responsible (GM-3) and Accounting Responsible (CFO-2)
Tax advisor (internal / external) documents in a memo the current tax status of all taxes applicable to the entity and specifically notes the recent tax changes. The memo is then reviewed by the CFO.
Customer Care Responsible (up to GM-3) and/or Accounts Payable/Receivable Responsible review any change made in the parameters of any customer or supplier, including supporting documentation for the change.
CFO reviews and approves tax return prior to filing.
CFO
Manual
Preventive
P07
Taxes
IC07
Manual
Preventive
P07
Taxes
IC08
Customer Care Responsible (up to GM-3) and/or Accounts Payable/Receivable Responsible (CFO-2)
Manual
CFO
Manual
Detective
Monthly
P07
Taxes
IC10
Preventive
P07
Taxes
SC03
Tax advisors (internal / external) perform the following activities: a) ensures that all direct taxes have been considered by using a checklist listing all required direct taxes, b) reviews the tax calculation including tax rate, c) reviews uncertain tax position, d) reviews the loss carry forward analysis prepared, e) reviews, if any, the tax assessment received from the Tax Administration. This analysis is then sent to CFO for review.
Accounting Responsible (CFO-1) prepares the reconciliation between the accounting base and the tax base and the one between the effective tax rate and the statutory tax rate. Both reconciliations are reviewed by the CFO.
Tax advisor (internal / external) performs the following activities: a) ensures that all indirect taxes have been considered by using a checklist listing all required indirect taxes, b) performs a rationalization test per indirect taxes rate for indirect taxes payable and receivable, c) reviews, if any, the tax assessment on indirect taxes received from the Tax Administration. In case of discrepancies, adjustment to be booked is clearly documented. Analysis performed is sent to CFO-1 for review.
The conclusion of the impairment test and computation of any impairment loss is reviewed by the CFO and GFC.
Reports programmed are controlled under IT general control environment.
CFO
Manual
Detective
P07
Taxes
SC04
Reconciliation between accounting and income tax base and between statutory and effective income tax rates reviewed
Internal / external tax advisor review on indirect tax approved
CFO
Manual
Detective
Quarterly
P07
Taxes
SC09
Manual
Detective
P08
Assets Impairment
SC01
Manual
Preventive
Quarterly
P09
Bad debts
SC01
Preventive
Continuous
P09
Bad debts
SC02
Total accounts receivable from the ageing balance is reconciled by the accounting team to the account receivables as per the general ledger. Purpose is to validate the adequacy of the aging balance reporting. Reconciliation is reviewed by Accounting Responsible (CFO-1).
Manual
Detective
Quarterly
P09
Bad debts
SC03
Interconnect and roaming partners, dealers and overdue postpaid subscribers (financial stress customers identified during the dunning process) are reviewed on an individual basis. For customers or partners facing financial stress, an additional provision is determined and reviewed by CFO-1. For balances above 120 days, the absence of a bad debt provision has to be reviewed and approved by Head of Region.
Accounting Responsible (CFO-1) and Head of Region
Manual
Detective
Quarterly
Calculation (and absence of a bad debt provision if any) reviewed and formally approved.
P09
Bad debts
SC04
Bad debt calculation reviewed
Based on the aging balance (postpaid subscriber only), the bad debt provision is calculated using the rule defined in the Policy Manual.
Accounting Responsible (CFO-1)
Contract details reviewed
Manual
Detective
Quarterly
P10
Contract Management
IC01
Contract is reviewed by legal department in order to ensure adequacy of the general terms and conditions.
Legal Responsible (GM-2)
Manual
Preventive
Each contract
P10
Contract Management
IC02
Signed contract is reviewed by the legal team in order to ensure that the contract has been signed by the other party and according to the authorized signatory as per the approved authority matrix.
Legal Responsible (GM-2)
Manual
Preventive
P10
Contract Management
IC03
Contract summary form is prepared by the requesting department and reviewed by Legal Responsible who includes a sequential contract reference number.
Preventive
Each contract
P10
Contract Management
SC04
Based on the contract and contract summary form, the accounting team determines the appropriate accounting treatment (as per MIC Accounting Policy Manual) and details any required calculation (pre-requisites for the journal entries booking). Final analysis is reviewed by Accounting Responsible (CFO-1).
Manual
Preventive
Each contract
P11
SC01
CAPEX open PO list reviewed
A list of all CAPEX purchase commitments is reviewed by the Purchasing Responsible to ensure accuracy of listed items and completeness.
Manual
Detective
Quarterly
P11
SC02
The list of pending litigation and lawsuits is reviewed by Legal Expert to ensure the accuracy of the description, status and estimated loss. In addition, he confirms/updates the probability of occurrence, based on his expert opinion.
Legal Expert (Internal Legal Counsel and/or External Provider)
List of pledged assets is prepared and reviewed.
CFO
Manual
Preventive
Quarterly
P11
SC03
Manual
Preventive
Quarterly
List reviewed and formally approved. Compliance Memo reviewed and formally approved.
P11
SC04
License agreement compliance analysis reviewed
Compliance of license and agreements with terms and conditions is monitored.
Manual
Preventive
Quarterly
P11
SC05
Based on a review of all contracts, a list is prepared summarizing all leasing contracts (financial and operating). This list is reviewed for accuracy and completeness.
Financial Responsible (CFO-1)
Manual
Preventive
Quarterly
P11
SC06
Summary of tax commitments and contingencies reviewed
List of tax commitments and contingencies is prepared and reviewed.
Tax Responsible (GM-2)
Manual
Preventive
Quarterly
P11
SC07
List of other commitments and contingencies and their supporting document reviewed
In order to capture all commitments and contingencies, a template is provided to all department heads in order to document any commitments or contingencies they would be aware of.
Detective
Quarterly
P12
SC01
Accounting Responsible (CFO-1) extracts from the accounting system a report listing the accounting parameters and reviews them for accuracy.
Manual
Preventive
P12
SC02
The Accounting System is configured for double-entry accounting and prevents the entry of duplicate journal numbers.
Automated
Preventive
Continuous
System parameterization
P12
SC03
Standard JE approval
Standard journal entries are
- prepared by Accounting Responsible (CFO-3),
- reviewed by Accounting Responsible (CFO-2),
- authorized by Accounting Responsible (CFO-2) below a threshold predefined according to the approved authority matrix and by Accounting Responsible (CFO-1) above this threshold,
- posted by Accounting Responsible (CFO-2 or CFO-1 depending on the threshold).
Non-standard journal entries are
- prepared by Accounting Responsible (CFO-3),
- reviewed by Accounting Responsible (CFO-2),
- authorized by Accounting Responsible (CFO-2) below a threshold predefined according to the approved authority matrix and by Accounting Responsible (CFO-1) above this threshold,
- posted by Accounting Responsible (CFO-2 or CFO-1 depending on the threshold).
End of month, a list of all the non-standard JEs is summarized by Accounting Responsible (CFO-1) and reviewed and approved by CFO.
Manual
Preventive
Standard journal entries and supporting documents reviewed and formally approved.
P12
SC04
Non-standard JE approval
Manual
Preventive
Non-standard journal entries and supporting documents reviewed and formally approved.
P12
SC05
CFO
Manual
Detective
Monthly
P12
SC06
Closing binder is prepared by the accounting team and includes all the evidence related to the month-end controls. A checklist is completed to ensure completeness and accuracy of controls performed and signed-off by the CFO.
CFO
After the import into the IFRS ledger, CFO-2 reconciles the local and IFRS ledgers. Any discrepancies are investigated and corrected.
Accounting Responsible (CFO-2)
Manual
Detective
Monthly
- Closing checklist reviewed and formally approved. - Closing binder including all supporting documents
P12
SC07
Manual
Detective
Monthly
P12
SC08
Manual
Detective
Monthly
P12
SC09
In the consolidation system, the transfer of data from the local accounting system is reviewed: in the promotion screen, the pass/fail box and the validation box need to be marked as ok. If it is not the case, the blocking validation screen is reviewed to detect the error.
In specific situations and based on approved supporting documents, the manual journal entries to be booked in the consolidation system are prepared, reviewed, authorized and posted.
Automated
Detective
Monthly
P12
SC10
Preventive
Monthly
P12
SC11
Reporting binder is prepared by the Accounting Responsible (CFO-1) and includes all the documents supporting each reporting pack disclosure (a clear link should be evidenced between the reporting pack disclosure and the related supporting documents). Binder is then reviewed by CFO.
CFO
Manual
Detective
Quarterly
P12
SC12
CFO ensures the reporting pack has been approved by HQ (consolidation) by reviewing the promotion level
CFO
For all critical systems, platforms, applications and databases, there is a testing environment:
- separated logically and/or physically from the production environment,
- which allows adequate stress, unit, end-to-end testing
- which reflects as much as possible the live environment (data in kind and quantity),
- which is available for sufficient testing time
CIO
Manual
Detective
Monthly
P13
IC04
Testing for systems, platforms, applications and databases is performed in a testing environment
Manual
Preventive
Print copy of the catalogue and/or description of the testing environments are reviewed and formally approved
P13
IC10
Implementation of change/project is communicated to all relevant parties (end-users, stakeholders) to ensure they are aware of the change and its related impacts
Critical Systems IT Responsible(s)
Manual
Preventive
P13
IC11
The Logical Access Management policy (or security policy) is reviewed and approved to check that the management of user accounts for joiners, job changes and job termination is part of the policy (for both employees and contractors, for local and remote access...)
CIO
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Logical Access Management Policy (or Security Policy) is reviewed and formally approved
P13
IC26
Personal data and sensitive information are inventoried and adequately protected to ensure data confidentiality
Backup execution is reviewed
Personal data and sensitive information are adequately protected to ensure data confidentiality
Manual
Preventive
Quarterly
Security set-up for personal data and sensitive information privacy is reviewed and formally approved
P13
IC28
Backup execution results are documented in the backup journal and validated to ensure that backups are carried out on critical systems, platforms, applications and databases at least daily for data and weekly for configuration setups
Manual
Detective
Daily
P13
IC32
The formalized DRP is reviewed and approved.
Note: DRP and BCP plans should be updated whenever there is a large change implemented.
CIO and GM
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The DRP is reviewed and formally approved
Annually
The test results of the DRP are reviewed and formally approved
P13
IC33
CIO and GM
Manual
Preventive
P13
IC34
The Incident and Problem Management Policy and Procedures is reviewed to check that non-standard events are analyzed and resolved in a timely manner, including escalation procedures, supplier involvement if appropriate and a clear description of the process (flowchart for example)
CIO
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The Incident and Problem Management Policy is reviewed and formally approved
P13
IC35
Significant IT events or incidents and failures are monitored, communicated and resolved in a timely manner
Critical Systems IT Responsible(s)
Manual
Detective
P13
IC36
CIO and GM
Manual
Detective
Monthly
P13
IC39
The list of authorized software permitted for use by employees is documented and communicated
The list of authorized, tolerated and unauthorized software is formalized and reviewed
CIO
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
List of authorized, tolerated and unauthorized software is reviewed and formally approved
P13
IC40
The list of software installed is reviewed
The list of software installed and used on each computer and server is reviewed and reacted upon
Security Officer
Manual
Detective
Quarterly
P13
IC42
The results of scheduled jobs executions are communicated and approved
Summary of the batch jobs executions is communicated and approved to ensure batch jobs run properly
The operating procedures are reviewed and approved
Formalized operating procedures are in place and documented
CIO
Manual
Detective
Monthly
The job scheduling checklist and related results are reviewed and formally approved
Operating procedures are reviewed and formally approved
P13
IC43
CIO
Manual
Preventive
P13
IC44
An inventory listing all potential suspicious activities should be maintained to allow the monitoring of unauthorized activities
Change requests are authorized
An inventory listing all potential suspicious activities for each system should be maintained to allow the monitoring of unauthorized activities. This list should be updated based on experience and used to review unauthorized activities (P13.SC37).
CIO and Security Officer
Change request forms are completed, reviewed and approved
Business Owners and Stakeholders and Critical Systems IT Responsible(s)
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions) Bi-annually (period of 5 to 7 months required between control executions)
P13
SC01
Manual
Preventive
P13
SC02
Existing controls are identified, tested and redesigned if necessary
Existing controls (which may be affected by the design and implementation of changes) are identified and reported in the change request. Testing of the existing controls impacted is documented as part of the test plans in the change request. Change acceptance tests performed by Business Owners and Stakeholders include the testing of these controls. Appropriate actions are taken to modify or redesign these controls, if necessary, to retain their integrity
Change requests (including changes to critical end-user computing tools) have a test plan, a roll-out plan and a rollback plan developed prior to implementation
Test plan, roll-out plan and roll-back plan are formalized, reviewed and approved prior to implementation of the change
Manual
Preventive
Impact analysis of existing controls, and if appropriate tests results, are reviewed and formally approved
P13
SC03
Manual
Preventive
Test plan, roll-out plan and fallback plan are reviewed and formally approved
P13
SC05
Testing of interfaces between systems and the corresponding results are reviewed
Interface test results are formalized and reviewed to confirm that data transmissions are complete, accurate and valid and that interfaces are working properly
Manual
Preventive
At least every 3 years, and before a new or changed interface is put into production
Interfaces' test results are reviewed and formally approved
P13
SC06a
Test results are reviewed and approved before going live with the change in the production environment
Changes are tested, test results are reviewed and decision to go live in production is approved
Manual
Preventive
P13
SC06b
Implementation results are reviewed and approved after going live with the change in the production environment
Business Owners
Manual
Detective
P13
SC07a
Impact of change on the documentation and support service plans of critical systems, platforms, applications and databases is assessed and the documentation is updated if necessary
Documentation and support service plans for critical systems, platforms, applications and databases is reviewed
Impact of change on the documentation and support service plans of end-user computing tools is reviewed and the documentation is updated if necessary
Documentation and support service plans for end-user computing tools is reviewed
Changes in a critical system, platform application or database are subject to an impact analysis of the related documentation (user and operation procedures, manuals, technical documentation, support service plans, training materials, ) which is updated if necessary
Preventive
Documentation (including location) for changed critical systems, platforms, applications and databases is reviewed and formally approved
P13
SC07b
The documentation of critical systems, platforms, applications and databases (user and operation procedures manuals, technical documentation, support service plans, training materials, ) is reviewed to ensure sufficiency against business needs
Changes to end-user computing tools are subject to an impact analysis of the related documentation (user and operation procedures, manuals, technical documentation, training materials, ) which is updated if necessary
Detective
List of available documentation (including location) for critical systems, platforms, applications and databases is reviewed and formally approved
Documentation (including location) for changed end-user computing tools is reviewed and formally approved
P13
SC08a
Business Owners
Manual
Preventive
P13
SC08b
The documentation of end-user computing tools (user and operation procedures manuals, technical documentation, training materials, ) is reviewed to ensure sufficiency against business needs
Business Owners
Emergency changes are reviewed to assess legitimacy and compliance with change management policies and procedures
CIO and GM
Manual
Detective
Bi-annually (period of 5 to 7 months required between control executions)
Every emergency change
List of available documentation (including location) for end-user computing tools is reviewed and formally approved
Emergency changes documentation is reviewed and formally approved
P13
SC09
Manual
Detective
P13
SC12
Matrix of profiles (and related rights) are reviewed and mapped to job descriptions
The profiles/roles in the systems, platforms, applications and databases are mapped to each job description (up-to-date), to ensure that related access rights granted via the profiles are commensurate with job/position responsibilities
Business Owners/Critical Systems Responsibles and Human Resources.
Manual
Preventive
The profiles matrix (and related rights) related to each job description are reviewed and formally approved
P13
SC14
Provisioning / deprovisioning forms are reviewed and approved to grant users only the access they need
The logical access request forms for joiners, job changes and job terminations for employees, contractors, vendors and non-client personnel are:
- prepared and approved by the Head of Department (of the employee or contracting a third-party),
- reviewed and approved by the Human Resources Responsible vs. the job description for legitimacy and segregation of duties purposes,
- processed by the IT Staff
Human Resources prepares a monthly list of all transfers and leavers which is used by the Security Officer to verify that the relevant access rights have been modified or revoked
Manual
Preventive
P13
SC15
Accesses to systems, platforms, applications and databases is reviewed against the list of all transfers and leavers
Detective
Monthly
Review of accesses vs. the list of transfers and leavers is formally approved
P13
SC16
Access rights to systems, platforms, applications and databases that are granted (through profiles) are reviewed, updated if necessary and approved
The complete access rights (granted through allocation of profiles) are reviewed to check that: - access rights are in line with employee's position and responsibilities in the company (job description) and that these are still aligned with need-to-have and segregation of duties principles - all users of systems, platforms, applications and databases receive a unique user ID by which they can be uniquely identified (any exception to this rule must be well documented, rationalized and approved) - temporary accounts, generic accounts, applicative accounts are legitimate and adequately supported by documentation
Manual
Detective
Quarterly
P13
SC17
Access for migrating new/modified systems, platforms, applications and databases into the production environment is restricted
User access rights are reviewed and approved to check that: - only authorized personnel has access for migrating new/modified systems, platforms, applications and databases into the production environment; - user access rights are in line with job description; - this personnel is not authorized to perform any development.
Manual
Detective
Quarterly
User access rights related to the migration of new/modified systems, platforms, applications and databases are reviewed and formally approved
P13
SC18
Privileged access (admin, super users) to systems, platforms, applications and databases is reviewed and approved
The list of usernames (and corresponding persons) with privileged/powerful access rights to systems, platforms, applications and databases is reviewed to ensure that capability to issue powerful commands is limited to appropriate individuals
Manual
Detective
Quarterly
List of usernames (and corresponding persons) granted with privileged/powerful access rights to systems, platforms, applications and databases is reviewed and formally approved
P13
SC19
End-user computing tools are secured from unauthorized access and use
End-user computing tools (such as spreadsheets and other end-user programs) are placed on secured directories, for which the list of usernames (and corresponding persons) with access to these, is reviewed to ensure that accesses respect the need-to-have principles
Note: End-user computing tools are all tools created by business department personnel not limited to only spreadsheets (e.g. Excel Macro, Excel reconciliation spreadsheets, MS Access tools) that are used to compute or control figures of Financial Statement.
Manual
Detective
Quarterly
User access rights list to end-user computing tools is reviewed and formally approved
P13
SC20
Access rights granted to vendors and contractors are strictly limited in terms of time and profile (need-to-have basis)
The access rights granted to providers (including generic, application and maintenance accounts) are reviewed to assess the need-to-be of active vendors' accounts
Human Resources Responsible and Security Officer and Critical Systems IT Responsible(s)
Manual
Detective
Monthly
The vendors/contractors accounts and related access rights are reviewed and formally approved
P13
SC21
Remote access connection capability from vendors, contractors and employees is adequately limited
The timeframe and business requirements for remote access granted to vendors, contractors and employees is reviewed
Detective
Monthly
The list of user accounts with remote access capability is reviewed and formally approved
P13
SC22
Remote access connections from vendors, contractors and employees is monitored
Activities on network components performed during remote access are monitored by the Critical Systems Technical Responsible through review and documentation of the activity logs (connection, tasks performed, disconnection) to ensure they are in line with the planned remote activities. The monitoring of connection/disconnection to the VPN platform (if any) is the responsibility of the Critical System IT Responsible.
Critical Systems IT Responsible(s)
The reports on remote connections are communicated and approved
Remote connections and the related activities performed are reported
Security Officer and CIO
Manual
Detective
The logs of activities from remote connections vs. planned activities are reviewed and formally approved
P13
SC23
Manual
Detective
Monthly
Reports on remote connections and activities performed are reviewed and formally approved
P13
SC24
The security set-up for the critical information is reviewed to ensure that only authorized users are in the list
Password files, authorization tables, communications software, encryption keys and critical installation programs are stored in logically protected areas or otherwise protected from read-and-write access
Security Officer and CIO
Manual
Detective
Quarterly
P13
SC25
The set-up for passwords of each system, platform, application and database is reviewed
Password controls to critical network and systems, platforms, applications and databases are in effect and consider minimum security rules (where technically feasible)
Manual
Preventive
Security rules implemented in the systems, platforms, applications and databases (print screens, ) are reviewed and formally approved
P13
SC27
Storage and backup principles are formalized and approved
Retention periods, backup and storage terms are defined for documents, data, programs, reports and messages, as well as the data (keys, certificates) used for their encryption and authentication, while considering the classification of company data/information sensitivity
CIO and Legal or Regulatory Responsible
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Retention periods and storage terms are reviewed and formally approved
P13
SC29
P13
SC30
The backup journal is reviewed to ensure that backups are carried out on critical systems, platforms, applications and databases at least daily for data and weekly for configuration setups
CIO
The backup restore journal is reviewed to verify the results of the restore tests
Critical Systems IT Responsible(s) and CIO
Manual
Detective
Monthly
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The restore journal is reviewed and formally approved
P13
SC31
Only authorized individuals have access to the back-up data and media
The list of individuals able to access the backups (physically and logically, on media and on logical drives, onsite and off-site) is reviewed vs. the authorizations
CIO
Manual
Detective
Quarterly
The review of accesses to backups vs. the authorizations is reviewed and formally approved
P13
SC37
Unauthorized activities attempts recorded in audit trails (logs) on key systems and network components are reviewed
Unauthorized activities attempts (successful and unsuccessful) done at network, systems, platforms, applications and databases level are identified and reacted upon in an appropriate way. It does include a review of firewall / IDS logs to detect any hacking intrusion attempt.
Critical Systems IT Responsible(s) and Security Officer
Unauthorized activities and their resolution and status are reported
CIO and GM
Manual
Detective
Weekly
The security logs and unauthorized activities highlighted are reviewed and formally approved
P13
SC38
Manual
Detective
Monthly
P13
SC41
The daily job scheduling checklists and corresponding results are reviewed
Batch jobs are scheduled and monitored to ensure they run as needed and to completion
Manual
Detective
Daily
The job scheduling checklist and related results are reviewed and formally approved
P14
IC04
Testing for systems, platforms, applications and databases is performed in a testing environment
For all critical systems, platforms, applications and databases, there is a testing environment: - separated logically and/or physically from the production environment, - which allows adequate stress, unit, end-to-end testing - which reflects as much as possible the live environment (data in kind and quantity), - which is available for sufficient testing time
CTO
Manual
Preventive
Print copy of the catalogue and/or description of the testing environments are reviewed and formally approved
P14
IC09
Implementation of change/project is communicated to all relevant parties (end-users, stakeholders) to ensure they are aware of the change and its related impacts
Critical Systems Technical Responsible(s)
Manual
Preventive
P14
IC10
The Logical Access Management policy (or security policy) is reviewed and approved to check that the management of user accounts for joiners, job changes and job termination is part of the policy (for both employees and contractors, for local and remote access...)
CTO
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Logical Access Management Policy (or Security Policy) is reviewed and formally approved
P14
IC20
Backup execution results are documented in the backup journal and validated to ensure that backups are carried out on critical systems, platforms, applications and databases at least daily for data and weekly for configuration setups
Detective
Daily
P14
IC24
The formalized DRP is reviewed and approved Note: DRP and BCP plans should be updated whenever there is a large change implemented.
CTO and GM
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The DRP is reviewed and formally approved
Annually
The test results of the DRP are reviewed and formally approved
P14
IC25
CTO and GM
Manual
Preventive
P14
IC26
The Incident and Problem Management Policy and Procedures is reviewed to check that non-standard events are analyzed and resolved in a timely manner, including escalation procedures, supplier involvement if appropriate and a clear description of the process (flowchart for example)
CTO
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The Incident and Problem Management Policy is reviewed and formally approved
P14
IC27
Significant NW events or incidents and failures are monitored, communicated and resolved in a timely manner
Critical Systems Technical Responsible(s)
Manual
Detective
P14
IC28
CTO and GM
Manual
Detective
Monthly
P14
IC31
The operating procedures are reviewed and approved
Formalized operating procedures are in place and documented
CTO
Manual
Preventive
P14
IC32
An inventory listing all potential suspicious activities should be maintained to allow the monitoring of unauthorized activities
Change requests are authorized
An inventory listing all potential suspicious activities for each system should be maintained to allow the monitoring of unauthorized activities. This list should be updated based on experience and used to review unauthorized activities (P14.SC29).
CTO and Security Officer
Change request forms are completed, reviewed and approved
Business Owners and Stakeholders and Critical Systems Technical Responsible(s)
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Bi-annually (period of 5 to 7 months required between control executions)
P14
SC01
Manual
Preventive
P14
SC02
Existing controls are identified, tested and redesigned if necessary
Existing controls (which may be affected by the design and implementation of changes) are identified and reported in the change request. Testing of the existing controls impacted is documented as part of the test plans in the change request. Change acceptance tests performed by Business Owners and Stakeholders include the testing of these controls. Appropriate actions are taken to modify or redesign these controls, if necessary, to retain their integrity
Test plan, roll-out plan and roll-back plan are formalized, reviewed and approved prior to implementation of the change
Change requests (including changes to critical end-user computing tools) have a test plan, a roll-out plan and a rollback plan developed prior to implementation
Manual
Preventive
Impact analysis of existing controls, and if appropriate tests results, are reviewed and formally approved
P14
SC03
Preventive
Test plan, roll-out plan and fallback plan are reviewed and formally approved
P14
SC05
Testing of interfaces between systems and the corresponding results are reviewed
Interface test results are formalized and reviewed to confirm that data transmissions are complete, accurate and valid and that interfaces are working properly
Preventive
At least every 3 years, and before a new or changed interface is put into production
Interfaces' test results are reviewed and formally approved
P14
SC06a
Test results are reviewed and approved before going live with the change in the production environment
Changes are tested, test results are reviewed and decision to go live in production is approved
Manual
Preventive
P14
SC06b
Implementation results are reviewed and approved after going live with the change in the production environment
Business Owners
Manual
Detective
P14
SC07a
Impact of change on the documentation and support service plans of critical systems, platforms, applications and databases is assessed and the documentation is updated if necessary
Changes in a critical system, platform application or database are subject to an impact analysis of the related documentation (user and operation procedures, manuals, technical documentation, support service plans, training materials, ) which is updated if necessary
Manual
Preventive
Documentation (including location) for changed critical systems, platforms, applications and databases is reviewed and formally approved
P14
SC07b
Documentation and support service plans for critical systems, platforms, applications and databases is reviewed
Emergency changes are reviewed
The documentation of critical systems, platforms, applications and databases (user and operation procedures manuals, technical documentation, support service plans, training materials, ) is reviewed to ensure sufficiency against business needs
Emergency changes are reviewed to assess legitimacy and compliance with change management policies and procedures
Manual
Detective
List of available documentation (including location) for critical systems, platforms, applications and databases is reviewed and formally approved
Emergency changes documentation is reviewed and formally approved
P14
SC08
CTO and GM
Manual
Detective
P14
SC11
Provisioning / deprovisioning forms are reviewed and approved to grant users only the access they need
The logical access request forms for joiners, job changes and job terminations for employees, contractors, vendors and non-client personnel are:
- prepared and approved by the Head of Department (of the employee or contracting a third-party),
- reviewed and approved by the Human Resources Responsible vs. the job description for legitimacy and segregation of duties purposes,
- processed by the Technical Staff
The complete access rights (granted through allocation of profiles) are reviewed to check that:
- access rights are in line with employee's position and responsibilities in the company (job description) and that these are still aligned with need-to-have and segregation of duties principles
- all users of systems, platforms, applications and databases receive a unique user ID by which they can be uniquely identified (any exception to this rule must be well documented, rationalized and approved)
- temporary accounts, generic accounts, applicative accounts are legitimate and adequately supported by documentation
The list of usernames (and corresponding persons) with privileged/powerful access rights to systems, platforms, applications and databases is reviewed to ensure that capability to issue powerful commands is limited to appropriate individuals
Manual
Preventive
P14
SC12
Access rights to systems, platforms, applications and databases that are granted (through profiles) are reviewed, updated if necessary and approved
Detective
Quarterly
P14
SC13
Privileged access (admin, super users) to systems, platforms, applications and databases is reviewed and approved
Manual
Detective
Quarterly
List of usernames (and corresponding persons) granted with privileged/powerful access rights to systems, platforms, applications and databases is reviewed and formally approved
P14
SC14
Access rights granted to vendors and contractors are strictly limited in terms of time and profile (need-to-have basis)
The access rights granted to providers (including generic, application and maintenance accounts) are reviewed to assess the need-to-be of active vendors' accounts
Human Resources Responsible and Security Officer and Critical Systems Technical Responsible(s)
Manual
Detective
Monthly
The vendors/contractors accounts and related access rights are reviewed and formally approved
P14
SC15
Remote access connection capability from vendors, contractors and employees is adequately limited
The timeframe and business requirements for remote access granted to vendors, contractors and employees is reviewed
Detective
Monthly
The list of user accounts with remote access capability is reviewed and formally approved
P14
SC16
Remote access connections from vendors, contractors and employees is monitored
Activities on network components performed during remote access are monitored by the Critical Systems Technical Responsible through review and documentation of the activity logs (connection, tasks performed, disconnection) to ensure they are in line with the planned remote activities. The monitoring of connection/disconnection to the VPN platform (if any) is the responsibility of the Critical System IT Responsible
The reports on remote connections are communicated and approved
Critical Systems Technical Responsible(s) and Critical System IT Responsible(s) (if applicable)
Manual
Detective
The logs of activities from remote connections are reviewed and formally approved
P14
SC17
Activities performed on network components during remote access are reported and reviewed by the Security Officer and the CTO. Remote connections to the VPN platform (if any) are reported and reviewed by the Security Officer and the CIO
Security Officer, CTO and CIO (if applicable)
Manual
Detective
Monthly
Reports on remote connections and activities performed are reviewed and formally approved
P14
SC18
The set-up for passwords of each system, platform, application and database is reviewed
Password controls to critical network and systems, platforms, applications and databases are in effect and consider minimum security rules (where technically feasible)
Manual
Preventive
Security rules implemented in the systems, platforms, applications and databases (print screens, ) are reviewed and formally approved
P14
SC19
Storage and backup principles are formalized and approved
Retention periods, backup and storage terms are defined for documents, data, programs, reports and messages, as well as the data (keys, certificates) used for their encryption and authentication, while considering the classification of company data/information sensitivity
CTO and Legal or Regulatory Responsible
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Retention periods and storage terms are reviewed and formally approved
P14
SC21
P14
SC22
The backup journal is reviewed to ensure that backups are carried out on critical systems, platforms, applications and databases at least daily for data and weekly for configuration setups
CTO
Manual
The backup restore journal is reviewed to verify the results of the restore tests
Critical Systems Technical Responsible(s) and CTO
Manual
Detective
Monthly
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The backup restore journal is reviewed and formally approved
P14
SC23
Only authorized individuals have access to the back-up data and media
The list of individuals able to access the backups (physically and logically, on media and on logical drives, onsite and off-site) is reviewed vs. the authorizations
CTO
Manual
Detective
Quarterly
The review of accesses to backups vs. the authorizations is reviewed and formally approved
P14
SC29
Unauthorized activities attempts recorded in audit trails (logs) on key systems and network components are reviewed
Unauthorized activities attempts (successful and unsuccessful) done at network, systems, platforms, applications and databases level are identified and reacted upon in an appropriate way. It does include a review of firewall / IDS logs to detect any hacking intrusion attempt.
Critical Systems Technical Responsible(s) and Security Officer
Manual
Detective
Weekly
The security logs and unauthorized activities highlighted are reviewed and formally approved
P14
SC30
CTO and GM
Manual
Detective
Monthly
P15
IC01
Terms & conditions set out in the interconnect agreement must be reviewed for their technical/financial terms by the relevant departments.
GM
Manual
Preventive
P15
IC02
All provisioned changes to trunks and routing data are reported and reviewed on a daily basis.
A report (based on a predefined query) summarizes any changes to the settings of the Switch and/or interconnect billing system ( i.e. destinations etc). This report is reviewed and approved by the Billing Manager. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Billing Manager
Daily
- Description and system documentation (technical / functional description) on how the alarm / exception report works. - Upon occurrence, exception / alarm reports are reviewed and formally approved OR if a daily report comes out, daily report is reviewed and formally approved
P15
IC03
Identify the source of the rejection (if possible) and try to resolve the problem in order to prevent the event from happening in the future. Furthermore, the rejected EDRs are recuperated where possible. This process occurs continuously and the events that happen the most are tackled first.
Billing Staff
Daily
- Formal procedure / task description of reviewing and resolving rejected EDRs. - Exception / reject reports are reviewed and formally approved
P15
IC04
Reconciliation of reference data (e.g. trunk groups and gateway transit routes) in the Switch, Mediation and interconnect billing system
Reference data (i.e. Trunk and gateway transit routes) needs to be reconciled between Switch and Interconnect Billing System per operator. I.e. validating that the operator trunk code and gateway transit routes are linked to the correct operator by the interconnect billing system. The reconciliation should include the mediation in case of filtration rules defined based on Trunk Groups on Mediation Device.
Billing Manager
Manual
Detective
Reconciliation report of reference data in Switch, Mediation and interconnect Billing system is reviewed and formally approved
P15
IC08
Check whether all the invoices generated are sent out to the relevant operators.
CFO-2
Manual
Detective
Monthly
Check list of invoices generated and sent out is reviewed and formally approved
P15
SC05
All rejected EDRs are formally reported during the interconnect bill run
EDRs not corrected are reviewed by CFO and Local Revenue Assurance Manager before clearing them from the Billing System (based on delegation of authority and local regulations).
P15
SC06
Mediation output is reconciled with Interconnect billing input and output
Reconciliation of output from the Mediation device with the input into the Interconnect Billing System and its output (or support system such as a database or data warehouse) in number of EDRs and in number of minutes. This is a standard MIC input / output report.
Billing Manager
Daily
Reconciliation report (Mediation output with Interconnect Billing input and output) is reviewed and formally approved
P15
SC07
Detailed interconnect revenue invoice validation
The monetary values, the minutes and events in the interconnect revenue invoices are checked for their accuracy.
CFO-1
Manual
Detective
Monthly
Check list of interconnect revenue invoice validation is reviewed and formally approved
P15
SC09
Usage Report (EDRs Count, Minutes etc) from other operators are reconciled with the registered traffic sent to them
Usage Report (EDRs Count, Minutes etc) received from the other operators are reconciled with the output from the Interconnect Billing system by the Billing Manager. If the figures deviate from a preset tolerance limit (threshold), a detailed analysis is needed (exchange of EDRs may be necessary in this case).
Billing Manager
Manual
Detective
Monthly
Analysis report of the deviations (Interconnect usage figures) is reviewed and formally approved
P15
SC10
P15
SC11
Payable invoices from other operators are reconciled with the Usage Report reconciliation
All payable invoices that are accepted are subject to approval
Payable interconnect invoices received from the other operators by the Interconnect Manager are reconciled with the Usage Report (EDRs Count, Minutes etc) reconciliation done in SC9.
Interconnect Manager
All payable invoices of interconnect operators that are accepted are subject to an approval of the Interconnect Manager and GM.
GM and Interconnect Manager
Manual
Detective
Monthly
Analysis report of the deviations (Interconnect invoices) is reviewed and formally approved
Invoices of Interconnect operators are reviewed and formally approved before payment
Manual
Detective
Monthly
P15
SC12
All the accounting records in relation to interconnection revenue & cost are verified by the CFO-1 before posting into the GL.
CFO-1
Manual
Preventive
Monthly
P15
SC13
Revenue and cost data in the interconnect billing system (both accruals and invoices) is reconciled with the accounting system
Comparison of interconnect revenue & cost booked in the accounting system with the revenue/cost from the interconnect billing system & the invoices sent out/received.
CFO
Manual
Detective
Monthly
Reconciliation report (interconnect costs/revenues in Billing system and Accounting system) is reviewed and formally approved
P15
SC14
Netting of invoices is reviewed by the CFO-1
Validation of the invoices netted off and the resulting values.
CFO-1
Manual
Detective
Monthly
Interconnect netting validation report is reviewed and formally approved
Roaming agreement is reviewed and formally approved
P16
IC01
Formal review and approval of all roaming agreements
Terms & conditions set out in the roaming agreement must be reviewed for their technical/financial terms by the relevant departments.
GM
Manual
Preventive
P16
IC03
All provisioned roaming changes on the Switch and Roaming Billing system are reported (by means of a predefined query) and reviewed on a daily basis. This is done based on a report that runs daily.
If the TAP OUT files generation is outsourced to Mach, validation over Mach changes reported by Mach are reviewed. Changes done at Mach side are available and should be reviewed through their 'Service Ticketing System'.
Category Manager
Daily
Report on all changes done on the Switch and Roaming Billing System / Mach Platform (via 'Service Ticketing System') are reviewed and formally approved
P16
IC05
Roaming high usage reports received from visited operators are reviewed by the Credit & Collection Manager-1 on a daily basis. Any actions taken based on this report should be communicated to and executed by the Billing Manager -1. If NRTRDE is implemented, High Usage Reports have to be reported through use of Fraud detection system handling the NRTRDE files. The File Delivery Report (FDR) from Mach has also to be used to ensure that all files that were sent have been received, and to identify any missing file. In addition, the Error Report (ER), listing any errors encountered by the HPMN to process the NRTRDE records, should be reviewed and appropriate actions should be taken together with Mach to prevent future errors.
Credit & Collection Manager -1 and Billing Manager -1
Billing Manager -1
Daily
High usage reports with documentation of corrective actions and underlying reasons are reviewed and formally approved. For NRTRDE (Near Real Time Roaming Data Exchange ), NRTRDE High Usage reports should be reviewed including FDR and ER
P16
IC09
Validation on whether the IMSI, MIN, ... numbers belong to your subscribers
All the A numbers contained in the Outbound Roaming records are compared with the subscribers database, in order to verify whether the record pertains to your subscribers Outbound Roaming.
Manual
Detective
Daily
Reconciliation report (A numbers in TAP IN vs subscribers database) is reviewed and formally approved
P16
IC10
The upload and conversion of TAP IN files is followed up and reported on a daily basis.
Billing Manager -1
Manual
Detective
Daily
Report on the successful / failed TAP IN file uploads and conversions is reviewed and formally approved
P16
IC13a
Analyze and resolve rejected Inbound Roaming EDRs at the Billing System
Identify the source of the rejection (if possible) and try to resolve the problem in order to prevent the event from happening in the future. Furthermore, the rejected EDRs should be recuperated if possible. This process occurs continuously and the events that happen the most are tackled first.
Billing Staff
Daily
Rejected EDRs report (Billing system level) is reviewed and formally approved
P16
IC13b
Analyze and resolve Inbound Roaming EDRs rejected during the MBF and TAP OUT generation
Identify the source of the rejection (if possible) and try to resolve the problem in order to prevent the event from happening in the future. Furthermore, the rejected EDRs should be recuperated if possible. This process occurs continuously and the events that happen the most are tackled first. Rejections are investigated from two sources: - during MBF files generation; - during MACH TAP OUT files generation. Rejected EDRs are listed in MACH COM portal (Rejected, CDR Details Report) including the reason of their rejection. These rejections have to be investigated and corrected if possible together with Mach support.
Billing Staff
The Billing Manager verifies that the Billing system/Fraud system generates and sends out the high usage report for subscribers visiting your network each day. In case of NRTRDE, files are stored on MACH server every 4 hours.
Billing Manager
Daily
Rejected EDRs reports (Mediation and MACH level) are reviewed and formally approved
P16
IC15
Daily review of the high usage reporting + validation of the sending of any existing high usage reports
Manual
Detective
Daily
High usage report is reviewed and formally approved. In case of NRTRDE, files are stored on MACH server every 4 hours. (All such reports can be reviewed on a subsequent day from occurrence)
P16
IC24
IOT updates and rating information for new roaming partners are sent to MACH at least 4 weeks before the agreed start date of application.
Billing Manager
Manual
Preventive
P16
SC02a
Reconciliation of inbound roaming settings in the Switch and corresponding settings in the inbound roaming Billing System and Mediation device (if required)
There is a reconciliation between the inbound roaming settings (IMSI ranges per operator) on the Switch against the corresponding settings in the roaming Billing System and Mediation Device. The reconciliation report should include the underlying reasons of discrepancies and corrective actions.
Billing Manager
Monthly
Inbound roaming settings reconciliation report (Switch vs. Mediation vs. Roaming Billing System) is reviewed and formally approved
P16
SC02b
Reconciliation of inbound roaming settings in the Switch and corresponding settings in the Mediation device.
There is a reconciliation between the inbound roaming settings (IMSI ranges per operator) on the Switch against the corresponding settings in the Mediation device. The reconciliation report should include the underlying reasons of discrepancies and corrective actions.
Billing Manager
Monthly
Inbound roaming settings reconciliation report (Switch vs. Mediation device) is reviewed and formally approved
P16
SC06
Duplicate check on Outbound Roaming EDRs
The TAP IN processor (or the postpaid billing system) checks for duplicates based on certain fields in a call record that are equal. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Billing Staff
Daily
P16
SC07
Billing Manager -1
Manual
Detective
Daily
P16
SC08
Reconciliation of rates applied in the records in the TAP IN file with rates agreed upon.
There is reconciliation between the rates applied in the records from the TAP IN files with rates agreed upon. This reconciliation may be performed on a relevant sample of TAP IN files if the control is performed completely manually. It is however preferred to perform the reconciliation on all TAP IN files.
Billing Manager -1
Daily
Reconciliation report (rates applied in TAP IN file with those agreed upon) is reviewed and formally approved
P16
SC11
Validation of currency conversion rates used to convert SDR values in local currency values
The currency conversion from SDR values in the TAP IN records to local currency is timely updated and performed by the Billing Manager and reviewed by the CFO-1.
CFO-1
Monthly
Validation report of the currency conversion from SDR values is reviewed and formally approved
P16
SC12
Reconciliation of Billing records contained in TAP IN files with the Roaming records in the Billing System or Prepaid EDRs
There is a reconciliation between the billing records contained in TAP IN records with the roaming records uploaded in the postpaid billing system. Note: Wherever Prepaid Camel is offered for Out roamers, TAP IN EDRs (received for Prepaid roaming) should be reconciled with prepaid EDRs.
Billing Manager
Reconciliation report (TAP IN vs Postpaid Billing system and Prepaid platform for Camel) is reviewed and formally approved
P16
SC14a
All rejected Inbound Roaming EDRs in Billing System are formally reported during the TAP OUT file generation
Prepare a report on all Inbound Roaming records, together with relevant explanations at the TAP OUT file generation.
Billing Manager, Local Revenue Assurance Manager and CFO
All Inbound Roaming EDRs rejected during MBF generation are formally reported
All Inbound Roaming EDRs rejected during both MBF and TAP OUT generation (Rejected Process Summary Report) are formally reported
Billing Manager, Local Revenue Assurance Manager and CFO
Manual
Detective
Monthly
Rejected (and not corrected) EDRs report is reviewed and formally approved
P16
SC14b
Manual
Detective
Monthly
Rejected (and not corrected) EDRs report is reviewed and formally approved
P16
SC16
Sequential numbering of TAP OUT file
All TAP out files have a unique sequential identification number. There is a validation on the sequence number.
Billing Manager -1
Daily
P16
SC17a
Detailed validation on the correctness of the rating of the records in the TAP OUT file.
Billing Manager -1
P16
SC17b
Review the exception report on the IOT check (Detail Report) provided by Mach. All exceptions have to be investigated together with Mach.
Reconciliation of Mediation output with the Inbound Roaming Billing System output in number of EDRs and in number of minutes / bytes. This is a standard MIC input / output report.
Billing Manager -1
Daily
Exception report on the IOT check (Detail Report) is reviewed and formally approved
Reconciliation report (Mediation vs Billing system) is reviewed and formally approved
X
P16
SC18a
The output from the Mediation is reconciled with the Inbound Roaming Billing System output (with all the sub steps)
Billing Manager
Daily
P16
SC18b
The output from the Mediation is reconciled with the Mach TAP creation report
Reconciliation of Mediation output (MBF files or raw CDRs) with the Mach 'TAP creation report for Revenue Assurance' in number of EDRs and in number of minutes / bytes.
Billing Manager
Daily
Reconciliation report (Mediation vs Mach 'TAP creation report for Revenue Assurance') is reviewed and formally approved
P16
SC19
Validation with Clearing House of TAP OUT file sent
Check whether the Clearing House has received the TAP Out files sent by the MIC subsidiary.
Billing Manager -1
Manual
Detective
Daily
Report of TAP OUT files received by the Clearing House is reviewed and formally approved
P16
SC20
Validation of clearing house netting results by comparing difference retrieved TAP IN and created TAP OUT
Comparison of the Summary report sent by the Clearing House against the MIC subsidiary's own Tap IN & Tap OUT details.
CFO-1
Manual
Detective
Monthly
Reconciliation report (netting vs. TAP IN & TAP OUT) is reviewed and formally approved
P16
SC21
All the accounting records in relation to roaming revenue & cost are verified by the CFO-1 before posting into the GL.
CFO-1
Manual
Preventive
Monthly
Specific approval form for bookings is reviewed and formally approved AND/OR Adequate access security / segregation of duties setup in the accounting system (i.e. only the CFO-1 can actually post journal entries) is reviewed and formally approved
Reconciliation report (Journal Entries vs Mach reports) is reviewed and formally approved
P16
SC22
Accounting journal entries are reconciled with MACH reports
The CFO reviews and validates the proposed Roaming revenue and cost bookings in the accounting system with the MACH reports.
CFO
Manual
Detective
Monthly
P16
SC23
Tariffs applied to TAP OUT are reviewed against those of the signed agreement (AA14) with all roaming partners. All agreements have to be reviewed once a year, with 25% of roaming partners being reviewed quarterly on a rolling basis.
Billing Manager -1
Quarterly
Reconciliation report (AA14 vs TAP out rates setup) is reviewed and formally approved
P17
IC01
A formal credit check is performed for each postpaid subscriber before provisioning
For each new postpaid subscriber recommended by the Go-to-Market Department, a formal credit check is performed based on the approved Commercial policy to review and assess the credit status and reputation of the subscriber.
Manual
Preventive
P17
IC02
A specific exception form exists on the acceptance of subscribers that do not comply with the Commercial policy / credit check limits
A specific exception form (prepared and justified by the Sales department) exists on the acceptance of postpaid subscribers that do not comply with the Commercial policy.
Credit and Collection Manager
Manual
Preventive
P17
IC03
A specific exception form exists on the acceptance of exceptional discounts that do not comply with the Commercial policy
A specific exception form (prepared and justified by the Sales department) exists on the acceptance of exceptional discounts that do not comply with the Commercial Policy.
Manual
Preventive
P17
IC05
A formal verification is made to ensure that all credit limits reported are implemented in accordance with the Commercial policy.
Daily
P17
IC06
All manually provisioned changes to critical subscriber data are automatically reported and reviewed
All manually provisioned changes to critical subscriber data (in the Switch and Billing environment) are automatically reported (based on a predefined query) and reviewed. The review verifies whether the reported provisioned changes equal the approved subscriber data change requests. Critical subscriber data is (but not limited to): name, address, services and status.
Consumer Manager
Daily
Formal report of all provisioned changes in both the switch and billing environment is reviewed and formally approved. Each provisioned change is matched with an approved change request.
P17
IC08
A standard report with all tariff changes is generated and signed off on a daily basis
A standard (predefined query) report with all tariff changes is generated and signed off on a daily basis. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence. When the control is based on an alarm: the approval must be attached to the exception report.
Category Manager
Manual
Detective
Daily
P17
IC11
Analyze and resolve corrupted EDRs at the mediation level
Identify the source of the corruption (e.g. A or B number not clear) and try to resolve the problem in order to prevent the event from happening in the future. Furthermore, the corrupted EDRs should be recuperated if possible. This process should occur continuously and the events that happen the most should be tackled first.
Billing staff
Daily
Upon occurrence, exception / alarm reports on corrupted EDRs are reviewed and formally approved OR if a daily report comes out, a daily report is reviewed and formally approved
P17
IC12
Analyze the filtered non-billable EDRs based on the reason for filtering and obtain proper approval. If no filtering occurs then this control is not applicable.
Billing Manager -1
Manual
Detective
Daily
P17
IC13
All corrupted EDRs on Mediation device should be formally reported before bill run
Prepare a report on all EDRs which are beyond error correction, together with relevant explanations, at the time of the bill run.
Billing Manager and CFO
Manual
Detective
P17
IC14
A proper review of Business Rules for filtering of non billable EDRs is performed.
Manual
Detective
Monthly
Business rules and filters setup for non-billable traffic are reviewed and formally approved
P17
IC16
The mediation device or billing system includes an automated control that checks the time gaps between EDRs (calls or data traffic) and compares them to a certain threshold. If the time gap is too big (> threshold, e.g. no calls for more than half hour) the control should send out a critical alarm. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Billing Staff
Daily
Upon occurrence, exception / alarm reports on time gaps of EDRs are reviewed and formally approved OR if a daily report comes out, a daily report is reviewed and formally approved
P17
IC17
The test call matrix consists of a relevant sample of test calls (as well as other types of traffic e.g. SMS, MMS, etc) which are followed up from Switch up to the Billing System. Best practice is to use a test call generator to generate all possible call scenarios. In case no test call generator is used, the test call matrix contains the call scenarios that represent at least 90% of all traffic (data traffic included).
Billing Manager -1
Manual
Detective
Monthly
- Test call matrix document outlining the type of tests that need to occur and the sample method.
- Test call results are reviewed and formally approved (test call matrix along with print screens from the billing system call details)
Rejected EDRs report (Billing system level) is reviewed and formally approved
P17
IC18
Identify the source of the rejected EDRs and try to resolve the problem in order to prevent the event from happening in the future. Furthermore, the rejected EDRs should be recuperated if possible. This process should occur continuously and the events that happen the most should be tackled first.
Billing Staff
Daily
P17
IC20
Monitoring of high usage looks at value, but also at minutes and transactions (and must cover both prepaid as well as postpaid). Specific thresholds are applied (based on approved high usage policy & procedures) and subscribers surpassing the thresholds are followed up. Appropriate actions are taken, such as contacting the subscriber for an explanation or even barring the subscriber. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Credit and Collection Manager -1
Daily
High usage report summarizing high usage activity and the actions taken is reviewed and formally approved
P17
IC21
Usage of test SIMs is monitored and evaluated to detect any misuse. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Revenue Assurance
Monthly
P17
IC22
Sample testing pre and post bill run (testing completeness and calculation of invoice)
The accuracy of the invoices is verified on a sample basis. The sample should represent a variety of billing scenarios. A log should be maintained for any errors identified.
Billing Manager
Manual
Detective
Pre and Post bill run sample testing reports and results are reviewed and formally approved
P17
SC04
All discounts (not part of a discount plan) are reported in a specific exception report on a daily basis. This report must be based on a predefined query.
Consumer Manager
Daily
Formal report of all exceptional discounts given is reviewed and formally approved
P17
SC07
Record all future movement of revenues (e.g. connection fees) based on the MIC Policy
Future movements of revenues (e.g. connections fees) are computed and reported in a schedule, which is used for recognizing and booking the corresponding entries based on the MIC accounting policy.
CFO-1
Manual
Detective
Monthly
Reconciliation between future movement schedule and accounting entries is reviewed and formally approved
P17
SC09
The Switches (and other EDR generating nodes) must number their call records sequentially. A control is performed by the mediation device to verify whether the sequence is respected (completeness of EDRs). This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Billing Manager
Daily
P17
SC10
Automated check for duplicate EDRs
The database of the billing system (or mediation) is checked for duplicate EDRs based on certain fields in a call record that are equal. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Billing staff
Daily
Upon occurrence, alarm reports on duplicate EDRs are reviewed and formally approved OR if a daily report comes out, a daily report is reviewed and formally approved
P17
SC15
Reconcile the input of mediation device against the output by EDR category. This reconciliation is common for all types of Traffic (i.e. Postpaid, Interconnect and Roaming). This reconciliation is the standard MIC input / output report and must occur in numbers of EDRs, minutes and (kilo) bytes where applicable.
Billing Manager
Daily
Reconciliation report (Mediation Input Vs Mediation Output) is reviewed and formally approved
P17
SC19
All rejected EDRs on billing Platform should be formally reported before bill run
EDRs not corrected are reviewed by CFO and Local Revenue Assurance Manager before clearing them from the Billing System (based on delegation of authority and local regulations).
Manual
Detective
Rejected (and not corrected) EDRs report is reviewed and formally approved
P17
SC23
Check all the revenue movements in the Billing cycle is captured
Ensure that all the revenue movements in the Billing cycle are captured and that all the pending subscription fees (e.g. flat fee services and packages) are included in the settlement invoice.
Billing Manager
Reconciliation of billable flat fees and flat fees actually billed during the bill run is reviewed and formally approved
P17
SC24
Check that all subscribers are included in a billing cycle
Reconciliation of subscribers in the subscriber database against the subscribers covered by the bill runs in order to verify whether all subscribers are assigned to at least one of the bill runs.
Billing Manager
P17
SC25
Reconciliation provisioning prepaid platform with bills generated by the billing system for fixed bills
Validate fixed bills generated for fixed bill subscribers in the prepaid billing system to ensure that the reload (top-up) at the beginning of the month reconciles to the invoices generated at the end of the month.
Billing Manager
Reconciliation report (fixed bills amounts with balance reloads of fixed bill subscribers) is reviewed and formally approved
P17
SC26
Reconciliation between the mediation output with the billing system input and Output
Reconciliation of output from the Mediation device with the input and Output into the Billing Systems in number of EDRs and in number of minutes and (kilo) bytes where applicable. This is a standard MIC input / output report.
Billing Manager
Daily
Reconciliation report (Mediation output Vs Billing system input and output) is reviewed and formally approved
P17
SC27
Reconciliation between invoices generated versus invoices printed and sent out (including electronic invoices sent through the email).
Billing Manager
Reconciliation report (invoices generated Vs invoices sent out) is reviewed and formally approved
P17
SC28
A report with the status of all overdue subscribers is generated. Their status is compared to the theoretical status they should have as per the barring / dunning policy, i.e. it should be verified whether all subscribers that are overdue with their invoice payment are barred in time.
Credit and Collection Manager
Weekly
Overdue subscriber report with actual status is reviewed and formally approved
P17
SC29
Review non-billable subscribers' traffic (i.e. traffic from subscribers that do not need to pay for certain or all services) and ensure related revenue is not in accounting
All non-revenue generating traffic related to specific subscribers that are not billed (cf. MIC policy) are formally reported and approved. This control must be done before transactions are transferred in the accounting system so that only revenue generating transactions are posted.
Detective
P17
SC30
All bookings should be first prepared in draft and then approved by the CFO-1 before being booked in the G/L (this should be performed in both cases where there is an interface between the Postpaid system and the accounting system or if this is a manual booking into the accounting system).
CFO-1
Manual
Preventive
Specific approval form for bookings is reviewed and formally approved AND/OR Adequate access security / segregation of duties setup in the accounting system (i.e. only the CFO-1 can actually post journal entries) is reviewed and formally approved
Reconciliation report (Billing system Vs Accounting system) is reviewed and formally approved
P17
SC31
Revenue data in the Billing System is reconciled with the Accounting System (both accruals and invoices)
The relevant bookings in the G/L are reconciled with their source, i.e. the billing system and the invoices and accruals generated by it. This reconciliation must also reconcile the classification of revenue in both systems.
CFO
Manual
Detective
P17
SC32
Reconcile the output of Switch against input of mediation device by EDR category. This reconciliation is common for all types of Traffic (i.e. Postpaid, Interconnect and Roaming). This reconciliation is the standard MIC input / output report and must occur in numbers of EDRs, minutes and (kilo) bytes where applicable.
CTO-1
Daily
Reconciliation report (Switch Output Vs Mediation Input) is reviewed and formally approved
P18
IC02
Determine commercial feasibility of tariff changes/add
All new / changed tariffs are subject to a profitability impact analysis by Go-To-Market. The analysis must be reviewed and approved.
Category Manager
Manual
Preventive
Results of the profitability impact analysis of new/changed tariff is reviewed and formally approved
P18
IC04
Manual
Preventive
Request forms (for changes / additions to tariff (plans)) are reviewed and formally approved
P18
IC07
All manually initiated changes to subscriber balances require prior approval of the Customer Support. Manual changes are all changes that are not part of the normal automated logic of using and uploading balances. This covers adjustments and initiating batches for promotions and discount corrections. Note: The approval has to be in line with the MIC Policy No.B4.3.2. based on the thresholds set.
Customer Support
Manual
Preventive
Requests for manually initiated changes to prepaid subscriber balances are reviewed and formally approved
P18
IC10
Prepaid traffic which cannot be rated, and for which a default rate can't be applied, is reported.
Billing Manager
Manual
Detective
Monthly
P18
IC14
The test transaction matrix consists of a relevant sample of event scenarios (as well as other types of transactions e.g. Voice, SMS, MMS, GPRS, recharge vouchers, e-pin) that is executed each month, which are followed up from switch up to the Prepaid platform (or independent comparison of test call records from matrix with IN system and in case of any missing records, trace back on Switch or Mediation). The test transaction matrix contains the scenarios that represent at least 90% of all transactions. The billing manager ensures the forfeiture is taking place as per card expiry.
Billing Manager -1
Manual
Detective
Test matrix document and test transaction results are reviewed and formally approved
P18
IC15
Billing Manager
Monthly
Report for de-activation / expiry of scratch card/e-pins is reviewed and formally approved
P18
IC20
Before generating new PINs and registering these on the network, the Category Manager should approve this action.
Category Manager
Manual
Preventive
P18
IC24
There is a proper management approval for activation of PINs in the prepaid platform. The Warehouse Manager is responsible for informing the Billing Manager.
Warehouse Manager
Manual
Preventive
Before PINs are activated, the PIN activation request is reviewed and formally approved
P18
IC26
A formal commercial policy is drafted and approved. This policy outlines the rules for accepting a dealer (credit checks that the dealer needs to pass, reputation considerations, etc). Secondly the policy also puts forward the acceptable commissions that can be granted per type of dealer or per the size of purchase.
Go to Market responsible
Manual
Preventive
P18
IC27
Credit vetting is performed based on the criteria set in the Commercial Policy
For each new dealer recommended by the Go-To-Market / sales department, a formal credit check is performed by the credit and collection manager to review and assess the credit status and reputation of the dealer as per the Commercial policy for accepting dealers. A specific Yes/No answer field on the credit assessment form flags if a dealer is in line with the policy or not. The credit assessment is approved by the Credit & Collection Manager before appointment of the dealer.
Credit & Collection Manager
Approval taken from Management for appointing the Dealer
A specific exception report (that needs to be approved) exists on the acceptance of dealers that do not comply with the commercial policy / credit limits check. This document is validated by the CFO and the GM.
GM & CFO
Manual
Preventive
Credit status of dealer is documented in the Credit assessment form and reviewed and formally approved before appointment of the dealer
P18
IC28
Manual
Preventive
Acceptance of dealers that do not comply with the commercial policy / credit limit checks is reviewed and formally approved
P18
IC29
A standard (predefined query) report with all commission parameter changes is generated and signed off on a daily basis. This is appropriate in case of automated control for commission calculation.
Category Manager
Manual
Detective
Daily
Formal report on all commission parameter changes is reviewed and formally approved
P18
IC30
Before transferring the credit to the dealer's e-Pin account, the credit and especially the commission calculation (i.e. the difference between the payment and the proposed credit) are approved by the Consumer Manager or Finance Responsible (CFO-1) to validate that the commission is in line with the commercial policy, and that an actual payment has occurred. The proof of the actual payment (e.g. bank statement, cash receipt, etc) is attached. This control is for manual commission calculations only.
Financial Responsible (CFO-1) or Consumer Manager
Manual
Preventive
E-Pin request form (including credit to transfer and commission calculation) is reviewed and formally approved
P18
IC33
Validate identity of the e-Pin transferor of credit and authentication of the transfer; e-Pin deduction occurs before e-Pin addition
The SMSC and prepaid platform (and if relevant the e-Pin platform) will process the request for a balance transfer and verify the identity of the transferor, the validity of the request and the credit balance. Typically, the transferor is identified based on his MSISDN and the transfer request is authenticated by means of a secret pin code provided in the SMS. To ensure that the deduction from the e-Pin accounts happens prior to the additions to subscriber accounts, the debit should precede the credit for every transaction. This should be tested each time the system changes.
Automated
Preventive
System documentation explaining the identification and authentication procedures is reviewed and formally approved
P18
SC01
Reconciliation of MSISDNs, subscribers profile and status in Switch subscriber db and prepaid and postpaid billing platform
The MSISDNs, subscribers' profiles and status (Active/Inactive) in the switch subscriber DB (HLR) and prepaid/postpaid Billing platform are reconciled by the billing manager. The Billing manager should review exceptions and propose corrective actions to IT and Network. Any corrective actions should be formally documented. Note: Ring Back Tone should also be reconciled (between RBT server, IN, Billing System and the Switch). For practical reasons the profile and MSISDN reconciliation for prepaid and postpaid should be done at the same time.
Billing Manager
Daily
Reconciliation report (MSISDNs, subscribers profile and status in Switch and Billing environments) is reviewed and formally approved
P18
SC03
Changed or new tariff (plans) may have an impact on the way revenue is recorded. As such, Finance needs, as per the MIC accounting policy manual, to assess the impact of a tariff change.
CFO
Manual
Preventive
Results of the accounting treatment impact analysis of new/changed tariff is reviewed and formally approved
P18
SC05
Changed / added tariffs report
A standard (predefined query) report with all tariff changes (including interconnect, roaming, prepaid, postpaid and wireless) is generated and signed off. This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Category Manager
Manual
Detective
Daily
P18
SC06
Reconciliation between EDRs generated by the prepaid platform and the ones generated by the Switch / SMSC / MMSC / GPRS (depending upon network architecture)
A reconciliation between EDRs generated by the prepaid platform and the ones generated by the Switch (or other EDR generating nodes on the network, e.g. SMSC, MMSC, GPRS Nodes, etc) should be performed in order to ensure integrity of transfer between both systems. The reconciliation should occur both in numbers of EDRs as well as in number of minutes and (kilo) bytes where applicable. Wherever it is applicable for content, there should be a reconciliation of SMS_MT with the Switch and IN EDRs.
Billing Manager
Daily
Reconciliation report (EDRs generated by the prepaid platform and the ones generated by the Technical Network nodes) is reviewed and formally approved
P18
SC08
A predefined query reports all manual changes to subscriber balances. Issued report is reviewed and validated.
Daily
Report of all manual changes to the subscriber balances is reviewed and formally approved
P18
SC09
Review reasons for all subscriber with negative balance (or subscribers credited to 0 balance) and obtain validation by appropriate level of management
All negative balances for prepaid subscribers should be reviewed on a regular basis. This also includes the instances where subscribers would normally have a negative balance but received a 0 balance because the prepaid platform does not allow / cannot handle negative balances.
Billing Manager -1
Weekly
Report including negative and null balances is reviewed and formally approved
P18
SC11
Formal report on all free traffic, zero rated traffic, default rated traffic
Free traffic is traffic for which a subscriber is not rated at all. A call is zero rated if a zero tariff is applied to the call. Default rated traffic is traffic for which no applicable rate could be found but where instead (in order to ensure service) a default rate was applied. If the system is not set up for free traffic, zero rating or default rating, then the weekly reports should not be run and instead documentation should be provided proving that the system is not doing so. Note: This control, just as all the other ones, is relevant for all types of traffic and not only voice calls.
Billing Manager
Weekly
Report listing free calls and zero rated calls (allowing to review these and to take corrective actions) is reviewed and formally approved. If the system is not set up for free traffic, zero rating or default rating, then the weekly reports should not be run and instead documentation should be provided proving that the system is not doing so. This documentation is reviewed and formally approved by the billing manager on a quarterly basis.
Testing results of the post-hoc sample re-rating of the traffic are reviewed and formally approved
P18
SC12
There is a regular post-hoc testing / re-rating of the prepaid traffic of one day; this should be performed on a monthly basis. I.e. one day is selected (as a sample) and for that day all calls are re-rated. The result is reconciled with the actual result of that day. Note: This control, just as all the other ones, is relevant for all types of traffic and not only voice calls.
Billing Manager
Manual
Detective
Monthly
P18
SC13
The prepaid platform must number their event records sequentially (Note: this numbering could e.g. be based on the billing ID, and does not need to reflect switch EDR sequential numbering). This is either done based on a report that runs daily or based on an exception / alarm report that is issued upon occurrence.
Billing Manager
Daily
Description and system documentation (technical / functional description) on how the alarm / exception report works. Exception report on missing sequence numbers is reviewed and formally approved.
P18
SC16
Accounting entries with regard to expired revenue are reconciled with actual subscriber balance and scratch card / PIN expirations on the prepaid platform
The accounting entries for expired revenue must be based on and reconciled with actual balance and scratch card / PIN expirations on the prepaid platform, i.e. the deferred income that is taken into revenue via the accounting entry must be reconciled with balance deductions on the user accounts or scratch cards registered in the prepaid platform.
CFO
Monthly
Reconciliation report (expired balances and scratch cards/PINs in Prepaid platform and expired revenues booked in Accounting) is reviewed and formally approved
P18
SC17
Reconciliation between prepaid usage and the delta of the opening and closing balance of accounts
The following reconciliation should be performed: The opening balance - usage (voice and data) + top-ups + promotional credits +/- subscriber balance adjustments - expired subscriber credit = closing balance.
Billing Manager and Finance Responsible (CFO-1)
Daily
The reconciliation (prepaid usage and the delta of the opening and closing balance of accounts) is reviewed and formally approved
P18
SC18
All bookings should be first prepared in draft and then approved by the CFO-1 before being booked in the G/L.
CFO-1
Manual
Preventive
Monthly
P18
SC19
Prepaid platform report is reconciled with the accounting system
The relevant bookings in the G/L are reconciled with their source, i.e. the prepaid platform. This reconciliation must also reconcile the classification of revenue in both systems. Note: It should also include the Tigo Lends You platform report when reconciling the deferred revenue.
CFO
Manual
Detective
Monthly
Reconciliation report (Accounting Vs. Prepaid platform) is reviewed and formally approved
P18
SC21
Formal policies, procedures and documentation related to scratch card PINs / HRNs security (platform documentation, procedure for generating PINs, authority of accesses, access security controls and/or encryption, etc.) should be formalized and reviewed on a bi-annual basis.
IT Security Staff
Automated
Preventive
Documentation of access rights to PINs/HRNs, actual security settings in the system (s) involved and documentation of the encryption method used to send PINs / HRNs to the warehouse are reviewed and formally approved
P18
SC22
The scratch cards and e-vouchers receive a sequential serial number in the prepaid platform
The scratch cards and e-vouchers have unique identification numbers as defined in the functionality of prepaid platform.
Technical team
Automated
Preventive
P18
SC23
Reconciliation between PIN generated value on IN (including status) and those approved by marketing and then received in inventory
There is reconciliation between the scratch cards received in inventory against the PINs generated by the prepaid platform or PIN Generator. Also, this is checked against the approved PIN/HRN request (IC20). The Warehouse Manager performs this control, whilst the Financial Responsible (CFO-1) has to review and approve this reconciliation.
Detective
Reconciliation report (PINs received in Inventory Vs. PINs generated Vs. Approved requests) is reviewed and formally approved.
P18
SC25
Duplicated usage of scratch cards / PINs is reported and reviewed on a regular basis.
Billing Manager
Daily
P18
SC31
A reconciliation is performed between money receipt in Billing System (Cash Management) against the e-pin credit given to the dealers.
CFO-1
Manual
Detective
Daily
Reconciliation report (money receipt in Billing against e-pin credit given in Platform) is reviewed and formally approved
P18
SC32
A reconciliation at the account level is performed as per the following: Opening Balance minus transfer out plus transfer in plus/minus adjustments (if any) equals to the closing balance. Revenue Assurance reviews and ensures that actions are taken.
Billing Manager and CFO-1
Manual (electronic evidence)
Detective
Daily
Reconciliation report at account level (epin opening balance - transfer out + transfer in +/- adjustments = epin closing balance) is reviewed and formally approved
P18
SC34
E-Pin output is reconciled with Prepaid Platform Input
Reconciliation of the output from the e-Pin System against input for the prepaid platform. This reconciliation must occur in values and at the subscriber account level.
Billing Manager
Daily
Reconciliation report (E-Pin output Vs. Prepaid Platform Input) is reviewed and formally approved
P19
IC01
For each new postpaid Wireless subscriber recommended by the commercial department, a formal credit check is performed based on the approved Commercial policy to review and assess the credit status and reputation of the subscriber.
Credit and Collection Manager -1
Manual
Preventive
P19
IC02
A specific exception form exists on the acceptance of subscribers that do not comply with the Commercial policy / credit check limits
A specific exception report (that needs to be approved) exists on the acceptance of subscribers that do not comply with the commercial policy / credit check limits. This report is based on a predefined query.
Credit & Collection Manager
Manual
Preventive
P19
IC03
A specific exception form exists on the acceptance of exceptional discounts that do not comply with the Commercial policy
A specific exception form (prepared and justified by the Sales department) exists on the acceptance of exceptional discounts that do not comply with the Commercial Policy.
Manual
Preventive
For each new subscriber allocated an exceptional discount
Exceptional discount acceptance form is reviewed and formally approved
P19
IC04
Discount Report
All discounts (not part of a discount plan) are reported in a specific exception report on a daily basis. This report must be based on a predefined query.
Consumer Manager
Daily
Formal report of all exceptional discounts given is reviewed and formally approved
P19
IC05
Check if installation material is assigned to subscriber
All additional material used at the time of installation should be charged during provisioning.
Billing team
Manual
Preventive
P19
IC06
All manually provisioned changes to critical subscriber data are automatically reported and reviewed
All manually provisioned changes to critical subscriber data (in the switch or billing environment) are automatically reported and reviewed. The review verifies whether the reported provisioned changes equal the approved subscriber data change requests. Critical subscriber data is (but not limited to): name, address, services and status.
Consumer Manager
Daily
Formal report of all provisioned changes in both the switch and billing environment is reviewed and formally approved. Each provisioned change is matched with an approved change request.
P19
IC09
There is a check over additional material charging if it is required during the installation.
Billing Staff
Charging report on additional material required during the installation is reviewed and formally approved
P19
IC10
Sample testing pre and post bill run (testing completeness and calculation of invoice)
The accuracy of the invoices is verified on a sample basis. The sample should represent a variety of billing scenarios. A log should be maintained for any errors identified.
Billing Manager
Manual
Detective
Pre and Post bill run sample testing reports and results are reviewed and formally approved
P19
IC11
Check that all subscribers are included in a billing cycle
Reconciliation of subscribers in the subscriber data against the subscribers covered by the bill runs in order to verify whether all subscribers are assigned to at least one of the bill runs.
Billing Manager
P19
IC17
Verify whether installation is assigned to client before picking up CPE from the warehouse
There is a verification that CPE given out for installations corresponds to a real customer. CPE are given to technicians upon a valid installation order which is amended and signed off by the Warehouse manager (a copy is kept at warehouse for filing).
Warehouse Manager
Manual
Preventive
Installation orders are amended and formally approved by the Warehouse manager before providing a CPE
P19
IC18
Reconcile disconnection instructions with received CPEs in warehouse and ensure allocation of charges for non received CPEs
Credit and Collection Manager
Weekly
Reconciliation report (disconnection instructions with received CPEs in warehouse) is reviewed and formally approved
P19
SC07
Reconciliation subscriber numbers and profiles in wireless network routers and billing system
Reconciliation subscriber numbers and profiles in wireless network routers and billing system. This includes the number reconciliation, Status, and speed.
Billing Manager
Daily
Reconciliation report (subscriber numbers in wireless network routers and billing system) is reviewed and formally approved
P19
SC12
Comparison of invoices generated in the billing system against the invoices printed and sent out.
Billing Manager
Reconciliation report (invoices generated Vs invoices printed and sent out) is reviewed and formally approved
P19
SC13
Review non billable subscribers traffic (i.e. traffic from subscribers that do not need to pay for certain or all services) and ensure related revenue are not in accounting
Validation of prepared bookings by CFO-1
All non-revenue generating traffic related to specific subscribers that are not billed (cf. MIC policy) are formally reported and approved. This control must be done before transactions are transferred in the accounting system so that only revenue generating transactions are posted.
P19
SC14
All bookings are first prepared in draft and then approved by the CFO -1 before being booked in the G/L.
CFO-1
Manual
Preventive
Specific approval form for bookings is reviewed and formally approved AND/OR Adequate access security / segregation of duties setup in the accounting system (i.e. only the CFO-1 can actually post journal entries) is reviewed and formally approved
Reconciliation report (Billing system Vs Accounting system) is reviewed and formally approved
P19
SC15
Revenue data in the billing system (both accruals and invoices) is reconciled with the accounting system
The relevant bookings in the G/L are reconciled with their source, i.e. the billing system and the invoices and accruals generated by IT. This reconciliation also reconciles the classification of revenue in both systems.
CFO
Manual
Detective
P19
SC16
On a weekly basis a formal review is performed on the status of all overdue subscribers as defined by the collection / barring policy.
Weekly
P1b
Payroll Outsourced
IC01
Personnel additions (Local Senior Management and Regional equivalents) are approved
Subsequent to the approval of RAR, the package for the new Local Senior Management and Regional equivalents is approved.
Preventive
Each new recruitment of new Local Senior Management and Regional equivalents
Packages related to the hiring of Local Senior Management and Regional equivalents are reviewed and formally approved and related contracts are in line with approved packages.
Each new recruitment of employee different than Local Senior Management and Regional equivalents
Contracts with new employees, other than Local Senior Management and Regional equivalents, are reviewed and formally approved.
P1b
Payroll Outsourced
IC02
Personnel additions (other than Local Senior Management and Regional equivalents) are approved
Subsequent to the approval of RAR, the package for the employees other than Local Senior Management and Regional equivalents is approved.
Manual
Preventive
P1b
Payroll Outsourced
IC03
Performance evaluation forms are approved by Head of Departments
The Head of Department reviews and approves the evaluation forms of his/her team, and then sends the evaluation forms to HR Responsible.
Head of Department
Manual
Preventive
Annually
P1b
Payroll Outsourced
IC04
Business Owner reviews the commissions and other variable pay elements (overtime, paid off, sickness, holidays, absence, personnel expenses).
Manual
Preventive
Monthly
Commissions and other variable pay elements reports are reviewed and formally approved. Calculation of effective bonuses allocated to the Local Senior Management and Regional equivalents is reviewed and formally approved.
P1b
Payroll Outsourced
IC05
Effective bonuses and related calculation are approved
Calculation is made based on bonus performance criteria agreed and communicated by Headquarters. The performance of the operation is calculated and communicated by Headquarters, the individual performance discussed and agreed at operation level. Calculation of effective bonuses for Local Senior Management and Regional equivalents is prepared locally and reviewed by the Regional Manager and approved.
CEO and Head of Performance and Reward
Manual
Effective bonuses and related calculation are approved
Calculation is made based on bonus performance criteria agreed and communicated by Headquarters. The performance of the operation is calculated and communicated by Headquarters, the individual performance discussed and agreed at operation level. Calculation of effective bonuses for employees below Local Senior Management and Regional equivalents is prepared locally and reviewed and approved by GM.
Payroll Coding Assignments are reviewed by department
GM
Manual
Preventive
Annually
P1b
Payroll Outsourced
IC06
Preventive
Annually
Calculation of effective bonuses allocated to people below the Local Senior Management and Regional equivalents is reviewed and formally approved.
P1b
Payroll Outsourced
IC08
The mapping between the job positions within the company and related cost center code is reviewed by the Human Resources department (GM-1 or GM-2).
Human Resources department (GM-2)
Manual
Preventive
Quarterly
Mapping between job positions and related cost center code is reviewed and formally approved.
P1b
Payroll Outsourced
IC11
Returns and filings prepared by the service organization are reviewed for reasonableness
Returns and filings are reviewed by Human Resources department for reasonableness and unusual items. Note: All the Employee (Direct, Indirect, Consultants) related Taxes and Social Security commitments must be calculated. Employee Taxes (PAYE, WHT etc) of Local as well as Expatriate employees must be calculated.
Human Resources department (GM-2)
Manual
Detective
Every Filing
Copies of the returns kept on file are reviewed and formally approved.
P1b
Payroll Outsourced
IC13
Monthly payroll activity is compared to previous periods
Human Resources Staff analyses payroll monthly report against payroll report of previous period. All variances greater than 10% should be investigated and explained.
Manual
Detective
Monthly
Analytical review with explanation for significant variances is reviewed and formally approved.
P1b
Payroll Outsourced
SC07
Changes in employment status and variable pay elements are approved before communication to Third Party Service Provider
1) HR Responsible reviews and authorizes the following changes in employee status/package (salary, variable pay elements, benefits, etc) before they are communicated to the Third Party Service Provider:
- Changes due to employee dismissal / termination (removal of the employee from the employee list)
- Changes due to employee recruitment (formalization of new employee contracts)
- Changes due to annual performance evaluation (approval of annual performance evaluation forms)
- Changes due to employee promotion
- Changes due to employee leveling
- Changes due to employee move from one department to another
2) HR Responsible reviews the commissions and other variable pay elements (overtime, paid off, sickness, holidays, absence, personnel expenses and bonuses).
3) Deduction rates, as well as rates for external requirements, social payments and others, are reviewed every time there is a change, to identify eventual changes or errors in the rates.
4) HR Responsible reviews and ensures follow up of cases for recorded complaints of employees.
Human Resources Responsible (GM-1)
Manual
Preventive
Monthly
- Employee identification sheet, status change request documents ('Personnel action' form) are reviewed and formally approved. - All other variable pay elements reports to be communicated to the Third Party Service Provider are approved - Printed copy of discount rate's file is approved - Complaint book is properly approved
P1b
Payroll Outsourced
SC09
Sample of payroll amounts are recomputed and traced to information as per personal files
HR manager recomputes a sample of 3 payroll amounts for clerical accuracy and agrees details with information in personal files.
Manual
Detective
Monthly
Copy of pay slip from selected employee retained on file with evidence of review is reviewed and formally approved.
P1b
Payroll Outsourced
SC10
Bonus accrual computation is reviewed
The Human Resources department prepares the bonus accrual computation based on expected performance.
Manual
Preventive
Quarterly
P1b
Payroll Outsourced
SC12
Pay slip for each individual must be reconciled to fund request form detail and total cash disbursement
Pay slips for each individual must be reconciled to fund request form details and to the total cash disbursement.
Manual
Detective
Monthly
P1b
Payroll Outsourced
SC14
Fund request form is approved by Human Resources department (GM-1 or GM-2) and CFO.
All billing complaints accepted by Consumer undergo an additional validation by the billing department.
Manual
Preventive
Monthly
Report is reviewed and formally approved.
Subscriber billing complaints are reviewed
P20
Adjustments
IC01
Manual
Detective
P20
Adjustments
IC02
Review proposed billing adjustment for prepaid / postpaid / e-pin / wireless subscribers
All Billing Adjustments for all services arising from issues detected by means of the internal controls are validated and approved.
Billing Manager
Manual
Preventive
Prepaid / postpaid / e-pin / wireless billing adjustment form is reviewed and formally approved
P20
Adjustments
IC03
All roaming and interconnect billing adjustments are validated and approved by the CFO and the billing manager.
Manual
Preventive
P20
Adjustments
IC04
Additional approval of massive billing adjustment
In case e-pin, prepaid, postpaid or wireless billing adjustments have an impact on multiple subscribers, an analysis report needs to be approved by the GM and the Customer Manager. An audit log should be kept for every massive adjustment using a batch / script for review purposes. Massive = adjustments that affect multiple subscribers at the same time. Typically, this is the case where the number of adjustments is so high that it is favorable to automate the adjustment in a batch / script instead of performing the adjustment one by one.
GM and Customer Manager
Manual
Preventive
P20
Adjustments
IC06
All billing adjustments as per the systems are reported and matched with the corresponding approved requests for adjustments (i.e. IC1-IC4).
CFO
Manual
Detective
Monthly
Reconciliation report (billing adjustments vs. corresponding approval forms) is reviewed and formally approved
P20
Adjustments
SC05
Billing adjustments are validated/ reviewed and approved based on MIC Policy.
Manual
Preventive
P20
Adjustments
SC07
Validation of prepared Journal Voucher for CN/DN bookings
All the accounting records in relation to CNs or DNs are verified by the CFO -1 before posting into the GL.
CFO-1
Manual
Preventive
Monthly
P20
Adjustments
SC08
CN / DN in the billing systems are reconciled with the accounting system
A reconciliation of the credit and debit notes in the different billing systems with the credit and debit notes recorded in the accounting system.
CFO
Manual
Detective
Monthly
Reconciliation report (CN/DN in billing systems Vs accounting system) is reviewed and formally approved
P21
IC01
The functional and technical description of the batch or report that is used for subscriber reporting must be aligned with the MIC subscriber reporting policy. IT should sign off on this technical description on their understanding of the MIC policy. Finance and Consumer must sign off on their understanding of the functional description and the alignment of this description with the MIC policy.
IT Manager and Consumer Manager and CFO-1
The number of subscribers as recorded in the Reporting package is analytically reviewed by CFO and GM as part of the Reporting package validation and approval before sending out the Reporting package.
GM and CFO
Manual
Preventive
Each time a change occurs to the report, module or batch that generates this report
Functional and technical description of the report or batch (vs. subscriber reporting policy) is reviewed and formally approved
P21
IC02
Subscribers numbers as recorded in the reporting package are reviewed and approved by CFO and GM as part of the Reporting Package validation and approval
Check compliance with accounting principles
Manual
Detective
For each reporting package (i.e. weekly report and monthly report)
Weekly and monthly reporting packages are reviewed and formally approved
P21
IC03
The functional and technical description of the batch or report that is used for subscriber reporting must be aligned with the accounting principles. IT should sign off on this technical description on their understanding of the accounting principles. Finance and Consumer must sign off on their understanding of the functional description and the alignment of this description with the accounting principles.
The reported subscribers are validated by the Consumer manager. Then, the recording of the number of subscribers should be first prepared in draft and then approved by the CFO before being actually recorded or disclosed.
Manual
Preventive
Each time a change occurs to the report, module or batch that generates this report
Functional and technical description of the report or batch (vs. accounting principles) is reviewed and formally approved
P21
IC04
Manual
Preventive
P22
Intercompany
IC02
Manual
Preventive
Each IC invoice
P22
Intercompany
IC03
Intercompany reconciliation is approved by Accounting Responsible
On a monthly basis, Accounting Responsible approves the intercompany BS and PL reconciliation (Excel spreadsheet supported by e-mails exchanged) communicated by the Accounting Staff. The purpose is to ensure that all intercompany balances and transactions are reconciled, enabling proper elimination on consolidation.
Accounting Responsible (CFO-1)
Manual
Detective
Monthly
P22
Intercompany
SC01
The IC contract is signed off by both parties (concerns only loan and TSF).
CFO
Manual
Preventive
P23
IC01
Accounting responsible validates fair value of unquoted securities by reviewing the inputs to the models used
Manual
Preventive
Monthly
P23
SC02
CFO reviews assumptions and approves final computation
CFO reviews assumptions and approves final computation.
CFO
Manual
Preventive
Monthly
P24
IRU
SC01
The list of installations completed during the month is reviewed
On a monthly basis, region technical responsible prepares a list of installations completed during the month. This document is reviewed and approved by the AMNET Region CFO before being communicated to the region accounting department.
AMNET Region CFO
Conclusions on IRU classification (service agreement vs lease) are reviewed
The IRU agreements are reviewed in order to assess whether the IRU should be considered as a lease or a service agreement. Conclusions on IRU classification must be in line with MIC Policy Manual, properly documented by the accountant of the company that is purchasing the IRU and approved.
The IRU agreements are reviewed in order to assess whether the lease should be considered as a financial lease or an operating lease. Conclusions on lease classifications must be in line with IAS 17, properly documented by the accountant of the company that is purchasing the IRU and approved.
AMNET Region CFO
Manual
Monthly
List of installations completed during the month reviewed and formally approved.
P24
IRU
SC02
Manual
Conclusions on IRU classification in accordance with MIC Policy Manual reviewed and formally approved.
P24
IRU
SC03
Conclusions on lease classification in accordance with IAS 17 (capital vs operating lease) are reviewed
Manual
Conclusions on lease classification in accordance with IAS 17 reviewed and formally approved.
P24
IRU
SC04
The leasing amortization table prepared by Accounting Staff for financial lease according to the lease agreement's terms and conditions is approved.
Local CFO of the company purchasing the IRU
Manual
P24
IRU
SC05
The computation of the straight line rent prepared by Accounting Staff for operating lease according to the lease agreement's terms and conditions is approved.
Local CFO of the company purchasing the IRU
Manual
P24
IRU
SC06
Every time there is a change to existing IRUs / Network capacity agreements are reviewed by Region Category Manager to identify changes in existing IRU and assumptions. The list of changes is approved by AMNET Region CFO
Manual
The list of changes to existing IRU and assumptions reviewed and formally approved.
P24
IRU
SC07
IRU assets that are impaired / no longer in use are reviewed
On a quarterly basis, IRU assets are reviewed by Accounting Staff to identify any assets that are impaired or no longer in use. The list is approved by Local CFO.
Reconciliation between accounting and lease amortization table is reviewed
The accounts related to the IRU's Net Book Value (NBV) as per the accounting system are reconciled with the amortization table. Discrepancies are investigated and documented.
Local CFO of the company purchasing the IRU
Local CFO of the company purchasing the IRU
Manual
Quarterly
List of IRU assets that are impaired / no longer in use reviewed and formally approved. Reconciliation reviewed and formally approved.
P24
IRU
SC08
Manual
Monthly
P24
IRU
SC09
Cost allocation sheet prepared based on country requested capacity / usage is reviewed
Installation requirements are reviewed
A cost allocation sheet is prepared by the region operations technicals to summarize the IRU cost to be recharged to each country. The cost is calculated based on the country requested capacity / usage.
AMNET Region technical responsible
For each new content contracted, installation requirements are reviewed and formally approved before being communicated to the Local Technical Area.
-Regional Programming Director -COO Home or Regional CEO Home & Corporate
Manual
Monthly
P25
IC02
Manual
Preventive
P25
SC01
New contents' agreements are approved.
Agreements with content providers are reviewed and formally approved.
-Regional Programming Director -COO Home or Regional CEO Home & Corporate
Manual
Preventive
P25
SC03
List of installations completed during the month is reviewed (Line up Review)
A list of installations, removals or movements completed during the month is reviewed and formally approved. This list is then communicated to the Regional Programming department and to the Financial department. The report must include all the signals that are in the line up specifying name and position by head-end divided into analog and digital (splitting analog from digital)
Local CTO
Manual
Preventive
List of installations completed during the month reviewed and formally approved.
P25
SC04
Programming cost computation report is reviewed
Cost computation report (including both flat fee report and variable cost report) is prepared by the Programming department based on the terms of the agreement (number of subscribers per type of package / country and based on the cost per subscriber). The report is reviewed and approved.
Regional Programming Director
Manual
Detective
Monthly
P25
SC05
Monthly accrual calculation is prepared by Programming department. Conclusions are reviewed and approved. Amount is communicated to operations for booking.
Manual
Detective
Monthly
P25
SC06
Reconciliation between programmers invoices vs. Payments made and their calculation is reviewed
Reconciliation is performed between Programmers' invoices comparing them vs. the payments made during the month and the calculation made to determine those payments. Any differences are investigated and explained; any corrective actions are taken and documented. (The reconciliation must tie the following 3 primary elements: invoice, payment and calculation).
Local Accounting Manager (each country) / Local CFO (each country)
For each new or changed cable TV product, tariff and/or promotion, the Marketing department should initiate a commercial feasibility study (including cost/benefit analysis, a market study, a comparison with the competitors, etc). This study should be formally documented and approved.
Category Manager
Manual
Detective
Monthly
P26
IC01
Manual
Preventive
For each new or changed cable TV product/tariff/promotion
Results of the profitability impact analysis of new/changed tariff is reviewed and formally approved
P26
IC04
Each new or changed cable TV product, tariff and/or promotion should be approved as per MIC Policy.
Manual
Preventive
For each new or changed cable TV product/tariff/promotion
Request forms (for changes / additions to tariff (plans)) are reviewed and formally approved
P26
IC05
A formal credit check is performed for each subscriber before provisioning
For each new corporate cable TV subscriber and for each new residential cable TV subscriber with a digital cable TV package and Pay-Per-View (Pay Per View) option, a formal credit check is performed by the Credit & Collection Manager -1 before any provisioning activities. A specific exception report (that needs to be approved) exists on the acceptance of subscribers that do not comply with the commercial policy / credit check limits.
Credit & Collection Manager -1
Manual
Preventive
For each new corporate cable TV subscriber and for each new residential cable TV subscriber with a digital cable TV package and Pay-Per-View (Pay Per View) option
Credit check form is reviewed and formally approved
P26
IC06
A specific exception report exists on the acceptance of subscribers that do not comply with the commercial policy / credit check limits
A specific exception report (that needs to be approved) exists on the acceptance of cable TV subscribers that do not comply with the commercial policy / credit check limits. This report is based on a predefined query.
Credit & Collection Manager
Manual
Preventive
P26
IC07
All discounts or free usage are reviewed and approved by the Credit & Collection Manager
All discounts or free usage, given to corporate cable TV subscribers, are reviewed and approved by the Credit & Collection Manager.
Manual
Preventive
For each new corporate cable TV subscriber, receiving a discount or free usage
Report including all discounts or free usage given to the corporate subscriber is reviewed and formally approved
P26
IC08
All outstanding cable TV work orders are reported in a specific follow-up report and reviewed and approved by the Installations Head on a daily basis. This report is based on a predefined query.
Installations Head
Daily
Follow-up report on all outstanding work orders is reviewed and formally approved
P26
IC09
Check if installation material is assigned to subscriber
All additional material used at the time of installation should be charged during provisioning.
Billing Staff
Manual
Preventive
P26
IC10
All manually provisioned changes to critical subscriber data are automatically reported and reviewed
All manually provisioned changes to critical subscriber data (in the television billing system and the television network platform) are automatically reported and reviewed. The review verifies whether the reported provisioned changes equal the approved subscriber data change requests. Critical subscriber data is (but not limited to): name, address, services and status.
Consumer Manager
Daily
Formal report of all provisioned changes in both the television billing system and television network platform is reviewed and formally approved. Each provisioned change is matched with an approved change.
P26
IC11
Analyze and resolve rejected usage records at the television billing system
Identify the source of the rejected EDRs and try to resolve the problem in order to prevent the event from happening in the future. Furthermore, the rejected EDRs should be recuperated if possible. This process should occur continuously and the events that happen the most should be tackled first.
Billing Staff
Daily
Rejected EDRs report (Billing system level) is reviewed and formally approved
P26
IC15
Sample testing pre and post bill run (testing completeness and calculation of invoice)
The accuracy of the cable TV invoices is verified on a sample basis. The sample represents a variety of billing scenarios. A log is maintained for any errors identified.
Billing Manager
Manual
Detective
Pre and Post bill run sample testing reports and results are reviewed and formally approved
P26
IC23
Reconcile disconnection work orders with CPEs received in warehouse
On a weekly basis, a reconciliation is performed between received disconnection work orders with CPEs received in the warehouse. Any exceptions are analyzed and followed up.
Credit and Collection Manager
Changed/added products/tariffs/promotions report on Billing System are reviewed
A standard (predefined query) report with all existing cable TV products, tariffs and promotions is generated and signed off on a monthly basis.
Category Manager
Weekly
Reconciliation report (disconnection work orders with CPEs received in the warehouse) is reviewed and formally approved
Formal report on all tariff changes is reviewed and formally approved
P26
SC02
Daily
P26
SC03
Determine accounting impact of tariff changes/addition in cable TV products, tariffs and/or promotions (including bundled offers)
Changes or addition of cable TV products, tariffs and/or promotions (including bundled offers) may have an impact on the way revenue is recognized. As such, Finance needs, as per the MIC accounting policy manual, to assess the impact of a change in revenue recognition.
CFO
Manual
Preventive
For each new or changed cable TV product/tariff/promotion
Results of the accounting treatment impact analysis of new/changed tariff is reviewed and formally approved
P26
SC12
Reconcile subscriber numbers and profiles in television network platform and television billing system
Reconciliation of cable TV subscriber numbers and profiles between television billing system and television network platform.
Billing Manager
Daily
Reconciliation report (subscribers in the billing system vs. network platform) is reviewed and formally approved
P26
SC13
Reconciliation of usage records between television billing system and television network platform
Reconciliation of the Pay Per View usage records between the television billing system and the television network platform.
Billing Manager
Daily
Reconciliation report (usage in the billing system vs. network platform) is reviewed and formally approved
P26
SC14
Check whether charges outside of basic fee are assigned to the subscriber
There is a check over additional charges related to material required during the installation which was not included in the basic fee.
Billing Staff
P26
SC16
Reconciliation of cable TV subscribers in the subscriber data against the cable TV subscribers covered by the bill runs in order to verify whether all subscribers are assigned to at least one of the bill runs.
Billing Manager
P26
SC17
All rejected EDRs on TV Billing Platform should be formally reported before bill run
EDRs not corrected are reviewed by CFO and Local Revenue Assurance Manager before clearing them from the Billing System (based on delegation of authority and local regulations).
Manual
Detective
Rejected (and not corrected) EDRs report is reviewed and formally approved
P26
SC18
Reconciliation between invoices generated versus invoices printed and sent out
Reconciliation between invoices generated versus invoices printed and sent out.
Billing Manager
Reconciliation report (invoices generated Vs invoices printed and sent out) is reviewed and formally approved
P26
SC20
All bookings are first prepared in draft and then approved by the CFO -1 before being booked in the G/L.
CFO-1
Manual
Preventive
Specific approval form for bookings is reviewed and formally approved AND/OR Adequate access security / segregation of duties setup in the accounting system (i.e. only the CFO-1 can actually post journal entries) is reviewed and formally approved
Reconciliation report (Billing system Vs Accounting system) is reviewed and formally approved
P26
SC21
Revenue data in the television billing system is reconciled with the accounting system
The relevant bookings in the G/L are reconciled with their source, i.e. the television billing system and the invoices and accruals generated by IT. This reconciliation also reconciles the classification of revenue in both systems.
CFO
Manual
Detective
P26
SC22
A formal review must be performed on the status of all overdue cable TV subscribers
On a weekly basis a formal review is performed on the status of all overdue cable TV subscribers according to the defined collection / barring policy.
Credit and Collection Manager
Weekly
Overdue subscriber report with actual status is reviewed and formally approved
P27
Hedging
C01
Local CFO reviews the hedging memo (part A) before submission to HQ
For each new hedging instrument, the local CFO reviews the Memo part A (assessing the hedging opportunity) and signs off the part A of the memo related to the hedging activity. Local CFO also authorizes the submission of the memo to the HQ
Head Corporate Finance (HCF) reviews the hedging memo (part A) and authorizes hedging opportunities
Head Corporate Finance reviews the hedging agreement against the hedging opportunities. HCF also reviews the memo (part A) related to the hedging activities and authorizes the transaction
Region CFO
Manual
Each new Hedging instrument is mentioned in control description, any change in subsequent phase (memo part D)
The local CFO signs the part A of the memo
Each new Hedging instrument is mentioned in control description, any change in subsequent phase (memo part D)
The HEF signs the part A of the memo
P27
Hedging
C02
Manual
P27
Hedging
C03
Local legal dept ensures that the terms and conditions are properly reflected within the draft contract and gives its approval on the continuance of the process.
Manual
Each new Hedging instrument is mentioned in control description, any change in subsequent phase (memo part D)
The local legal department signs the draft contract according to the Memo part A
P27
Hedging
C04
The GFC reviews the part B of the hedging memo in order to check the compliance of the contract with IAS 39.88 criteria.
GFC
Manual
P27
Hedging
C05
The Group CFO reviews the hedging agreement together with the GFC comments and approves the transaction
Group CFO
Manual
P27
Hedging
C06
GFC reviews the hedging memo (part C) and related accounting treatment
GFC reviews the hedging memo provided by the Group Finance department and approves the qualification (fair value, cash flow, foreign currency) and the related accounting treatment.
GFC
Manual
P27
Hedging
C07
GFC reviews the hedging memo (part D), journal entry and disclosure
GFC reviews the hedging memo (part D), including data assumptions for the valuation, accounting treatment and valuation method and also reviews the related journal entries and disclosures required by IFRS 7.22 for all hedging instruments and related hedged items
GFC
Manual
Each new Hedging instrument or change in the contract / Each reporting date
P27
Hedging
C08
P27
Hedging
C09
P27
Hedging
C10
P27
Hedging
C11
GFC reviews and approves the conclusion of the hedging memo (part E)
GFC reviews the assessment of changes and the updated version of the hedging memo (part D)
GFC reviews valuation method, journal entry and disclosures required by IFRS 7.22
GFC reviews derecognition journal entry and disclosures required by IFRS 7.22
GFC
Manual
On a quarterly basis
GFC signs the part F of the memo
GFC signs the updated part D of the memo
GFC reviews the assessment of changes of the hedging memo (part D) factors leading to direct derecognition
GFC reviews valuation method, journal entry and disclosures required by IFRS 7.22 and gives the approval for the journal entries
GFC reviews the derecognition journal entry and the disclosures required by IFRS 7.22 for all hedging instruments and related hedged items
Manual
On a quarterly basis
GFC
Manual
On a quarterly basis
GFC signs the derecognition rationale and the related journal entries
GFC signs the derecognition journal entry and disclosures
GFC
Manual
At each derecognition
P28
C01
Local CEO, CFO and CTO review the accuracy of the documentation prepared to assess the tower lease back opportunities
The local CEO, CFO and CTO review the tower lease back opportunities (including business case, potential returns, etc.) and the availabilities of counterparts
Local CEO, CFO and CTO
Manual
P28
C02
Group CFO ensures that everything has been properly and entirely identified and assessed
Group CFO
Manual
P28
C03
Local CFO reviews and approves the lease back contract qualification analysis
The local CFO reviews whether the lease should be considered as a financial lease or an operating lease. Conclusions on lease classifications must be in line with IAS 17 and MIC policies.
Local CFO
Manual
Conclusions on lease classification in accordance with IAS 17 and MIC policies are approved
P28
C04
GFC reviews and approves the lease back contract qualification analysis
The GFC reviews whether the lease should be considered as a financial lease or an operating lease. Conclusions on lease classifications must be in line with IAS 17 and MIC policies. Based on the local CFO analysis
GFC
Manual
Conclusions on lease classification in accordance with IAS 17 and MIC policies are approved
P28
C05
GFC reviews the computation and the accounting memo prepared by the Finance department for operating and finance according to the lease agreement's terms and conditions.
GFC
Manual
P28
C06
Group CFO reviews the computation, the accounting memo and the journal entries prepared by the Finance department for operating and finance according to the lease agreement's terms and conditions.
Group CFO
Manual
P28
C07
GFC reviews the disposal accounting treatment (including sales & lease back accounting specificities)
GFC reviews the disposal accounting treatment and any excess of sales proceeds over the carrying amount.
GFC
Manual
Computation is approved
P28
C08
Local CFO reviews lease computation, related journal entry and disclosures
Local CFO, according to the type of lease, reviews the computation, in case of finance lease: - computes the discounted value (using incremental interest borrowing rate), - creates the leasing amortization table, - prepares the related journal entry, and - prepares the specific disclosures as per IAS 17 and IFRS 7; in case of finance lease: prepares the computation of the rent on a straight line basis, prepares the related journal entry and the specific disclosures as per IAS 17 and IFRS 7
Local CFO
Local CFO, according to the type of lease, reviews the computation, in case of finance lease: - computes the discounted value (using incremental interest borrowing rate), - creates the leasing amortization table, - prepares the related journal entry, and - prepares the specific disclosures as per IAS 17 and IFRS 7; in case of finance lease: prepares the computation of the rent on a straight line basis, prepares the related journal entry and the specific disclosures as per IAS 17 and IFRS 7
GFC
Local CFO
Manual
Computation is approved
P28
C09
Manual
Computation is approved
P28
C10
Local CFO reviews the lease payment conditions changes
Local CFO approves the identified changes in the lease payment conditions occurred during the period
Manual
P28
C11
Local CFO approves the transferability of the rental agreement concerned by the transaction and the purchase request form
Local CFO
Manual
P28
C12
Local CFO and CTO check the supplier responses and approve the transaction
Manual
Agreement is approved
P29
IC04
Testing for systems, platforms, applications and databases is performed in a testing environment
For all critical systems, platforms, applications and databases, there is a testing environment: - separated logically and/or physically from the production environment, - which allows adequate stress, unit, end-to-end testing - which reflects as much as possible the live environment (data in kind and quantity), - which is available for sufficient testing time
Preventive
Print copy of the catalogue and/or description of the testing environments are reviewed and formally approved.
P29
IC10
Implementation of change/project is communicated to all relevant parties (end-users, stakeholders) to ensure they are aware of the change and its related impacts
Critical Systems Technology Responsible(s)
Manual
Preventive
Each new project/change implemented
The profiles matrix (and related rights) related to each job description are Approved
P29
IC11
The Logical Access Management policy (or security policy) is reviewed and approved to check that the management of user accounts for joiners, job changes and job termination is part of the policy (for both employees and contractors, for local and remote access...)
Technology Factory Chief
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Logical Access Management Policy (or Security Policy) is reviewed and formally approved
P29
IC26
Personal data and sensitive information are inventoried and adequately protected to ensure data confidentiality
Backup execution is reviewed
Personal data and sensitive information are adequately protected to ensure data confidentiality
Preventive
Quarterly
Security set-up for personal data and sensitive information privacy is reviewed and formally approved
P29
IC28
Backup execution results are documented in the backup journal and validated to ensure that backups are carried out on critical systems, platforms, applications and databases at least daily for data and weekly for configuration setups
Manual
Detective
Daily
P29
IC32
The formalized DRP is reviewed and approved. Note: DRP and BCP plans should be updated whenever there is a large change implemented.
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The DRP is reviewed and formally approved
P29
IC33
Preventive
Annually
The test results of the DRP are reviewed and formally approved
P29
IC34
The Incident and Problem Management Policy and Procedures is reviewed to check that non-standard events are analyzed and resolved in a timely manner, including escalation procedures, supplier involvement if appropriate and a clear description of the process (flowchart for example)
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The Incident and Problem Management Policy is reviewed and formally approved
P29
IC35
Significant IT events or incidents and failures are monitored, communicated and resolved in a timely manner
Critical Systems Technology Responsible(s)
Manual
Detective
P29
IC36
Detective
Monthly
P29
IC39
The list of authorized software permitted for use by employees is documented and communicated
The list of authorized, tolerated and unauthorized software is formalized and reviewed
Technology Factory Chief
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
List of authorized, tolerated and unauthorized software is reviewed and formally approved
P29
IC40
The list of software installed is reviewed
The list of software installed and used on each computer and server is reviewed and reacted upon
Security Officer
Manual
Detective
Quarterly
P29
IC42
The results of scheduled jobs executions are communicated and approved
Summary of the batch jobs executions is communicated and approved to ensure batch jobs run properly
The operating procedures are reviewed and approved
Formalized operating procedures are in place and documented
Detective
Monthly
The job scheduling checklist and related results are reviewed and formally approved
P29
IC43
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Operating procedures are reviewed and formally approved
P29
IC44
An inventory listing all potential suspicious activities should be maintained to allow the monitoring of unauthorized activities
Change requests are authorized
An inventory listing all potential suspicious activities for each system should be maintained to allow the monitoring of unauthorized activities. This list should be updated based on experience and used to review unauthorized activities (P13.SC37).
Technology Factory Chief and Security Officer
Manual
Change request forms are completed, reviewed and approved
Business Owners and Stakeholders and Critical Systems Technology Responsible(s)
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Listing including all potential suspicious activities.
P29
SC01
Preventive
Change request form is Approved according to the local change management policy.
P29
SC02
Existing controls are identified, tested and redesigned if necessary
Existing controls (which may be affected by the design and implementation of changes) are identified and reported in the change request. Testing of the existing controls impacted is documented as part of the test plans in the change request. Change acceptance tests performed by Business Owners and Stakeholders include the testing of these controls. Appropriate actions are taken to modify or redesign these controls, if necessary, to retain their integrity
Manual
Preventive
Impact analysis, and if appropriate tests results, are reviewed and formally approved
P29
SC03
Change requests (including changes to critical end-user computing tools) have a test plan, a roll-out plan and a rollback plan developed prior to implementation
Test plan, roll-out plan and roll-back plan are formalized, reviewed and approved prior to implementation of the change
Preventive
Test plan, roll-out plan and fallback plan are reviewed and formally approved
P29
SC05
Testing of interfaces between systems and the corresponding results are reviewed
Interface test results are formalized and reviewed to confirm that data transmissions are complete, accurate and valid and that interfaces are working properly
Manual
Preventive
At least every 3 years, and before a new or changed interface is put into production
Interfaces' test results are Approved
P29
SC06a
Test results are reviewed and approved before going live with the change in the production environment
Changes are tested, test results are reviewed and decision to go live in production is approved
Manual
Preventive
P29
SC06b
Implementation results are reviewed and approved after going live with the change in the production environment
Business Owners
Manual
Detective
P29
SC07a
Impact of change on the documentation and support service plans of critical systems, platforms, applications and databases is assessed and the documentation is updated if necessary
Documentation and support service plans for critical systems, platforms, applications and databases is reviewed
Impact of change on the documentation and support service plans of end-user computing tools is reviewed and the documentation is updated if necessary
Documentation and support service plans for end-user computing tools is reviewed
Emergency changes are reviewed
Changes in a critical system, platform application or database are subject to an impact analysis of the related documentation (user and operation procedures, manuals, technical documentation, support service plans, training materials, ) which is updated if necessary
Preventive
List of available documentation (including location) for critical systems, platforms, applications and databases is reviewed and formally approved.
P29
SC07b
The documentation of critical systems, platforms, applications and databases (user and operation procedures manuals, technical documentation, support service plans, training materials, ) is reviewed to ensure sufficiency against business needs
Changes to end-user computing tools are subject to an impact analysis of the related documentation (user and operation procedures, manuals, technical documentation, training materials, ) which is updated if necessary
Detective
List of available documentation (including location) for end-user computing tools is reviewed and formally approved.
P29
SC08a
Business Owners
Manual
Preventive
P29
SC08b
P29
SC09
The documentation of end-user computing tools (user and operation procedures manuals, technical documentation, training materials, ) is reviewed to ensure sufficiency against business needs
Business Owners
Manual
Emergency changes are reviewed to assess legitimacy and compliance with change management policies and procedures
Technology Factory Chief and Country Manager
Manual
Detective
Detective
Bi-annually (period of 5 to 7 months required between control executions)
Every emergency change
P29
SC12
Matrix of profiles (and related rights) are reviewed and mapped to job descriptions
The profiles/roles in the systems, platforms, applications and databases are mapped to each job description (up-to-date), to ensure that related access rights granted via the profiles are commensurate with job/position responsibilities
Business Owners, Critical Systems Technology Responsibles and Human Resources.
Manual
Preventive
The profiles matrix (and related rights) related to each job description are reviewed and formally approved
P29
SC14
Provisioning / deprovisioning forms are reviewed and approved to grant users only the access they need
The logical access request forms for joiners, job changes and job terminations for employees, contractors, vendors and non-client personnel are: - prepared and approved by the Head of Department (of the employee or contracting a third-party), - reviewed and approved by the Human Resources Responsible vs. the job description for legitimacy and segregation of duties purposes, - processed by the IT Staff
Manual
Preventive
P29
SC15
Accesses to systems, platforms, applications and databases is reviewed against the list of all transfers and leavers
Human Resources prepares a monthly list of all transfers and leavers which is used by the Security Officer to verify that the relevant access rights have been modified or revoked
Detective
Monthly
Review of accesses vs. the list of transfers and leavers is formally approved
P29
SC16
Access rights to systems, platforms, applications and databases that are granted (through profiles) are reviewed, updated if necessary and approved
The complete access rights (granted through allocation of profiles) are reviewed to check that: - access rights are in line with employee's position and responsibilities in the company (job description) and that these are still aligned with need-to-have and segregation of duties principles - all users of systems, platforms, applications and databases receive a unique user ID by which they can be uniquely identified (any exception to this rule must be well documented, rationalized and approved) - temporary accounts, generic accounts, applicative accounts are legitimate and adequately supported by documentation
User access rights are reviewed and approved to check that: - only authorized personnel has access for migrating new/modified systems, platforms, applications and databases into the production environment; - user access rights are in line with job description; - this personnel is not authorized to perform any development.
Manual
Detective
Quarterly
P29
SC17
Access for migrating new/modified systems, platforms, applications and databases into the production environment is restricted
Detective
Quarterly
User access rights related to the migration of new/modified systems, platforms, applications and databases are reviewed and formally approved
P29
SC18
Privileged access (admin, super users) to systems, platforms, applications and databases is reviewed and approved
The list of usernames (and corresponding persons) with privileged/powerful access rights to systems, platforms, applications and databases is reviewed to ensure that capability to issue powerful commands is limited to appropriate individuals
Detective
Quarterly
List of usernames (and corresponding persons) granted with privileged/powerful access rights to systems, platforms, applications and databases is reviewed and formally approved
P29
SC19
End-user computing tools are secured from unauthorized access and use
End-user computing tools (such as spreadsheets and other end-user programs) are placed on secured directories, for which the list of usernames (and corresponding persons) with access to these, is reviewed to ensure that accesses respect the need-to-have principles. Note: End-user computing tools are all tools created by business department personnel not limited to only spreadsheets (e.g. Excel Macro, Excel reconciliation spreadsheets, MS Access tools) that are used to compute or control figures of Financial Statement.
Manual
Detective
Quarterly
User access rights list to end-user computing tools is reviewed and formally approved
P29
SC20
Access rights granted to vendors and contractors are strictly limited in terms of time and profile (need-to-have basis)
The access rights granted to providers (including generic, application and maintenance accounts) are reviewed to assess the need-to-be of active vendors' accounts
Human Resources Responsible and Security Officer and Technology Factory Chief
Manual
Detective
Monthly
The vendors/contractors accounts and related access rights are reviewed and formally approved
P29
SC21
Remote access connection capability from vendors, contractors and employees is adequately limited
The timeframe and business requirements for remote access granted to vendors, contractors and employees is reviewed
Human Resources Responsible and Security Officer and Technology Factory Chief
Manual
Detective
Monthly
The list of user accounts with remote access capability is reviewed and formally approved
P29
SC22
Remote access connections from vendors, contractors and employees is monitored
Activities on network components performed during remote access are monitored by the Critical Systems Technical Responsible through review and documentation of the activity logs (connection, tasks performed, disconnection) to ensure they are in line with the planned remote activities. The monitoring of connection/disconnection to the VPN platform (if any) is the responsibility of the Critical System IT Responsible.
Critical Systems Technology Responsible(s)
The reports on remote connections are communicated and approved
Remote connections and the related activities performed are reported
Manual
Detective
The logs of activities from remote connections vs. planned activities are reviewed and formally approved
P29
SC23
Detective
Monthly
Reports on remote connections and activities performed are reviewed and formally approved
P29
SC24
The security set-up for the critical information is reviewed to ensure that only authorized users are in the list
Password files, authorization tables, communications software, encryption keys and critical installation programs are stored in logically protected areas or otherwise protected from read-and-write access
Security Officer and Technology Factory Chief
Manual
Detective
Quarterly
P29
SC25
The set-up for passwords of each system, platform, application and database is reviewed
Password controls to critical network and systems, platforms, applications and databases are in effect and consider minimum security rules (where technically feasible)
Preventive
Security rules implemented in the systems, platforms, applications and databases (print screens, ) are reviewed and formally approved
P29
SC27
Storage and backup principles are formalized and approved
Retention periods, backup and storage terms are defined for documents, data, programs, reports and messages, as well as the data (keys, certificates) used for their encryption and authentication, while considering the classification of company data/information sensitivity
Technology Factory Chief and Legal or Regulatory Responsible
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
Retention periods and storage terms are reviewed and formally approved
P29
SC29
P29
SC30
The backup journal is reviewed to ensure that backups are carried out on critical systems, platforms, applications and databases at least daily for data and weekly for configuration setups
The backup restore journal is reviewed to verify the results of the restore tests
Detective
Monthly
Critical Systems Technology Responsible(s) and Technology Factory Chief-1 (Support Manager)
Manual
Preventive
Bi-annually (period of 5 to 7 months required between control executions)
The restore journal is reviewed and formally approved
P29
SC31
Only authorized individuals have access to the back-up data and media
The list of individuals able to access the backups (physically and logically, on media and on logical drives, on-site and off-site) is reviewed vs. the authorizations
Technology Factory Chief-1 (Support Manager)
Manual
Detective
Quarterly
The review of accesses to backups vs. the authorizations is reviewed and formally approved
P29
SC37
Unauthorized activities attempts recorded in audit trails (logs) on key systems and network components are reviewed
The reports on unauthorized activities are communicated and approved
Unauthorized activities attempts (successful and unsuccessful) done at network, systems, platforms, applications and databases level are identified and reacted upon in an appropriate way. It does include a review of firewall / IDS and IPS logs to detect any hacking intrusion attempt.
Unauthorized activities and their resolution and status are reported
Manual
Detective
Weekly
The security logs and unauthorized activities highlighted are reviewed and formally approved
P29
SC38
Detective
Monthly
P29
SC41
The daily job scheduling checklists and corresponding results are reviewed
Batch jobs are scheduled and monitored to ensure they run as needed and to completion
Manual
Detective
Daily
The job scheduling checklist and related results are reviewed and formally approved
PwC Testing
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain a list of all employees which were subject to annual performance evaluation (some employees hired too recently may not be subject yet to evaluations). - Select the number of employees to be tested. - For each selected employee obtain the annual performance evaluation form. - Ensure it was reviewed and formally approved before promotion period.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- For each selected month obtain the reports including commissions and other variable pay elements (overtime, paid off, sickness, holidays, absence, personal expenses). - Ensure they are reviewed and formally approved. - Obtain the list of all Local Senior Management and Regional equivalents - Select the number of employees to be tested. - For each selected employee obtain the calculation of effective bonus and related supporting documentation (i.e.: assessment of individual performance and general bonus performance criteria communicated by headquarters). - Ensure arithmetical accuracy. - Ensure each calculation was reviewed and formally approved.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Obtain the list of all employees other than Local Senior Management and Regional equivalents - Select the number of employees to be tested. - For each selected employee obtain the calculation of effective bonus and related supporting documentation (i.e.: assessment of individual performance and general bonus performance criteria communicated by headquarters). - Ensure arithmetical accuracy. - Ensure each calculation was reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Obtain the quarterly mapping between job positions within the company and related cost center code. - Reperform the mapping to ensure that: a) All identical job positions bear the same cost center code. b) All the job positions included in the list are active (no expired or inactive positions must be included) c) All the cost center codes included in the list are active (no expired or inactive codes must be included) - Ensure that any discrepancy is properly explained and that corrective action has been taken. - Ensure mapping was reviewed and formally approved.
Reperformance
non-key
Walkthrough
- For each selected month, obtain the analytical review between current month payroll accounts and previous month. - Ensure that the analytical review includes all the costs related to employees: not only salaries, also other personnel expenses, etc. - Verify that all variations equal or above 10% have been properly investigated and explained. - In case of errors, ensure that corrective actions have been taken and documented. - Ensure that the analytical review has been reviewed and formally approved. - For each selected month, obtain the returns kept on file (taxes and social security). - Ensure that any unusual item has been properly investigated and explained. - Verify the returns have been reviewed and formally approved before communication to the authorities.
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
For the selected month, ensure that the HR Responsible reviewed the complaint book. Select a sample of 2 complaints registered in previous months and inquire about the resolution / follow-up performed. 1) For each selected month, obtain a list of the Payroll System changes made during the month (note: you can identify the changes by comparing the payroll detail of the month selected with the previous month. Each change in the employee net salary is in the scope of this control): a) Recruitments (employees added to payroll database). b) Dismissals (employees removed from payroll database). c) Changes in variable pay elements (overtime, paid off, sickness, holidays, absence, personnel expenses). d) Changes in salary and benefits. e) Changes in deduction rates (social payments and others). f) Changes due to employee complaints. 2) Select 10% of the changes made during the month (sample must include all above categories). 3) For each change selected, obtain the personnel action form or any document evidencing HR Responsible approval (or Head of Performance and Reward approval for changes related to Local Senior Management and Regional equivalents). 4) Ensure that the above-mentioned changes were reviewed and formally approved before their input into the payroll system.
Inquiry
non-key
Inspection
Low
Reperformance
- Obtain the reconciliation between the Payroll monthly report and the payroll data approved before input into the payroll system. - Reperform the reconciliation to ensure arithmetical accuracy. - Ensure that the reconciliation is properly evidenced (existence of tick marks and/or cross references). - Ensure that any discrepancy is properly explained and that corrective action has been taken. - Ensure reconciliation was reviewed and formally approved. - Additionally, for the 2 months selected, obtain an employees' list from HR department and ensure that the number of employees in the monthly payroll report equals the total number of employees in the list.
Reperformance
Low
Rely
- Obtain the computation of the bonus accrual for each selected quarter and related supporting documentation. - Verify arithmetical accuracy and reasonableness of calculation. - Tie out the accrual's computation vs. accounting records.
Reperformance
Med.
Reperformance
- Obtain from the inventory system the list of stock that has been ordered during the period under review. - Select the appropriate sample of orders. - For the sample selected: a) Obtain the approved order request form (or approved e-mail). b) Check that the form is duly supported by an inventory review or that a monitoring was done by the warehouse officer. c) Ensure the order is properly reviewed and formally approved. - Additionally select 5 weeks in which "No need to order" was identified and verify that an analysis or support documentation was properly approved to support this situation. - Obtain from inventory system the list of all goods dispatched to customer, Dealers and goods transferred to local warehouse during the period under review. - Select the sample to be tested and for each transaction selected, obtain approved Stock Order Form / approved Dispatch Note. - Ensure that the form was properly completed, reviewed and formally approved by the sending and receiving parties. - Verify sending party reviewed and formally approved the "completed" Stock Order Form / Dispatch Note to ensure that the quantity requested matches with the quantity delivered and received. - Ensure that any differences identified in this review have been investigated and resolved.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of goods in transit. - Ensure that the old outstanding goods in transit (i.e. for which no approved Stock Order Form/Dispatch Note has been received) have been investigated and that any required corrective actions have been executed. - Verify that the goods in transit analysis has been reviewed and formally approved. - Obtain the list of indirect sales that took place during the period under review. - Select the sample to be tested and obtain the related approved Stock Order Form. - Check that it was reviewed and formally approved (i.e. the quantity, amount and the credit limit of the supplier were validated).
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the approved list of sales prices. - Ensure the list has been directly extracted from the invoicing system. - Ensure it has been reviewed and formally approved. - Obtain from the invoicing system the list of stock sales made during the period under review. - Select the sample to be tested and obtain, for each transaction selected, the approved quantity reconciliation between the invoicing system and the stock order form/dispatch note. - Ensure the accuracy of the reconciliation by reperforming it. - For any differences identified, ensure appropriate investigation took place and corrective actions were taken. - Verify that the reconciliations were reviewed and formally approved.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Obtain from the inventory system the list of stock returns that took place during the period under review. - Select the samples to be tested and obtain for each transaction the approved Stock Return Form. - Ensure the form includes the relevant information (description of inventory item returned detailing the accessories, quantity received, reason for return). - Ensure the Stock Return Forms were reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- For the sample selected for IC 10, obtain the approved Credit Note. - Ensure the review of the credit note was properly performed by ensuring that the approved Credit Note is in line with the Stock Return Form. - Verify that the credit note was reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Monthly counts: - Obtain the report of the count performed by technical team. - Verify this report was reviewed and formally approved by the accounting team. b) Bi-annual counts: - Obtain the report of the count performed by technical team. - Ensure that all stock items were counted. - Verify this report was reviewed and formally approved by the accounting team. - Obtain a list of sales authorized to Dealers which were above the credit limit. - Verify that the sales have been properly authorized by the CFO.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the monthly list of dealers which have a balance above their credit limit. - Ensure completeness of list. - Verify that the list was approved by the CFO. - Obtain the approved cost of sale calculation methodology and criteria. - Ensure accuracy of accounting treatment proposed (compared to MIC accounting policy manual). - Verify that the cost of sale calculation methodology was reviewed and formally approved. - Obtain the approved reconciliation between sales in accounting system and sales in invoicing system. - Ensure the accuracy of the reconciliation by reperforming it. - For any differences identified, ensure appropriate investigation took place and corrective actions were taken. - Verify that reconciliation has been properly reviewed and approved.
Inspection
non-key
Walkthrough
Inspection
Low
Rely
Reperformance
Med.
Reperformance
- Obtain the reconciliation between total inventory value in accounting and in inventory module. - Ensure the accuracy of the reconciliation by reperforming it. - For any differences identified, ensure appropriate investigation took place and corrective actions were taken. - Verify that reconciliation has been reviewed and formally approved. - Obtain the approved reconciliation between stock counts performed during the quarter and inventory report. - Ensure the accuracy of the reconciliation by reperforming it. - For any differences identified, ensure appropriate investigation took place and corrective actions were taken. - Verify that reconciliation has been reviewed and formally approved.
Reperformance
Med.
Rely
Reperformance
Low
Reperformance
- Obtain the approved "Obsolete inventory and slow-moving items" policy and/or procedure. - Ensure the policy is in line with MIC accounting policy guidelines. - Check the policy is reviewed on a yearly basis. - Verify policy and / or procedure has been reviewed and formally approved. - Obtain the approved list of obsolete items. - Verify the list has been properly approved by CFO and GM. - Based on the quarterly list of obsolete items approved by the CFO and GM (Control SC15), select 25 obsolete stock items to be checked. - Through observation in the warehouse verify that those items are clearly identified and separated from other stock items. - Obtain the approved calculation of the obsolescence reserve. - Reperform the calculation to ensure that calculation has been made according to the approved assumptions (SC14 - SC15). - Ensure calculation has been reviewed and formally approved. - Obtain the approved remeasurement tests conclusions. - If no remeasurement test should be performed (depends on the stock items type), ensure this conclusion is properly documented and verify in the inventory system that there are effectively no handsets, accessories or CPEs. - If remeasurement test should be performed, obtain the approved stock net realizable value calculation and the methodology describing how to calculate the stock net realizable value. Ensure the approved methodology was properly applied. Ensure that if the NRV was below the current stock value, an adjustment has been booked in the accounts. - Verify that the remeasurement tests conclusions were reviewed and formally approved.
Inspection
Low
Rely
2 2
1 1
Inspection Inspection
Low Low
Rely Rely
Reperformance
Med.
Reperformance
Reperformance
Low
Rely
Med.
- Obtain the list of the CAR issued during the period under review - Select the samples to be tested and obtain for each of them the approved CAR - Verify the CAR was reviewed and formally approved
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Rely
Walkthrough
- Obtain from the PO module the list of all assets purchased which were associated to a CAR. - Select the samples to be tested and obtain the associated approved CAR - Verify that the Purchasing responsible has checked that the assets request remains within the approved CAR amount.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the approved vendor's master file - Verify it was reviewed (e.g. review of potential duplicate suppliers, review and blocking of inactive suppliers) and formally approved. - From contract database, obtain the list of all purchase contracts for the period under review. - Select the samples to be tested and obtain for each of them, the related signed contract and reviewed purchase contract checklist. - Ensure the checklist was properly completed by tracing back all the information to the approved contract. - Verify the checklist was reviewed and formally approved.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- From the accounting system, obtain the list of all credit notes received from the suppliers during the period under review. - Select the samples to be tested and obtain for each of them the approved credit note. - Ensure that the credit note was reviewed and formally approved before booking.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain from accounting system the list of advance payments made during the period and select those for which goods/services have been received. - Select the samples to be tested and obtain the evidence of the reversal booking. - Ensure each reversal has been reviewed and formally approved before booking.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain summary of approved timesheets (cell-site commissioning team working on site under construction). - Verify the timesheets include for all cell-site commissioning team the time they spent on project or site. - Verify that the timesheets were properly reviewed and formally approved
Inspection
non-key
Walkthrough
- Obtain the list of all sites that went on air during the period under review. - Select the sample to be tested and obtain for each of them the approved confirmation of list of assets to be capitalized. - Verify that the confirmation was reviewed and formally approved before the update of the FAR.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Obtain a list of all the assets transferred during the period under review. - Select the samples to be tested and obtain for each of them the approved ATN. - Ensure the ATN was duly completed and formally approved by the sending and receiving department.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain all the approved lists of assets per assets owner. - Ensure that the lists were completed by tracing back the information to the FAR - Ensure that the lists were reviewed and formally approved. - Obtain a list of all the assets disposed during the period under review. - Select the samples to be tested and obtain for each of them the approved ADN. - Ensure the ADN was duly completed, that all required supporting documents were attached (receipt of sales proceed, ARO computation, realized gain or loss) and formally approved.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain from the accounting system, the list of all purchases (goods or services) done during the period under review. - Select the samples to be tested and obtain for each of them the purchase request including the account classification information. - Ensure that the transaction has been properly classified (check to be done based on the MIC accounting policy manual) - Verify that the transaction classification (CAPEX, inventory, OPEX) included in the purchase request has been reviewed and formally approved - Obtain the approved authority matrix - For the sample selected for SC5, obtain the approved purchase order. - Ensure that the PO was reviewed and formally approved as per the authority matrix.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
There are two possibilities to check this control: a) Obtain the PO module technical book and ensure that the system does not allow recording a GRN/SDN quantity higher than the PO quantity. Make sure this option cannot be changed manually. b) If no Technical book can be obtained, ensure that the functionality is properly working in the PO module by performing the following test of 1: try, for one open PO, to record a GRN / SDN with an amount higher than the one assigned in the PO and verify that the system prevents the booking of this operation (make a print-screen as evidence for the test). - Obtain the approved summary statement listing the open CAPEX accruals. - Ensure appropriate analysis has been done (e.g. verify that all open CAPEX accruals have been considered in the analysis, verify that the analysis has been performed by suppliers). Obtain an Ageing of the CAPEX accruals and inquire on all items over 6 months to conclude on the reasonableness of these balances. - Verify that the analysis was reviewed and formally approved.
Inspection
Low
Rely
Inspection
Med.
Independent
- Obtain the approved accruals checklist. - Ensure appropriate analysis has been done (e.g. completeness check, reasons for accruals explained, identification of accruals booked in previous period, total amount booked in the GL). - Verify that the analysis was reviewed and formally approved.
Inspection
Low
Reperformance
- Obtain the approved advance payments summary statements. - Ensure appropriate analysis has been done (e.g. verify that all advance payments have been considered in the analysis, verify that the analysis has been performed by suppliers, ensure completeness and proper reversal of advance payments when goods are received or services delivered). Obtain an Ageing of the Advance payments and inquire on all items over 6 months to conclude the reasonability of these balances. - Verify that the analysis was reviewed and formally approved. - Obtain the approved authority matrix - For the sample selected for SC5, obtain the approved invoices. - Ensure that the invoice was reviewed and formally approved as per the authority matrix before initiating the payment.
Inspection
Med.
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Independent
There are two possibilities to check this control: a) Obtain the PO module technical book and ensure that the system does not allow recording an invoice quantity higher than the PO and GRN/SDN quantity. Make sure this option cannot be changed manually. b) If no Technical book can be obtained, ensure that the functionality is properly working in the PO module by performing the following test of 1: try, for one open PO, to record an invoice with an amount higher than the one assigned in the GRN/SDN and verify that the system prevents the booking of this operation (make a print-screen as evidence for the test). Note: If the 3-way match is manual, obtain a list of the invoices received during the Quarter and select 10 items; request the PO and the GRN for each item in your sample and re-perform the 3-way match to ensure that the PO matches in quantity with the GRN, the PO matches in price with the invoice, and the GRN matches in quantity with the invoice.
Inspection
Low
Rely
- Obtain from the accounting system the list of assets pertaining to the company. - Select 1 type of each different location (e.g. site on air, office, shop and warehouse) and select in total the appropriate sample of assets from the accounting record. - For each location selected, organise an inspection on site and verify that selected assets are physically present on site and that the tag number is correct (tag to floor approach). Select also some assets in the sites and verify afterward that they were properly recorded in the accounts (floor to tag approach). - Ensure also that the tag numbers used comply with the asset coding mentioned by HQ in MIC Policy manual.
- 25 assets (floor to tag approach) - 25 assets (tag to floor approach)
Inspection
Med.
Independent
- For the period under review, obtain a list of all new turnkey projects. - Select the samples to be tested and obtain for each of them the approved accounting memorandum. - Verify that the accounting treatment summarized complies with the contract terms and with MIC accounting policy manual. - Verify that the memorandum was reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Based on the sample selected for IC 17, obtain the valuation sheet from the HR department. - Ensure accuracy of calculation - Verify that the valuation sheet was reviewed and formally approved
Inspection
Med.
Rely
Note that this control is only applicable if the CWIP register is manually maintained. If the CWIP is included in the FAR, this control should be considered as no sample. - Obtain the approved manual CWIP register. - Verify that CWIP register includes at minimum assets identification, date of receipt, PO reference, value, expected date of capitalization, location and asset description. - Reperform the reconciliation between CWIP register and CWIP accounts and ensure that any difference identified has been investigated and corrected. - Verify that the reconciliation was reviewed and formally approved. - Obtain a list of assets which were linked to ARO - Select the samples to be tested (new assets acquired and assets disposed) and obtain the approved ARO calculation sheet - Review the accuracy of the calculation by reperforming it and ensure appropriate supporting documents exist. - Verify the calculation was reviewed and formally approved
Inspection
High
Independent
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Med.
Reperformance
- Based on selection made for IC20, obtain the approved assets costing sheet. - Ensure that all elements have been considered including the assets, ARO, interest, services, freight, duties, etc. - Ensure the accuracy of the costing by reperforming it when possible. - Verify that the costing sheet was reviewed and formally approved. - Ensure that the accounts were properly updated based on this approved costing sheet. - Obtain the list of all regulatory licenses obtained in the period under review. - For each license selected, obtain the agreement and the approved License Summary Sheet. - Reconcile all information in the license summary sheet with the license agreement. - Verify that capitalization rules have been correctly applied. - Verify the license summary sheet was reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
High
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- Obtain the approved summary by assets category showing depreciation rates used. - Verify that analysis was properly performed by ensuring that depreciation rates used correspond to the ones approved in the MIC policy. - For those assets which do not follow normal depreciation rates, verify that they were properly identified and documented: - In case of the use of another depreciation rate, verify the justification and the proper approval. - In case of error, verify its follow-up, correction, documentation and correct booking into the FAR. - Verify that the analysis has been reviewed and formally approved. - Obtain the approved analysis of assets with negative net book value. - Ensure that the analysis was properly performed by ensuring that no assets with negative value were included in those reports. - If negative net book value was identified, ensure that appropriate actions were taken to resolve the issue. - Verify that the analysis was reviewed and formally approved. - Obtain a list of all assets for which useful life was modified during the period under review. - Select the samples to be tested and obtain for each one the approved useful life determination sheet. - Ensure the new rate remains in line with the MIC Accounting Policy Manual or has been properly justified and documented. - Verify that the analysis has been reviewed and formally approved.
Reperformance
High
Reperformance
Inspection
High
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
- Obtain the approved ATN cut-off report. - Ensure that the report includes all required information (sequential number, transfer date, receipt date, FAR update date). - Ensure that any missing ATN in the report has been investigated in order to ensure completeness of FAR update. - Verify that the ATN cut-off report was reviewed and formally approved. - Obtain the approved reconciliation between the count and the FAR. - Ensure the count has been performed for all assets (during the year) and included the verification of the asset number per tag, existence and obsolescence. - Ensure that the reconciliation was properly performed, that any discrepancies identified during the reconciliation process have been properly investigated, and that any issues were properly resolved and corrected if required (in the FAR or on the sites). - Ensure that an analysis of the obsolete items has been properly performed and that any required adjustments were properly documented. - Verify that the reconciliation sheet and obsolete analysis were reviewed and formally approved. - Obtain the approved reconciliation between the count and the CWIP register. - Ensure the count has been performed for all assets under construction and included the verification of the asset number per tag and existence. - Ensure that the reconciliation was properly performed, that any discrepancies identified during the reconciliation process have been properly investigated, and that any issues were properly resolved and corrected if required (in the CWIP register or on the sites). - Verify that the reconciliation sheet was reviewed and formally approved. - Based on the sample selected for IC32, obtain the approved computation of realized gain/loss. - Verify the accuracy of the calculation by reperforming it (using valid supporting documents). - Verify the computation was reviewed and formally approved.
Inspection
High
Reperformance
Inspection
High
Independent
Inspection
High
Independent
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Med.
Reperformance
- Obtain the list of all advance payments made during the period under review. - Identify all advance payments given to suppliers above a predefined threshold, for which the review of the financial statements was not satisfactory and for which no guarantee exists. - Based on this list, select the samples to be tested. - For each of them, obtain the approved report from the service provider and ensure that it includes assessment of the existence, quality and solvability of the related supplier. - Ensure that the conclusions of report are in line with the grant of advance payment (only positive results in each advance payment). - Verify the report was reviewed and formally approved. - Obtain the approved log book of vendor complaints at purchasing department. - Ensure appropriate provision has been calculated when needed. - Verify it has been reviewed and formally approved on a monthly basis.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- Obtain from the accounting system the list of all payments made to suppliers during the period under review. - For each sample selected, ensure that the treasurer has reviewed and formally approved the supplier balance before payment.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the approved log book of customer complaints at the customer service department and check that every case has been clearly identified to ensure an appropriate decision by the Financial Responsible on provisioning. - Ensure appropriate provision has been calculated. - Verify it has been reviewed and formally approved on a monthly basis. - Obtain the approved bank reconciliation summary sheet. - Ensure that this document clearly indicates the reconciliation for each bank account, the remaining unexplained amount and the action plan to explain/correct those differences. - Ensure accuracy of the information included in the summary sheet. a) All active bank accounts are listed. b) Reconciliation was performed based on approved documentation (refer to SC13). c) All discrepancies found were correctly identified and timely resolved. d) The reconciliation has been reviewed and formally approved. - Obtain from the accounting system the list of all petty cash advances granted during the period under review. - Select the samples to be tested and obtain for each of them the approved supporting documents justifying the petty cash advance request. - Ensure adequacy between the petty cash effectively granted and the supporting documents. - Ensure petty cash request is reviewed and formally approved according to authority matrix.
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on the sample selected for IC 15, obtain the approved petty cash voucher. - Ensure the petty cash voucher was reviewed and formally approved by the treasurer (prior to the review of the existence of remaining outstanding advance)
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on the sample selected for IC 15, obtain all the approved invoices related to the advance payment. - Ensure that the expenses made were in line with the authorized advance payment (cf. IC 15). - Verify that the invoice was reviewed and formally approved as per the authority matrix. - Verify that the legality of use was verified (business and legal purposes).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the approved petty cash reconciliation (between general ledger and petty cash count). - Reperform reconciliation and ensure that any difference identified has been investigated and resolved if necessary. - Verify that the reconciliation was reviewed and formally approved. - Obtain the approved payable aging balance report. - Ensure all unpaid amounts for more than 6 months were properly analyzed and cleared if required. - Verify the aging report was reviewed and formally approved. - Obtain the list of the top 20 suppliers and ensure that the selection was made based on the volume of purchases done in the last 12 months. - Ensure that a circularization letter has been timely sent to all of them. - Ensure that the reconciliation was completed during the quarter (i.e. all vendors submitted their answer, all reconciliations have been performed). - Reperform the reconciliation between accounts payable and vendor statement for the defined sample. If a difference has been identified, ensure that appropriate investigation has been performed (and documented) and corrective actions were taken if necessary. - Verify that the reconciliations were reviewed and formally approved.
Inspection
non-key
Walkthrough
Inspection
Low
Rely
a) 2 b) 1
Select the vendor reconciliations performed during the quarter and reperform 10 reconciliations.
Reperformance
High
Independent
- Obtain the list of all payments made during the period under review (from the accounting system). - Exclude from this list all direct debit payments. - Select the samples to test and obtain the approved payment voucher / instructions / cheque. - Verify that the payment voucher / instructions / cheque were reviewed and formally approved (based on adequate supporting documents and as per the approved authority matrix).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain the approved list of authorized direct debit received from the financial institutions. - Ensure it was reviewed and formally approved. - Check that for all unauthorized direct debit identified, actions have been taken and documented (i.e. suppression of direct debit authorization). - For each day selected, obtain the approved reconciliation between the cash deposit and/or electronic payment (from the financial institution) and the sales report (from the cash platform). - Reperform the reconciliation based on valid supporting document and ensure that any differences identified have been investigated and resolved. - Verify that reconciliation was reviewed and formally approved. - Understand frequency of the control and adapt the sample selection based on this frequency. For all samples selected, obtain the approved cash reconciliation between accounting system and billing system. - Reperform the reconciliation based on valid supporting document and ensure that any differences identified have been investigated and resolved. - Verify that reconciliation was reviewed and formally approved. This control is only applicable to dealers indirect sales force. If the company does not have any indirect sales force, this control should be considered as no sample. - In case of sample, obtain the approved reconciliation between banking summary report and bank statements - Reperform the reconciliation based on valid supporting document and ensure that any differences identified have been investigated and resolved. - Verify that reconciliation was reviewed and formally approved. - Obtain the approved analysis of blocked deposit. - Ensure appropriate review was performed on the segregation - Verify that report has been reviewed and formally approved. If weekly: 5 If daily: 25
Inspection
Med.
Rely
25
10
Reperformance
High
Reperformance
If weekly: 3 If daily: 10
Reperformance
Med.
Reperformance
Reperformance
Med.
Reperformance
Inspection
Med.
Rely
- Obtain from the accounting system the list of all bank accounts. - Obtain for each bank account the approved reconciliation (even for zero balance accounts or accounts without movement). - Reperform all reconciliations and ensure differences have been identified, investigated and corrected (if needed). If the investigation is not finalized before the closing of the month, ensure that this is clearly documented and that an appropriate follow-up is performed during the following month. Make sure that all reconciled items, whatever the amount, are investigated. - Ensure that an analysis of all old outstanding unreconciled items has been performed and that appropriate cleaning has been performed. - Ensure that all zero-balance accounts were blocked in the accounting system. - Ensure that all uncashed cheques have been reviewed and cleaned if necessary. - Ensure that all unapplied cash accounts have been reviewed and cleaned if necessary. - Verify that all reconciliations were reviewed and formally approved.
Reperformance
High
Independent
- Identify all new financing / loans granted during the period and select the sample to be tested. - Obtain the approved Loan Summary Form and the corresponding agreement signed by both parties. - Ensure that the Loan Summary Form was properly reviewed by tying all its information with the agreement to ensure validity of data. - Verify the Loan Summary Form was reviewed and formally approved by CFO and HQ (Corporate Finance).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- For all the financing / loans selected in IC1: - Obtain the approved reconciliation between the loan agreement and the cash received. - Reperform reconciliation by tying the amount granted in loan agreement vs. cash received - Ensure that any differences identified have been investigated and resolved. - Ensure reconciliation is reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Based on the results of the analysis performed under SC4, identify if breaches have been identified. - If no, the control is to be considered as no sample - If yes, verify the debt covenants computation has been communicated to HQs for review. - Identify all new financing / loan granted during the period and select the sample to be tested (e.g. bank financing, supplier financing with vendors, 3rd party financing through developing agencies, shareholder loans). - Verify that the agreement was formally approved by HQ (Corporate Finance) before being effective.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
1.- Interest Expenses: - Obtain the approved reconciliation between the calculation sheet and the accounts. - Reperform the reconciliation by tracing back the information to valid source documents. - Ensure that any discrepancy identified has been analyzed, investigated and resolved. - Verify that the reconciliation was properly reviewed and approved. 2.- Classification of Short / Long Term Debt: - Obtain the approved analysis of the classification between long term and short term. - Review appropriate classification based on contract reimbursement terms. - Verify that the analysis was reviewed and formally approved. - Obtain the approved debt covenants computation. - Ensure the analysis was performed based on current data and based on the company 12 months forecast. (Note: as per MIC policy B.4.7.2.5 the Company has to identify potential future breaches, therefore the calculation using the 12 months forecast should be performed). - Reperform loan covenants computation by checking that all loan covenants as per the agreement have been considered in the analysis (financial and non-financial). Recalculate the financial covenants to ensure accuracy of calculation (use valid source information, e.g. approval budget, financial statements). - Verify that covenants computation has been reviewed and formally approved. - Ensure that if breaches were identified, the whole corresponding loan was reclassified into short term, unless an explicit waiver from HQ was obtained. - Obtain from the accounting system the list of all new prepayments booked during the period under review: - For each sample selected, obtain the approved reconciliation between the prepayment details inputted in the fixed assets register and the ones included in the related contract summary form. - Reperform the reconciliation and ensure that any difference identified has been timely resolved. - Verify that the reconciliation was reviewed and formally approved.
Reperformance
Med.
Reperformance
Reperformance
Med.
Independent
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Obtain the approved reconciliation between manual recomputation of monthly prepayment and accounting records. - Reperform the manual recomputation based on valid supporting document - Reperform the reconciliation - Verify the reconciliation was reviewed and formally approved.
Reperformance
Low
Reperformance
- Obtain the approved calculation for the current and deferred taxes accruals. - Reperform the calculation to ensure accuracy (verify validity of source document and ensure arithmetical accuracy of calculation). - Ensure that the provision calculation has been reviewed and formally approved. - Per discussion, understand the frequency of direct tax returns to be filed. Based on this total population, select the sample to be tested. - For the samples selected, ensure that it was reviewed and formally approved by the CFO (signature and / or written comments). - Ensure the review was performed before the return was filed. - Review the accuracy of the tax return by tracing the information to source documents. a) Quarterly comparison: - Obtain the approved comparison between the booking of the tax in the accounts and the tax provision calculation. - Verify arithmetical accuracy. - Verify that comparison was reviewed and formally approved. b) Tax assessment comparison: - Obtain the approved comparison between the booking of the tax in the accounts and the tax assessment. - Verify arithmetical accuracy. - Verify that comparison was reviewed and formally approved. - Obtain from the billing system a report listing all the changes made in the tax parameters during the period under review. - Select an appropriate sample of changes and ensure that the appropriate documentation and approval has been obtained for all of them (check review, sign-off and date) before being input into the billing system. - Obtain the approved quarterly memo summarizing the indirect tax review. - Ensure that any tax rate change (if any) has been documented. - Ensure that an analysis of the indirect tax rate has been performed by type of transaction and that any discrepancy identified has been analyzed, investigated and solved if required. - Verify that the memo was reviewed and formally approved.
Reperformance
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
Quarterly: 2 Ad hoc: - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Quarterly: 1 Ad hoc: - If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- Obtain the approved list of tax parameter changes. - Ensure that a reconciliation was performed between all the changes performed in the system and the approval supporting documents (test the changes according to documentation required in IC06). - Verify that the reconciliation has been reviewed and formally approved.
2
- Per discussion, understand the frequency of indirect tax returns to be filed. Based on this total population, select the sample to be tested. - For the samples selected, ensure that it was reviewed and formally approved by the CFO (signature and / or written comments). - Ensure the review was performed before the return was filed. - Review the accuracy of the tax return by tracing the information to source documents. - Obtain the approved tax advisors report. - Verify the advisor has ensured on a quarterly basis the completeness of direct taxes to be booked using a checklist. Reperform the reconciliation. - Verify the advisor has reviewed on a quarterly basis the tax calculation accuracy including the review of the tax rate. Reperform the calculation by ensuring the accuracy of source documents / information, including tax rate. - Verify the advisor has reviewed on a quarterly basis the uncertain tax position. - Verify the advisor has prepared on an annual basis a loss carry forward analysis. Reperform the analysis by tracing back the analysis to valid supporting documents. - Verify the advisor has reviewed the tax assessment received from the Tax Administration, if any. - Ensure the tax report was reviewed and formally approved by the CFO.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
Quarterly: 2 Annually: 1 Ad hoc: - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Quarterly: 1 Annually: 1 Ad hoc: - If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
High
Independent
- Obtain the approved reconciliations between accounting and income tax base and between statutory and effective income tax rates. - Reperform the reconciliations by tracing back the reconciliation data to valid supporting documents and ensure provided explanations are sufficiently detailed. - Verify that the reconciliations were reviewed and formally approved (signature and / or written comments).
2
- Obtain the approved tax advisors report. - Verify the advisor has ensured on a monthly basis the completeness of indirect taxes to be booked using a checklist. Reperform the reconciliation. - Verify the advisor has performed on a monthly basis a rationalization test per indirect taxes rates. Reperform the reconciliation. - Verify the advisor has reviewed the tax assessment received from the Tax Administration, if any. - Ensure the tax report was reviewed and formally approved by the CFO.
Monthly: 2 Ad hoc: - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Med.
Reperformance
Monthly: 1 Ad hoc: - If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
High
Independent
- Obtain the approved impairment calculation sheet. - Reperform the impairment calculation and ensure adequacy of conclusion. - Ensure that the impairment calculation sheet has been reviewed and formally approved. There are two possibilities to check this control: a) Obtain the billing system's parameterization book. - Review that the functionality "Ageing balance report automatically generated" has been activated. - Check this option is automatic and cannot be changed manually. b) If no Technical book can be obtained, ensure that the functionality is properly working in the billing system by performing the following test of 1: - Ask an accountant to make an extraction of the ageing report. - Ensure the report is automatically generated and contains all data and proper classification of ageing. - Obtain the approved reconciliation between Accounts Receivable (AR) from the aging balance and from the general ledger. - Reperform the reconciliation by checking that the AR aging balance ties with the AR balance in the general ledger (check last version in the accounting system) and ensure that any differences identified have been investigated and resolved. - Verify that the reconciliation has been reviewed and formally approved. - Ensure that all amounts overdue for more than 120 days have been provisioned for (unless a waiver has been obtained from the Cluster Responsible). - Ensure that all interconnect and roaming partners, dealers and overdue postpaid subscribers have been reviewed on an individual basis and that for any customer or partner facing financial stress, an additional bad debt provision has been considered in the quarterly bad debt provision balance. - Ensure that this analysis has been properly documented, reviewed and formally approved.
Reperformance
Med.
Independent
Inspection
Low
Rely
Reperformance
Low
Rely
Inspection
Med.
Reperformance
- Obtain the approved bad debt provision calculation sheet. - Reperform provision calculation and ensure accuracy (of source information and calculation). - Ensure that all balances overdue for more than 90 days have been provisioned. - Ensure that this analysis has been properly documented, reviewed and formally approved. - Based on the samples selected for IC2, determine the contracts that include the MIC purchasing general terms and conditions and ensure that those terms and conditions were reviewed and formally approved. - For the contracts which do not include the MIC purchasing general terms and conditions, verify that those terms and conditions were reviewed and formally approved by the legal responsible.
Reperformance
Low
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- From the contracts database, obtain the list of all new contracts / agreements issued during the period under review. - Select in this list the samples to be tested and obtain the related contracts. - Verify for each sample selected that the legal responsible has ensured that the contract was properly signed by both parties. - In particular, ensure that the contract was signed according to the company approved authority matrix. - Based on the samples selected for IC2, obtain the approved contract summary form. - Reconcile the information contained in the contract summary form with the contract to ensure data accuracy. - Verify that it has been reviewed and formally approved by the legal department. - Ensure it is sequentially numbered.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
non-key
Walkthrough
- Based on the samples selected for IC2, obtain the approved "calculation sheet". - Reconcile the information contained in the calculation sheet with the contract summary form and the contract to ensure data accuracy. - Ensure that all accounting treatments comply with the MIC accounting policy. - Ensure the arithmetical accuracy of any calculation. - Verify that the calculation sheet has been reviewed and formally approved by the accounting responsible. - Obtain the approved list of all CAPEX purchase commitments. - Verify that this list was reviewed and formally approved by the Purchasing Responsible to ensure completeness and accuracy (signature and / or written comments). - Verify that the total CAPEX commitments from the detail reviewed matches the total CAPEX commitments figure reported to HQ. - Obtain the approved list of all pending litigations and lawsuits. - Verify that this list includes the following information: description of lawsuits, status, estimated loss and probability of occurrence. - Verify that this list was reviewed and formally approved by the Legal Responsible to ensure completeness and accuracy (signature and / or written comments). - Obtain the approved list of the guarantees / pledge assets. - Verify that this list was reviewed and formally approved by the CFO to ensure completeness and accuracy (signature and / or written comments). - Obtain the approved compliance memo. - Obtain also a copy of all the license agreements. - Verify, in the compliance memo, that all license agreements are analyzed. - Verify, in the compliance memo, that for each license agreement, all major terms and conditions have been listed. - Verify, in the compliance memo, that for each license agreement, a review of all major terms and conditions has been performed by the Responsible (i.e. the purpose is to ensure that no breach is detected and that all terms and conditions are still respected). - Obtain the approved list of all lease agreements (financial and operating). - Verify that this list was reviewed and formally approved by the Financial Responsible to ensure completeness and accuracy (signature and / or written comments). - Obtain the approved summary of tax commitments and contingencies. - Verify that this summary was reviewed and formally approved by the Tax Responsible to ensure completeness and accuracy (signature and / or written comments).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Med.
Reperformance
Inspection
Low
Reperformance
Inspection
Med.
Independent
Inspection
Low
Reperformance
Inspection
Med.
Rely
Inspection
Med.
Independent
Inspection
Med.
Rely
- Obtain all the approved lists of other commitments and contingencies.
- Verify that this list was completed, reviewed and formally approved by all departments (completeness of documentation review).
- If no additional commitment and contingency needed to be reported by a Head of Department, ensure that the review was still performed and resulted in this conclusion (e.g. evidence of investigation, approval of a nil report).
- Verify that Finance has reviewed information provided by other departments and accounting treatment decision based on IFRS (accounting booking, disclosure).

a) Changes approval:
- Obtain from the accounting system a report listing all the changes made in the accounting system parameters during the period under review.
- Select changes at random and ensure that the appropriate review and approval has been obtained for all of them (check sign-off and date).

b) Full review of all parameters:
- Obtain the report listing all accounting parameters and ensure they were all reviewed and signed (Annual check).

There are 2 possibilities to check this control:
1. Obtain Technical book.
   - Review that the functionalities "no unbalanced journal entry can be booked" and "journal entries numbers are automatically generated" have been activated.
   - Check these options are automatic and cannot be changed manually.
2. If no Technical book can be obtained, ensure that the two functionalities are properly working in the system by performing the following test of 1:
   - Ask the accountant to try to book an unbalanced entry.
   - Verify that the system blocks this action and print the screen.
   - Ask the accountant to try to book two transactions with the same journal number.
   - Verify that the system blocks or does not allow this action and print the screen.

- From the accounting system, obtain a list of standard journal entries (S-JE) recorded in the period under review. (Note: if no list of S-JE is available, obtain the full list of JE and filter the Standard ones by using the MIC definition and using the accounts name and/or transaction type / description)
- Select S-JE at random, and for each one:
  a) Verify the existence and accuracy of supporting documents (reperformance if needed).
  b) Ensure that the supporting documents properly tie with the journal entry.
  c) Ensure that the journal entry has been reviewed and formally approved as per the authority matrix.
  d) Ensure that the posted journal entry corresponds to the one approved.
Inspection
Low
Rely
a) Inspection
Med.
Reperformance
b) 1
b) 1 b) Inspection
Inspection
High
Reperformance
25
10
Reperformance
High
Independent
- From the accounting system, obtain a list of Non standard journal entries (NS-JE) recorded in the period under review. (Note: if no list of NS-JE is available, obtain the full list of JE and filter the Non Standard ones by using the MIC definition and using the accounts name and/or transaction type / description)
- Select NS-JE at random, and for each one:
  a) Verify the existence and accuracy of supporting documents (reperformance if needed).
  b) Ensure that the supporting documents properly tie with the journal entry.
  c) Ensure that the journal entry has been reviewed and formally approved as per the authority matrix.
  d) Ensure that the posted journal entry corresponds to the one approved.
25
10
Reperformance
High
Independent
- Obtain the Non-standard JEs summary list (monthly report prepared by Accounting Responsible).
- Ensure completeness of the list. (Based on the list of JEs extracted from the accounting system, identify by spot check the potential NS-JE and verify that they were all included in the approved summary list).
- Verify this report has been reviewed and formally approved (check sign-off and date).
- Obtain the closing checklist and the closing binder.
- Ensure that all controls listed in the closing checklist have been properly performed (Tie out all the points included in the checklist vs. support documentation included in the closing binder).
- Reperform all month-end controls included in the closing binder.
- Ensure that the closing checklist and all binder documentation are reviewed and formally approved. (i.e. tick marks ensuring completeness on it, signature of review, etc.).

In case local Ledger is different to IFRS one:
- Obtain the approved "Local GAAP and IFRS reconciliation".
- Obtain a copy of the final version of the Local GAAP Ledger.
- Obtain a copy of the final version of the IFRS Ledger (before adjustments).
- Reperform the reconciliation.
- Ensure that any differences identified have been investigated and resolved.
- Ensure reconciliation is reviewed and formally approved.

In case local Ledger is different to IFRS, per each month selected:
- Obtain the "IFRS adjustments calculation sheet" performed by the accounting team and the list of all the IFRS Adjustments recorded in the accounting system.
- Ensure all IFRS adjustments were properly calculated and recorded under IAS principles (i.e. IFRS reference included as a technical support).
- Verify the arithmetical accuracy of all IFRS adjustments.
- Ensure all IFRS adjustments were reviewed, formally approved and posted in the accounting system (IFRS Ledger).

- Per each month selected, obtain the printed "Clean Promotion screen".
- Ensure this screen has the "Clean" status, as evidence of the correct transfer of information from local accounting system to consolidation system.
Inspection
High
Independent
Reperformance
High
Independent
Reperformance
Med.
Reperformance
Reperformance
Med.
Independent
Inspection
High
Reperformance
- From the consolidation system, obtain for the two months selected, all Manual Journal Entries (CM-JE only booked by Operations) in the period under review. For all of them:
  a) Verify the existence and accuracy of supporting documents (reperformance if needed).
  b) Ensure that the supporting documents properly tie with the journal entry.
  c) Ensure that the journal entry has been reviewed and formally approved as per the authority matrix.
  d) Ensure that the posted journal entry corresponds to the one approved.
- Obtain the approved Reporting Binder.
- Verify that Reporting Binder contains the final version of reporting packages (by tying total amounts in each reporting package vs. closing Trial Balance).
- Ensure that all points included in the Reporting checklist have been properly performed by the responsible.
- Ensure that every data item included in the reporting package disclosures is supported by underlying approved documentation. (Note that a clear link (for instance: tick marks) should be evidenced between the reporting package disclosure and the related supporting documents).
- Ensure binder documentation is reviewed and formally approved. (i.e. tick marks ensuring completeness on it, signature of review, etc.).
- In order to verify that monthly reporting package has been approved by HQ in the consolidation system, obtain "Promotion screen" and ensure that level indicated is the highest.
- Obtain the list of all critical systems, platforms, applications and databases.
- For each critical system, platform, application and database, obtain and inspect the print copy of the catalogue and/or description of the testing environment.
- Ensure that the testing environment is separated logically and/or physically from the production environment, that it allows adequate stress, unit and end-to-end testing, that it reflects as much as possible the live environment (data in kind and quantity), and that it is available for sufficient testing time.
- Ensure that the print copy of the catalogue and/or description of the testing environment has been formally reviewed and approved by the CIO.
- In case there is no separate testing environment for a critical system, platform, application or database, ensure that there are specific adequate procedures and guidelines in place for testing (including details of mitigating factors and measures in place to prevent negative impact of testing) and that they have been formally reviewed and approved by the CIO.
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For each selected item, determine whether users and relevant stakeholders were informed of the change implementation.
Reperformance
Low
Rely
Reperformance
High
Independent
Inspection
Low
Rely
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the Logical Access Management Policy (or Security Policy).
- Determine whether the management of user accounts for joiners, job changes and job termination is part of the policy (for both employees and contractors, for local and remote access...).
- Ensure that the Logical Access Management Policy (or Security Policy) has been formally reviewed and approved by the CIO within the last 7 months.
- Obtain evidence that the Logical Access Management Policy (or Security Policy) has been formally communicated.
- Obtain and inspect the formal inventory of personal data and sensitive information.
- Ensure that security means are enabled to protect the integrity and privacy of these personal data and sensitive information.
- For the last quarter, ensure that the security set-up has been adequately and formally reviewed and approved by the CIO and the Legal or Regulatory Responsible.
- Obtain and inspect the backup policy to verify whether the backup terms are appropriate (all critical elements considered in scope and backup frequency requirements).
- Based on professional judgement, select the sample for the period under review.
- For each of the selected days, obtain and inspect the Backup journals to ensure that backups were run as per the backup policy (at least daily for data and weekly for configurations) for all critical systems, platforms, applications and databases.
- Ensure that the backups ran successfully to completion (or failure was explained and timely remediated).
- Ensure that the backup journals have been formally reviewed and approved by the Critical Systems IT Responsible(s).
- Obtain and inspect the Disaster Recovery Plan.
- Ensure that the DRP addresses the critical systems, platforms, applications and databases as a minimum requirement.
- Ensure that the DRP has been formally reviewed and approved by the CIO and GM within the last 7 months.
- Obtain and inspect the Disaster Recovery Plan.
- Obtain and inspect the DRP test results (if a real disaster occurs and leads to the deployment of the plans, then this is considered as the sample item).
- Verify that the DRP was tested within the last year.
- Ensure that the DRP test results have been formally reviewed and approved by the CIO and GM.
- Obtain and inspect the Incident and Problem Management Policy and Procedures.
- Ensure that it defines handling, analysis and resolution mechanisms of non-standard events (incidents), including escalation procedures, supplier involvement if appropriate and clear description of the process.
- Ensure that the Incident and Problem Management Policy and Procedures have been formally reviewed and approved by the CIO within the last 7 months.
- Obtain evidence that the Incident and Problem Management Policy and Procedures have been formally communicated.
- Obtain and inspect the Events and Incidents Journals for the period under review.
- Based on professional judgement, select a representative sample of significant IT events or incidents and failures for the period under review.
- For each of the selected events, incidents and failures, ensure that they have been formally reviewed and approved immediately by the Critical Systems IT Responsible(s).
- For each of the selected events, incidents and failures, ensure that it has been communicated and resolved in a timely manner.
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on professional judgement, select a 2 month sample for the period under review.
- For each of the selected months, obtain and inspect the Events and Incidents Journals.
- Ensure that all significant IT events or incidents and failures of the Events and Incidents Journals (including the resolution activities and status) have been formally communicated to the CIO and GM.
- Ensure that the Events and Incidents Journals have been formally reviewed and approved by the CIO and the GM.
- Obtain and inspect the document defining and listing authorized, tolerated and unauthorized software.
- Ensure that the list of authorized, tolerated and unauthorized software has been formally reviewed and approved by the CIO within the last 7 months.
- Ensure that the list of authorized, tolerated and unauthorized software has been formally communicated throughout the company.
- Obtain and inspect the document defining and listing authorized, tolerated and unauthorized software.
- Obtain and inspect the document which formalized the review of software installed and used.
- Ensure that the review addresses all the computers and machines (user PCs and servers).
- Ensure that any unauthorized software installed has been reported and reacted upon.
- Ensure that the review of software installed and used has been formally reviewed and approved by the Security Officer.
- Based on professional judgement, select the sample for the period under review.
- For each of the selected months, obtain and inspect the job scheduling checklists of all critical systems, platforms, applications and databases to determine whether they have been formally reviewed and approved by the CIO.
- Obtain and inspect the operating procedures.
- Ensure that all operation procedures have been documented, updated and formally reviewed and approved by the CIO within the last 7 months.
- Obtain and inspect the operating procedures.
- Ensure that the listing of all potential suspicious activities has been updated and formally reviewed and approved by the CIO and the Security Officer within the last 7 months.
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For each selected item, obtain the corresponding change request form.
- Determine whether the selected change was formally authorized by Business Owners, Stakeholders and the relevant Critical System IT Responsible before the change had been processed.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For each selected item, obtain the corresponding change request form.
- Determine whether the selected change was subject to an impact analysis (in particular regarding controls that may be impaired) reviewed by Business Owners, Stakeholders and the relevant Critical System IT Responsible.
- Ensure that appropriate actions were taken to modify or redesign these controls (if necessary) to retain their integrity.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For each selected item, obtain the corresponding change request form.
- Determine whether the selected change was subject to the formalization of a test plan, a roll-out plan and a roll-back plan.
- Ensure that the test plan, roll-out plan and roll-back plan had been formally reviewed and approved by the relevant Critical Systems IT Responsible and CIO prior to implementation of the change.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain the list of all interfaces between critical systems, platforms, applications and databases.
- For each interface, obtain the last testing results.
- Ensure the testing results are no more than 3 years old.
- Ensure that the test results confirm that data transmissions are complete, accurate and valid.
- Ensure that the interface test results have been formally reviewed and approved by the Critical Systems IT Responsible.
- Obtain the list of individual changes that occurred on existing interfaces during the period under review.
- Based on professional judgement, select a representative sample of changes to interfaces for the period under review.
- For each selected item, obtain the interface test results.
- Ensure that the test results confirm that data transmissions are complete, accurate and valid.
- Ensure that the interface test results have been formally reviewed and approved by the relevant Critical Systems IT Responsible.
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For each selected item, obtain the corresponding change request form including the test plan approved.
- Determine whether the test plan was followed for testing the change.
- Determine whether the test results were formally documented, reviewed and approved by Business Owners, Stakeholders and Critical Systems IT Responsible before the change had been implemented (live in the production environment).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
High
Independent
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For each selected item, obtain the corresponding change request form.
- Determine whether the change results were reviewed by the Business Owner showing approval of the change implemented.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
High
Independent
- Obtain the list of all changes to critical systems, platforms, applications and databases.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For selected changes, obtain and inspect the change requests and ensure that documentation impact assessment has been formalized.
- If updated, ensure that documentation has been reviewed formally by the Business Owners and CIO.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Reperformance
- Obtain the list of all critical systems, platforms, applications and databases.
- For each critical system, platform, application and database, obtain and inspect the list of available documentation and support service plan (including location) and ensure it is kept in the mentioned location.
- Ensure that it has been formally reviewed and approved by the Business Owners and CIO.
Inspection
Low
Reperformance
- Obtain the list of all end-user applications.
- Based on professional judgement, select a representative sample of changes for the period under review.
- For selected changes, obtain and inspect the change requests and ensure that documentation impact assessment has been formalized.
- If updated, ensure that documentation has been reviewed formally by the Business Owners.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain the list of all end-user applications.
- For each end-user application, obtain and inspect the list of available documentation and support service plan (including location) and ensure it is kept in the mentioned location.
- Ensure that it has been formally reviewed and approved by the Business Owners.
- Obtain and inspect the list of emergency changes to systems, platforms, applications and databases (logs if any), especially emergency changes to critical ones.
- Based on professional judgement, select a representative sample of emergency changes for the period under review.
- For each selected item, obtain the corresponding emergency change form.
- Determine whether the selected emergency change was formally reviewed and authorized by the CIO and the GM.
- Obtain the list of all positions/functions in the company and the related job descriptions.
- Verify that each job description specifies the profiles/accesses to be allocated to the corresponding position/function.
- Obtain and inspect the matrix of profiles to determine whether all positions/functions have been considered.
- Verify whether the matrix of profiles is in line with all the job descriptions and roles in the organization.
- Ensure that it has been reviewed within last 7 months.
- Ensure that it has been formally reviewed and approved by the Business Owners/Critical Systems Responsibles and Human Resources.
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
Med.
Reperformance
- Obtain and inspect the list of joiners, job changes and job terminations, for employees, contractors, vendors and non-client personnel.
- Based on professional judgement, select a representative sample of access request forms (provisioning and deprovisioning) for the period under review.
- For each selected item, determine whether selected forms were adequately prepared, reviewed and approved by the Head of Department and the Human Resources Responsible.
- Verify in the relevant systems, platforms, applications and databases that the access rights have been granted (in case of provisioning) or revoked (in case of deprovisioning) as per the details of the approved provisioning/deprovisioning form.
- Based on professional judgement, select the appropriate sample of months for the period under review.
- For each selected month, obtain the list of transfers and leavers from Human Resources Department.
- For each transfer and leaver of the list, obtain system evidence that the access rights have been updated accordingly (modified for transfers or revoked/suspended for leavers).
- For each selected month, ensure that the review of transfers and leavers has been formally reviewed and approved by the Human Resources Responsible and the Security Officer.
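The transfers-and-leavers reperformance described above can be scripted once the HR list and the system capture are exported. The following is an added example, not part of the original procedures; the CSV column names, the status vocabulary and the exception labels are assumptions, and all sample rows are constructed.

```python
import csv
import io
from datetime import date

# Assumed vocabulary for a revoked/suspended account in the system capture.
REVOKED_STATES = {"disabled", "suspended", "revoked"}

# Constructed sample: HR list of transfers and leavers for one selected month.
HR_CHANGES_CSV = """\
employee_id,event,effective_date
E100,leaver,2024-03-15
E101,transfer,2024-03-20
E102,leaver,2024-03-28
E103,leaver,2024-03-29
"""

# Constructed sample: account export ("system capture") taken after month end.
ACCOUNTS_CSV = """\
system,user_id,employee_id,status,last_change
billing,arivera,E100,disabled,2024-03-15
erp,arivera2,E100,active,2023-06-01
billing,bchen,E101,active,2024-01-10
erp,bchen,E101,active,2024-03-21
erp,cokafor,E102,Active,2023-11-02
"""


def load(text):
    """Parse an exported CSV into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_rows, account_rows):
    """Return (employee_id, system, user_id, exception) tuples for follow-up.

    Leavers must have every account revoked or suspended. Transfers must show
    a modification on or after the effective date (or a revoked account).
    An HR entry with no account in the export is reported so the auditor can
    confirm the capture covers all critical systems.
    """
    by_employee = {}
    for acct in account_rows:
        by_employee.setdefault(acct["employee_id"], []).append(acct)

    exceptions = []
    for hr in hr_rows:
        effective = date.fromisoformat(hr["effective_date"])
        accounts = by_employee.get(hr["employee_id"], [])
        if not accounts:
            exceptions.append((hr["employee_id"], "-", "-", "NO_ACCOUNT_IN_EXPORT"))
            continue
        for acct in accounts:
            status = acct["status"].strip().lower()
            changed = date.fromisoformat(acct["last_change"])
            key = (hr["employee_id"], acct["system"], acct["user_id"])
            if status in REVOKED_STATES:
                continue  # revoked or suspended satisfies both event types
            if hr["event"] == "leaver":
                exceptions.append(key + ("LEAVER_STILL_ACTIVE",))
            elif hr["event"] == "transfer" and changed < effective:
                exceptions.append(key + ("TRANSFER_NOT_UPDATED",))
    return exceptions


if __name__ == "__main__":
    for row in reconcile(load(HR_CHANGES_CSV), load(ACCOUNTS_CSV)):
        print(*row, sep="\t")
```

Each reported row is a follow-up item, not a conclusion: a transfer may legitimately keep an unchanged profile on a given system, which the tester confirms against the approved form.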
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Med.
Reperformance
Med.
Reperformance
- Obtain and inspect the access rights review performed.
- Ensure that the scope of the access rights review is complete (i.e. at least all critical systems, platforms, applications and databases).
- For each critical system, platform, application and database, ensure that the effective access rights (system capture) are in line with employee's position and responsibilities in the company (job description) and that these are still aligned with need-to-have and segregation of duties principles.
- For each critical system, platform, application and database, ensure that all users have a unique user ID by which they can be identified (any exception to this rule must be well documented, rationalized and approved).
- For each critical system, platform, application and database, identify temporary accounts, generic accounts, applicative accounts and ensure that they are legitimate and adequately supported by documentation and explanations.
- Ensure that the access rights review has been reviewed and approved by each Critical Systems IT Responsible and the Security Officer.
High
Independent
- Obtain and inspect the access rights review related to the migration of new/modified systems, platforms, applications and databases.
- Ensure that the scope of the access rights review is complete (i.e. at least all critical systems, platforms, applications and databases).
- Based on effective access rights (system capture), determine which accounts are authorized to migrate new/modified systems, platforms, applications and databases into the production environment.
- Determine whether the job descriptions of the personnel capable of migrating new/modified systems, platforms, applications and databases into the production environment specify such an authority for these positions/functions.
- Ensure that these personnel (authorized to migrate new/modified systems, platforms, applications and databases into the production environment) are not authorized to perform any development, in order to comply with Segregation of Duties principles.
- Ensure that the access rights review related to the migration of new/modified systems, platforms, applications and databases has been formally approved by the Security Officer and the CIO.
- Obtain and inspect the list of usernames (and corresponding persons) with privileged/powerful access rights to systems, platforms, applications and databases.
- Ensure that this list is in line with the access actually implemented in systems (system capture).
- Ensure that such privileged/powerful access rights are part of the job description of the persons using these usernames.
- Ensure that access to powerful operating system commands is limited to the appropriate IT users.
- Ensure that the list of usernames with privileged/powerful access rights to systems, platforms, applications and databases has been formally reviewed and approved by the Security Officer and the CIO.
High
Reperformance
High
Independent
- Obtain the updated list of end-user computing tools.
- For each end-user computing tool (such as spreadsheets and other end-user programs), obtain the user access rights related to it (e.g. access rights to the directory/folder where it is stored and used from the system capture).
- Ensure that the list of user access rights to end-user computing tools has been formally reviewed and approved by the Head of Department and Business Owners.
Med.
Reperformance
- Based on professional judgement, select the appropriate sample for the period under review.
- For each selected month, obtain the reviewed list of vendor/contractor accounts and the related access rights (system capture).
- Ensure that the scope of the list is complete (i.e. at least all critical systems, platforms, applications and databases).
- Obtain the access request forms related to each vendor/contractor.
- Verify whether each vendor/contractor access is limited in terms of access rights granted and time of activity defined in the access request form.
- Verify whether each existing vendor/contractor account is legitimate vs. the provisioning and deprovisioning dates defined in the access request form.
- Ensure that the list of vendor/contractor accounts and the related access rights has been formally reviewed and approved by the Human Resources Responsible, Security Officer and Critical Systems IT Responsible(s).
- Based on professional judgement, select the appropriate sample for the period under review.
- For each selected month, obtain the list of user accounts with remote access capability granted to vendors, contractors and employees (system capture).
- Ensure that the scope of the list is complete (i.e. at least all critical systems, platforms, applications and databases).
- Obtain the remote connection request forms related to the vendors, contractors and employees who have remote connection capabilities.
- Ensure that remote connection is appropriately limited in terms of time window of activity (e.g. no 24h/7d activation) in line with the need-to-have.
- Ensure that only vendors, contractors and employees that currently need to access Tigo infrastructure remotely can actually connect remotely.
- Ensure that the list of user accounts with remote access capability granted to vendors, contractors and employees has been formally reviewed and approved by the Human Resources Responsible, Security Officer and CIO.
- Obtain the logs of remote connections for each critical system, platform, application and database.
- Based on professional judgement, select a representative sample of remote accesses to these for the period under review.
- For each selected item, ensure that the activities were adequately supported by a remote connection request form and the description of activities planned.
- Ensure that the logs of activities from remote connections vs. planned activities have been formally reviewed and approved by the Critical System IT responsible.
Med.
Rely
Med.
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- Based on professional judgement, select the appropriate sample for the period under review. - For each selected month, obtain the reports on remote connections to critical systems, platforms, applications and databases. - Ensure that the reports contain details (and description of activities) related to all approved remote connection request forms. - Ensure that the reports have been formally reviewed and approved by the Security Officer and the CIO. - Obtain and inspect the security setup review for critical protected areas. - Ensure that critical password files, authorization tables, communications software, encryption keys and critical installation programs are stored in logically protected areas or otherwise protected from read-and-write access. - Ensure that the security setup documentation has been formally reviewed and approved by the Security Officer and the CIO and access to critical protected areas is granted to authorized users only.
Inspection
Med.
Reperformance
Inspection
High
Reperformance
For each critical system, platform, application and database, obtain the password complexity rules and ensure that password controls are in effect and consider minimum security rules (where technically feasible): - Minimum password length of 8 characters, - Password complex composition is enforced: password must be composed of alpha-numeric characters at least (characters and digits). Additional complexity can be implemented (e.g. not words in dictionary, use of symbols), - Passwords are forced to be changed every 90 days at least (passwords of administrator accounts can have a one year validity), - Unsuccessful login attempts must be logged and reviewed. Complementary security practices can also be considered: - Initial log-on uses a one time password, - History of the last 6 passwords cannot be used for password renewal, - 5 unsuccessful log on attempts allowed before lockout (where business continuity is not impacted), - Idle session time out after 10 minutes. Ensure that the review of password controls has been performed within the last 7 months and has been formally approved by the Security Officer and the CIO.
Inspection
Med.
Reperformance
- Obtain and inspect the policy defining retention periods, backup and storage terms of information. - Ensure that it defines backup terms (frequency, media, etc.), storage terms (on-site, off-site, access, etc.) and retention periods for information from critical systems, platforms, applications and databases (both data and parameters/configurations), as well as any information considered as sensitive in the company's data/information classification. - Ensure that the retention periods, backup and storage terms have been formally reviewed and approved by the CIO and the Legal or Regulatory Responsible within the last 7 months. - Based on professional judgement, select the sample for the period under review. - For each of the selected months, obtain and inspect the backup journals covering all days of the month to determine whether they have been formally reviewed and approved by the CIO. - Obtain and inspect the restore journals for the last 7 months. - Determine whether restore tests occurred for information from all critical systems, platforms, applications and databases (both data and parameters/configurations), as well as for any information considered as sensitive in the company's data/information classification. - Ensure that the restore tests were successful. - Ensure that the backup restoration journal and the corresponding restoration results have been formally reviewed and approved by the Critical Systems IT Responsible(s) and the CIO. - Obtain and inspect the list of authorized individuals allowed to access the back-up media. - Determine whether access to backup media is commensurate with the function and/or profile of the authorized individuals. - Ensure that only formally authorized individuals can access the backup media (both on-site and off-site). - Ensure that the review of accesses to backups vs. the authorizations has been formally reviewed and approved by the CIO for the last quarter.
Inspection
Low
Rely
Inspection
High
Independent
Inspection
Med.
Reperformance
Inspection
Med.
Rely
- Based on professional judgment, select the sample for the period under review. - For each of the selected weeks, and for each critical system, platform, application, database and Firewall, obtain the logs of unauthorized activities. - For each unauthorized activity, ensure that it has been documented and reacted upon in an appropriate manner. - For each unauthorized activity, ensure that it has been formally reviewed and approved by the Critical Systems IT Responsible(s) and the Security Officer. - Based on professional judgement, select a 2 month sample for the period under review. - For each of the selected months, obtain and inspect the logs of unauthorized activities for network activity and for all critical platforms, systems, applications and databases. - Ensure that all unauthorized activities from the logs (including the actions taken) have been formally communicated to the CIO and GM. - Ensure that the monthly reports on unauthorized activities have been formally reviewed and approved by the CIO and the GM.
Inspection
High
Independent
Inspection
High
Independent
- Obtain and inspect the batch jobs schedules for each critical system, platform, application and database. - Based on professional judgement, select the sample for the period under review. - For each of the selected days, obtain and inspect the job scheduling checklists to ensure that batch jobs ran as per the job schedules for all critical systems, platforms, applications and databases. - Ensure that the batch jobs ran successfully to completion (or failure was explained and timely remediated). - Ensure that the job scheduling checklists and related results have been formally reviewed and approved by the Critical Systems IT Responsible(s).
25
10
Inspection
Med.
Rely
- Obtain the list of all critical systems, platforms, applications and databases. - For each critical system, platform, application and database, obtain and inspect the print copy of the catalogue and/or description of the testing environment. - Ensure that the testing environment is separated logically and/or physically from the production environment, that it allows adequate stress, unit and end-to-end testing, that it reflects as much as possible the live environment (data in kind and quantity), and that it is available for sufficient testing time. - Ensure that the print copy of the catalogue and/or description of the testing environment has been formally reviewed and approved by the CTO. - In case there is no separate testing environment for a critical system, platform, application or database, ensure that there are specific adequate procedures and guidelines in place for testing (including details of mitigating factors and measures in place to prevent negative impact of testing) and that they have been formally reviewed and approved by the CTO. - Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, determine whether users and relevant stakeholders were informed of the change implementation.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the Logical Access Management Policy (or Security Policy). - Determine whether the management of user accounts for joiners, job changes and job termination is part of the policy (for both employees and contractors, for local and remote access...). - Ensure that the Logical Access Management Policy (or Security Policy) has been formally reviewed and approved by the CTO within the last 7 months. - Obtain evidence that the Logical Access Management Policy (or Security Policy) has been formally communicated. - Obtain and inspect the backup policy to verify whether the backup terms are appropriate (all critical elements considered in scope and backup frequency requirements). - Based on professional judgement, select the sample for the period under review. - For each of the selected days, obtain and inspect the Backup journals to ensure that backups were run as per the backup policy (at least daily for data and weekly for configurations) for all critical systems, platforms, applications and databases. - Ensure that the backups ran successfully to completion (or failure was explained and timely remediated). - Ensure that the backup journals have been formally reviewed and approved by the Critical Systems Technical Responsible(s). - Obtain and inspect the Disaster Recovery Plan. - Ensure that the DRP addresses the critical systems, platforms, applications and databases as a minimum requirement. Ensure that the DRP has been formally reviewed and approved by the CTO and GM within the last 7 months. - Obtain and inspect the Disaster Recovery Plan. - Obtain and inspect the DRP test results (if a real disaster occurs and leads to the deployment of the plans, then this is considered as the sample item). - Verify that the DRP was tested within the last year. - Ensure that the DRP test results have been formally reviewed and approved by the CTO and GM. - Obtain and inspect the Incident and Problem Management Policy and Procedures.
- Ensure that it defines handling, analysis and resolution mechanisms of non-standard events (incidents), including escalation procedures, supplier involvement if appropriate and clear description of the process. - Ensure that the Incident and Problem Management Policy and Procedures have been formally reviewed and approved by the CTO within the last 7 months. - Obtain evidence that the Incident and Problem Management Policy and Procedures have been formally communicated. - Obtain and inspect the Events and Incidents Journals for the period under review. - Based on professional judgement, select a representative sample of significant technical events or incidents and failures for the period under review. - For each of the selected events, incidents and failures, ensure that they have been formally reviewed and approved immediately by the Critical Systems Technical Responsible(s). - For each of the selected events, incidents and failures, ensure that it has been communicated and resolved in a timely manner. - Based on professional judgement, select the sample for the period under review. - For each of the selected months, obtain and inspect the Events and Incidents Journals. - Ensure that all significant technical events or incidents and failures of the Events and Incidents Journals (including the resolution activities and status) have been formally communicated to the CTO and GM. - Ensure that the Events and Incidents Journals have been formally reviewed and approved by the CTO and the GM. - Obtain and inspect the operating procedures. - Ensure that all operation procedures have been documented, updated and formally reviewed and approved by the CTO within the last 7 months. - Obtain and inspect the operating procedures. - Ensure that the listing of all potential suspicious activities has been updated and formally reviewed and approved by the CTO and the Security Officer within the last 7 months.
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the selected change was formally authorized by Business Owners, Stakeholders and the relevant Critical System Technical Responsible before the change had been processed.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the selected change was subject to an impact analysis (in particular regarding controls that may be impaired). - Ensure that appropriate actions were taken to modify or redesign these controls (if necessary) to retain their integrity.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the selected change was subject to the formalization of a test plan, a roll-out plan and a roll-back plan. - Ensure that the test plan, roll-out plan and roll-back plan had been formally reviewed and approved prior to implementation of the change.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Reperformance
- Obtain the list of all interfaces between critical systems, platforms, applications and databases. - For each interface, obtain the last testing results. - Ensure the testing results are no more than 3 years old. - Ensure that the test results confirm that data transmissions are complete, accurate and valid. - Ensure that the interface test results have been formally reviewed and approved by the Critical Systems Technical Responsible. - Obtain the list of individual changes that occurred on existing interfaces during the period under review. - Based on professional judgement, select a representative sample of changes to interfaces for the period under review. - For each selected item, obtain the interface test results. - Ensure that the test results confirm that data transmissions are complete, accurate and valid. - Ensure that the interface test results have been formally reviewed and approved by the Critical Systems Technical Responsible. - Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form including the test plan approved. - Determine whether the test plan was followed for testing the change. - Determine whether the test results were formally documented, reviewed and approved by Business Owners, Stakeholders and Critical Systems Technical Responsible before the change had been implemented (live in the production environment).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
High
Independent
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the change results were reviewed by the Business Owner showing approval of the change implemented.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
High
Independent
- Obtain the list of all changes to critical systems, platforms, applications and databases. - Based on professional judgement, select a representative sample of changes for the period under review. - For selected changes, obtain and inspect the change requests and ensure that documentation impact assessment has been formalized. - If updated, ensure that documentation has been reviewed formally by the Business Owners and CIO.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain the list of all critical systems, platforms, applications and databases. - For each critical system, platform, application and database, obtain and inspect the list of available documentation and support service plan (including location) and ensure it is kept in the mentioned location. - Ensure that it has been formally reviewed and approved by the Business Owners and CTO.
Inspection
Low
Rely
- Obtain and inspect the list of emergency changes to systems, platforms, applications and databases (logs if any), especially emergency changes to critical ones. - Based on professional judgement, select a representative sample of emergency changes for the period under review. - For each selected item, obtain the corresponding emergency change form. - Determine whether the selected emergency change was formally reviewed and authorized by the CTO and the GM. - Obtain and inspect the list of joiners, job changes and job terminations, for employees, contractors, vendors and non-client personnel. - Based on professional judgement, select a representative sample of access request forms (provisioning and deprovisioning) for the period under review. - For each selected item, determine whether selected forms were adequately prepared, reviewed and approved by the Head of Department and the Human Resources Responsible. - Verify in the relevant systems, platforms, applications and databases that the access rights have been granted (in case of provisioning) or revoked (in case of deprovisioning) as per the details of the approved provisioning/deprovisioning form. - Obtain and inspect the access rights review performed. - Ensure that the scope of the access rights review is complete (i.e. at least all critical systems, platforms, applications and databases). - For each critical system, platform, application and database, ensure that the effective access rights (system capture) are in line with employee's position and responsibilities in the company (job description) and that these are still aligned with need-to-have and segregation of duties principles. - For each critical system, platform, application and database, ensure that all users have a unique user ID by which they can be identified (any exception to this rule must be well documented, rationalized and approved). 
- For each critical system, platform, application and database, identify temporary accounts, generic accounts, applicative accounts and ensure that they are legitimate and adequately supported by documentation and explanations. - Ensure that the access rights review has been reviewed and approved by each Critical Systems Technical Responsible and the Security Officer. - Obtain and inspect the list of usernames (and corresponding persons) with privileged/powerful access rights to systems, platforms, applications and databases. - Ensure that this list is in line with the access actually implemented in systems (system capture). - Ensure that such privileged/powerful access rights are part of the job description of the persons using these usernames. - Ensure that access to powerful operating system commands is limited to the appropriate technical users. - Ensure that the list of usernames with privileged/powerful access rights to systems, platforms, applications and databases has been formally reviewed and approved by the Security Officer and the CTO.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Med.
Reperformance
High
Independent
High
Independent
- Based on professional judgement, select the sample for the period under review. - For each selected month, obtain the reviewed list of vendor/contractor accounts and the related access rights (system capture). - Ensure that the scope of the list is complete (i.e. at least all critical systems, platforms, applications and databases). - Obtain the access request forms related to each vendor/contractor. - Verify whether each vendor/contractor access is limited in terms of access rights granted and time of activity defined in the access request form. - Verify whether each existing vendor/contractor account is legitimate vs. the provisioning and deprovisioning dates defined in the access request form. - Ensure that the list of vendor/contractor accounts and the related access rights has been formally reviewed and approved by the Human Resources Responsible, Security Officer and Critical Systems Technical Responsible(s). - Based on professional judgement, select the sample for the period under review. - For each selected month, obtain the list of user accounts with remote access capability granted to vendors, contractors and employees (system capture). - Ensure that the scope of the list is complete (i.e. at least all critical systems, platforms, applications and databases). - Obtain the remote connection request forms related to the vendors, contractors and employees who have remote connection capabilities. - Ensure that remote connection is appropriately limited in terms of time window of activity (e.g. no 24h/7d activation) in line with the need-to-have. - Ensure that only vendors, contractors and employees that currently need to access Tigo infrastructure remotely can actually connect remotely. - Ensure that the list of user accounts with remote access capability granted to vendors, contractors and employees has been formally reviewed and approved by the Human Resources Responsible, Security Officer and CTO.
- Obtain the logs of remote connections for each critical system, platform, application and database. - Based on professional judgement, select a representative sample of remote accesses to these for the period under review. - For each selected item, ensure that the activities were adequately supported by a remote connection request form and the description of activities planned. - Ensure that the logs of activities from remote connections vs. planned activities have been formally reviewed and approved by the Critical System Technical Responsible. - Ensure that the logs of connections/disconnections to the VPN platforms have been formally reviewed and approved by the Critical System IT Responsible. - Based on professional judgement, select the sample for the period under review. - For each selected month, obtain the reports on remote connections/disconnections to critical systems, platforms, applications and databases, and ensure that they have been formally reviewed and approved by the Security Officer and the CIO. - Ensure that the reports contain details (and description of activities) related to all approved remote connection request forms, and ensure they have been formally reviewed and approved by the Security Officer and the CTO. For each critical system, platform, application and database, obtain the password complexity rules and ensure that password controls are in effect and consider minimum security rules (where technically feasible): - Minimum password length of 8 characters, - Password complex composition is enforced: password must be composed of alpha-numeric characters at least (characters and digits). Additional complexity can be implemented (e.g. not words in dictionary, use of symbols), - Passwords are forced to be changed every 90 days at least (passwords of administrator accounts can have a one year validity), - Unsuccessful login attempts must be logged and reviewed.
Complementary security practices can also be considered: - Initial log-on uses a one time password, - History of the last 6 passwords cannot be used for password renewal, - 5 unsuccessful log on attempts allowed before lockout (where business continuity is not impacted), - Idle session time out after 10 minutes. Ensure that the review of password controls has been performed within the last 7 months and has been formally approved by the Security Officer and the CTO.
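Added example (not part of the original work programme): the password test step above, which appears in both the CIO and the CTO variants, can be reperformed mechanically by comparing each system's captured settings with the listed minimum rules and complementary practices. The field names, system names and sample values are constructed for illustration, and "one year validity" is taken as 365 days.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class PasswordPolicy:
    """Settings captured from one system (field names are hypothetical)."""
    system: str
    min_length: int
    requires_letters: bool
    requires_digits: bool
    max_age_days: Optional[int]          # None = passwords never expire
    admin_max_age_days: Optional[int]    # None = admin passwords never expire
    failed_logins_logged: bool
    one_time_initial_password: bool
    history_size: int                    # previous passwords that cannot be reused
    lockout_threshold: Optional[int]     # None = no lockout configured
    idle_timeout_minutes: Optional[int]  # None = sessions never time out
    last_review: date                    # date of the last approved review


def add_months(d: date, months: int) -> date:
    """Shift a date by whole months, clamping to the last day of the month."""
    year, month0 = divmod(d.year * 12 + (d.month - 1) + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def over_limit(value: Optional[int], limit: int) -> bool:
    """True when a 'lower is stricter' setting is absent or above the limit."""
    return value is None or value > limit


def assess(p: PasswordPolicy, as_of: date) -> dict:
    """Return failed minimum rules and unmet complementary practices."""
    failures, advisories = [], []

    # Minimum security rules from the test step.
    if p.min_length < 8:
        failures.append("min_length")
    if not (p.requires_letters and p.requires_digits):
        failures.append("composition")
    if over_limit(p.max_age_days, 90):
        failures.append("max_age")
    if over_limit(p.admin_max_age_days, 365):  # assumption: one year = 365 days
        failures.append("admin_max_age")
    if not p.failed_logins_logged:
        failures.append("failed_login_logging")
    # The review must have been performed within the last 7 months.
    if add_months(p.last_review, 7) < as_of:
        failures.append("review_overdue")

    # Complementary practices: reported, but not counted as failures.
    if not p.one_time_initial_password:
        advisories.append("one_time_initial_password")
    if p.history_size < 6:
        advisories.append("history")
    if over_limit(p.lockout_threshold, 5):
        advisories.append("lockout")
    if over_limit(p.idle_timeout_minutes, 10):
        advisories.append("idle_timeout")

    return {"system": p.system, "failures": failures, "advisories": advisories}


# Constructed sample captures; none of these values come from the document.
AS_OF = date(2024, 6, 30)
SAMPLE = [
    PasswordPolicy("billing-db", 8, True, True, 90, 365, True,
                   True, 6, 5, 10, date(2024, 1, 15)),
    PasswordPolicy("mediation", 6, True, False, None, None, True,
                   False, 0, None, 30, date(2023, 10, 31)),
    PasswordPolicy("switch-oss", 10, True, True, 60, 400, False,
                   True, 8, 3, 15, date(2023, 11, 30)),
]


def run_sample() -> list:
    """Assess every constructed capture as of AS_OF."""
    return [assess(p, AS_OF) for p in SAMPLE]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

A setting that a platform cannot enforce ("where technically feasible") still shows up as a failure here, so each such exception has to be documented alongside the result.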
Med.
Rely
Med.
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Independent
Inspection
Med.
Reperformance
Inspection
Med.
Reperformance
- Obtain and inspect the policy defining retention periods, backup and storage terms of information. - Ensure that it defines backup terms (frequency, media, etc.), storage terms (on-site, off-site, access, etc.) and retention periods for information from critical systems, platforms, applications and databases (both data and parameters/configurations), as well as any information considered as sensitive in the company's data/information classification. - Ensure that the retention periods, backup and storage terms have been formally reviewed and approved by the CTO and the Legal or Regulatory Responsible within the last 7 months. - Based on professional judgement, select the sample for the period under review. - For each of the selected months, obtain and inspect the backup journals covering all days of the month to determine whether they have been formally reviewed and approved by the CTO. - Obtain and inspect the restore journals for the last 7 months. - Determine whether restore tests occurred for information from all critical systems, platforms, applications and databases (both data and parameters/configurations), as well as for any information considered as sensitive in the company's data/information classification. - Ensure that the restore tests were successful. - Ensure that the backup restoration journal and the corresponding restoration results have been formally reviewed and approved by the Critical Systems Technical Responsible(s) and the CTO. - Obtain and inspect the list of authorized individuals allowed to access the back-up media. - Determine whether access to backup media is commensurate with the function and/or profile of the authorized individuals. - Ensure that only formally authorized individuals can access the backup media (both on-site and off-site). - Ensure that the review of accesses to backups vs. the authorizations has been formally reviewed and approved by the CTO for the last quarter.
- Based on professional judgment, select the sample for the period under review. - For each of the selected weeks, and for each critical system, platform, application and database, obtain the logs of unauthorized activities (including both successful and unsuccessful unauthorized attempts to connect to the network or to systems, platforms, applications and databases). - For each unauthorized activity, ensure that it has been documented and reacted upon in an appropriate manner. - For each unauthorized activity, ensure that it has been formally reviewed and approved by the Critical Systems Technical Responsible(s) and the Security Officer. - Based on professional judgement, select the sample for the period under review. - For each of the selected months, obtain and inspect the logs of unauthorized activities for network activity and for all critical platforms, systems, applications and databases. - Ensure that all unauthorized activities from the logs (including the actions taken) have been formally communicated to the CTO and GM. - Ensure that the monthly reports on unauthorized activities have been formally reviewed and approved by the CTO and the GM. - Obtain the list of new or revised interconnect agreements during the period under review. - For the sample selected, ensure they are signed by GM as per MIC Policy.
Inspection
Low
Rely
Inspection
High
Rely
Inspection
Med.
Reperformance
Inspection
Med.
Rely
Inspection
High
Reperformance
Inspection
High
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: Obtain and inspect the query used to generate alarms/exception report for the changes on all Switches and/or Interconnect billing system. b) Changes review: - Randomly select the appropriate sample of daily reports summarizing any provisioning changes to the settings of all Switches and/or interconnect billing system (i.e. destinations etc). - Ensure reports are reviewed and approved by the Billing Manager
25
10
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) EDRs rejection reports: - Based on a professional judgment, select the appropriate sample of daily rejection reports during the period under review. - For each report selected, ensure that the source of the rejection is identified (if possible) and the problem is resolved in order to prevent the event from happening in the future. - Ensure that rejected EDRs are recuperated if possible and obtain resolution evidence or confirmation of the resolution. - Ensure reports are reviewed by the Billing Staff. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. - Ensure all Switches are included in the reconciliation. - In case of filtration rules defined based on Trunk Groups on Mediation Device, ensure it is included in the design of the exception report. b) Trunk Group / Reference data Reconciliation: - Based on a professional judgment, select 2 months reconciliation from the period under review. - Obtain reconciliation report of Trunk groups and gateway transit /reference data set ups in the Interconnect Billing system with the respective set up and reference data in the Switching platform. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explained. - Ensure reconciliation reports are signed-off on time by the Billing Manager. - Based on a professional judgment, select the appropriate sample of months (including all invoices from the sample period) from the period under review. - For selected invoices, obtain and review the delivery notes to ensure all Interconnect invoices were sent out to partners. 
- Ensure that in case of delivery failure, corrective actions are taken and documented. - Ensure the check list consolidating the dispatch of all Interconnect invoices of the month is reviewed and signed-off on time by the CFO-2. - Based on a professional judgment, select the sample from the period under review. - Obtain reports containing rejected EDRs which could not be corrected. - Review adequate reasoning on rejected CDRs which could not be processed. - Ensure selected reports are reviewed and signed-off by Billing manager, Local Revenue Assurance Manager and CFO. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. - Obtain and review the SQL query used to perform the reconciliation. b) Mediation Output Vs Billing Input Vs Billing Output reconciliation reports: - Based on a professional judgment, select the appropriate sample of daily reports for reconciling Mediation output versus Interconnect Billing Input and Output. - Ensure that the reconciliation is done in terms of number of EDRs and in Minutes. - Ensure all discrepancies are investigated and explained. - Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible) - Ensure reconciliation reports are signed-off on daily basis by the Billing Manager. Note: In case of filtering at the interconnect Billing System Input, ensure that the number of rejected EDRs and corresponding Minutes is clearly described in the reconciliation documentation. - Based on a professional judgment, select the appropriate sample of months (including all invoices from the sample period) from the period under review. - For selected months, obtain and review the interconnect revenue invoice for all Interconnect partners. - Ensure the validation is done in terms of the monetary values, minutes and events.
- Ensure the invoices are reviewed against the MOU statement from Billing system. - Ensure that all discrepancies are investigated and explained (if any). - Ensure the check list consolidating all Interconnect invoices validation for the month is reviewed and signed-off on time by the CFO-1.
25
10
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5 10
Inspection
Med.
Reperformance
25
Reperformance
Low
Reperformance
Inspection
Med.
Rely
- Based on a professional judgment, select the appropriate sample of months (including all invoices from the sample period) from the period under review. - For selected months, obtain and review reconciliation of usage reports with other operators (with the registered traffic sent to them). - Ensure the reconciliation is performed in terms of EDRs number, Minutes and value. - Ensure that if the figures deviate from a preset tolerance limit (threshold defined based on a regulation or a formalized agreement), a detailed analysis is performed (exchange of EDRs may be necessary in this case). - Ensure identified deviations for all Interconnect Partners are analyzed and signed-off on time by the Billing Manager. - Based on a professional judgment, select the appropriate sample of months (including all invoices from the sample period) from the period under review. - Ensure that payable invoices are validated by the Interconnect Manager against the reconciliation of Usage Reports done in SC9. - Based on a professional judgment, select the appropriate sample of months (including all invoices from the sample period) from the period under review. - Obtain all Interconnect invoices or the checklist (with all supporting invoices) and ensure they are signed-off by the GM and Interconnect Manager. - Ensure they have been approved by the GM and Interconnect Manager before payment. - Based on a professional judgment, select the appropriate sample of months from the period under review. - For selected months obtain all Journal Vouchers related to Interconnect costs and revenues. - Trace back the relevant bookings with invoices received and dispatched. For accruals, check against the Billing system traffic report. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Ensure the CFO-1 has reviewed and validated journal entries before posting. 
- Based on a professional judgment, select the appropriate sample of months from the period under review. - For selected month, obtain signed reconciliation report of interconnect revenue & cost booked in the accounting system with the revenue/cost from the interconnect billing system & the invoices sent out/received. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explained - Ensure the reconciliation report is signed on time by the CFO
Inspection
High
Independent
Inspection
High
Independent
Inspection
Low
Reperformance
Reperformance
Low
Reperformance
Reperformance
Low
Rely
- Randomly select the appropriate sample of months from the period under review. - For selected months, obtain and inspect the netting validation report containing all Interconnect Partners. - Ensure the netting report is signed on time by the CFO-1. - Obtain the list of new or revised roaming agreements during the period under review. - For the sample selected, ensure they are signed by GM as per MIC Policy
Inspection
Med.
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this functionality b) Changes review: - Obtain the system log from Switch and Billing System (Service Ticketing System in case of TAP OUT generation done by Mach) in order to select the daily samples when changes occurred during the period under review - Ensure reports are reviewed and approved by the Category Manager. - In case of changes identified through the sample selected, ensure that adequate supporting documentation and approval is attached as part of the review. - Assess that for all opened items, corrective action is taken. - Select randomly the daily outbound roaming high usage reports. - Obtain the selected daily reports (including FDR and ER if NRTRDE is implemented). - Ensure each HUR, FDR and ER report is reviewed and that the analysis and actions taken are formalized. - Ensure that outbound roaming HUR are reviewed on time by both Credit & Collection Manager -1 and Billing Manager -1 - Ensure adequate documentation/formalization is done for the review.
25
10
Reperformance
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this functionality - Review the script to validate the criteria set as per Business requirements b) IMSI validation review: - Based on a professional judgement, select the daily samples during the period under review. - Ensure that the reconciliation is performed, reviewed and signed-off by the Billing Manager -1 and that all differences are investigated and documented. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this functionality b) Reports review: - Randomly select the daily logs on the successful / failed TAP IN file uploads and conversions during the period under review. - Ensure TAP IN files were successfully uploaded. In case of failure, ensure it is investigated, corrected and uploaded successfully. - Review the adequacy of documentation for ensuring all TAP IN files are uploaded. - Ensure that the reports are reviewed and signed-off on time by the Billing Manager-1
25
10
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) EDRs rejection reports: - Based on a professional judgement, select the daily reports during the period under review. - For each report selected, ensure that the source of the rejection is identified (if possible) and the problem is resolved in order to prevent the event from happening in the future. - Ensure that rejected EDRs are recuperated if possible and obtain resolution evidence or confirmation of the resolution. - Ensure the reports are reviewed and signed-off on time by the Billing Staff. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) EDRs rejection reports: - Based on a professional judgement, select the daily reports during the period under review. - For each report selected, ensure that the source of the rejection is identified (if possible) and that the problem is (being) resolved in order to prevent the event from happening in the future. - Ensure that rejected EDRs (during MBF files generation), are recuperated if possible and obtain resolution evidence or confirmation of the resolution. - Ensure that rejected EDRs (during TAP files generation, either internal or external), are recuperated if possible and obtain resolution evidence or confirmation of the resolution. - Ensure that the reports are reviewed and signed-off on time by the Billing Staff. a) HUR/NRTRDE not implemented: - Select randomly the daily inbound roaming high usage reports. - Ensure that each day, reports containing High Usage are reviewed by the Billing Manager and sent on time to the Clearing House / Roaming Partners. - Ensure that a threshold for HUR is defined, agreed and properly set in the system. b) NRTRDE compliant: - Select randomly the daily inbound roaming high usage reports. 
- Ensure that NRTRDE files are stored on MACH server every 4 hours, meaning each EDR should be rated, converted and stored on MACH server. - Ensure that summary reports on NRTRDE files containing High Usage are reviewed and signed-off on time by the Billing Manager once per day. - Ensure that a threshold for NRTRDE is defined, agreed and set in the system. - Obtain the list of new or updated roaming tariffs. - For the sample selected, ensure they were sent to Mach at least 4 weeks before the agreed start date of application. Ensure processing confirmation from Mach has been received.
25
10
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this functionality b) Reconciliation reports: - Based on a professional judgement, select the appropriate sample of months in the period under review. - For selected months, check relevant base documents to review the reconciliation (roaming partners and related IMSI ranges defined). - Obtain and review the reconciliation and ensure identified discrepancies have been closed. - Obtain the adequate documentation related to their closure. - Ensure the reconciliation has been signed off by the Billing Manager a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this functionality b) Reconciliation reports: - Based on a professional judgement, select the appropriate sample of months in the period under review. - For selected months, check relevant base documents to review the reconciliation (roaming partners and related IMSI ranges defined). - Obtain and review the reconciliation and ensure identified discrepancies have been closed. - Obtain the adequate documentation related to their closure. - Ensure the reconciliation has been signed off by the Billing Manager a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this functionality b) Duplicate EDRs review: - Based on a professional judgement, select the daily samples during the period under review. - For selected days, obtain reports related to duplicate check on Outbound Roaming EDRs and ensure they are corrected, reviewed and signed-off by Billing staff. 
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this functionality b) Validation of TAP IN sequence: - Based on a professional judgement, select the daily samples during the period under review. - For selected days, obtain validation reports and ensure all missing /sequence gaps are investigated and explained - Ensure all reports are signed-off by the Billing Manager -1. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this functionality b) Rates reconciliation review: - Obtain the rates agreed and approved by management. (refer to agreements for tariffs/tariffs change request) - Ensure the scripts used to validate the rating process are using the correct rates. - Based on a professional judgement, select the daily samples during the period under review. - Obtain reports for selected days and ensure all differences are investigated and explained - Ensure all reports are signed-off by the Billing Manager -1. - Select randomly the months during the period under review. - Ensure that the validation of the SDR rate has been done on time based on an official source of information document attached (e.g. FMI ) - Ensure that the rate is correctly setup in Roaming Billing system (if any) or in MACH COM portal through print screen evidence. - Ensure that the currency conversion validation has been signed-off by the CFO-1. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this functionality - Ensure both postpaid and prepaid records are included in the reconciliation in case of prepaid roaming. a) Outbound Roaming reconciliation review: - Select the sample during the period under review. 
- For selected items, obtain reconciliation reports done between the billing records contained in TAP IN records with the roaming records uploaded in the postpaid billing system and EDRs on prepaid system. Ensure that if Prepaid Roaming is offered for Out roamers, the reconciliation of TAP IN EDRs is reconciled with prepaid EDRs. - Ensure that all identified differences are investigated and explained. - Ensure the reports are reviewed and signed-off on time by the Billing Manager
Reperformance
Med.
Reperformance
Reperformance
Med.
Reperformance
25
10
Inspection
Low
Rely
25
10
Inspection
Low
Rely
25
10
Inspection
Med.
Rely
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Reperformance
- Select randomly the months during the period under review. - Obtain the reports containing the rejected EDRs which could not be corrected. - Ensure that the selected reports have been reviewed and signed-off by Billing manager, Local Revenue Assurance Manager and CFO. - Review adequate reasoning on rejected CDRs which could not be processed. - Select randomly the months during the period under review. - Obtain the reports containing the rejected EDRs which could not be corrected. - Ensure that the selected reports have been reviewed and signed-off by Billing manager, Local Revenue Assurance Manager and CFO. - Review adequate reasoning on rejected CDRs which could not be processed. a) Review functional/ Technical documentation: - Obtain and inspect the query used to check the sequential numbering of TAP OUT files. - In case of alarm report, obtain and review settings of the alarm. b) TAP OUT files sequence numbering review: - Select randomly the daily reports related to the check on TAP OUT files sequence numbering. - Ensure all sequence gaps in TAP OUT files are investigated and explained. - Ensure daily reports are signed off by a Billing Manager-1. - Based on a professional judgement, select the daily reports. - Obtain the approved rate list from the roaming team. (refer to agreements/tariffs change request) - Review the reconciliation of rates applied in all the TAP OUT files sent on that day vs. the agreed rates. - Ensure that all exceptions have been investigated and resolved. - Ensure that the reconciliation of rates has been formalized and signed-off by the Billing Manager-1. - Based on a professional judgement, select the daily reports. - Review the Mach IOT check report (Detail report). - Ensure that all exceptions have been investigated and resolved. - Ensure that the report has been signed-off by the Billing Manager-1. a) Review of documentation: - Obtain and review the SQL query used to perform the reconciliation. 
- Obtain functional/technical requirements related to an automated reconciliation b) Reconciliation reports: - Based on a professional judgement, select the daily reports reconciling Mediation output versus Roaming Billing Input and Output. - Ensure that the reconciliation is done in terms of number of EDRs, in Minutes and bytes. - Ensure all discrepancies are investigated and explained. - Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible) - Ensure reconciliation reports are signed-off on daily basis by the Billing Manager. Note: In case of filtering at the Roaming Billing System Input, ensure that the number of rejected EDRs and corresponding Minutes is clearly described in the reconciliation documentation.
Inspection
Low
Reperformance
Inspection
Low
Reperformance
25
10
Inspection
Low
Rely
25
10
Reperformance
Med.
Rely
25
10
Reperformance
Med.
Rely
25
10
Reperformance
Low
Reperformance
a) Review of documentation: - Obtain and review the SQL query used to perform the reconciliation. - Obtain functional/technical requirements related to an automated reconciliation b) Reconciliation reports: - Based on a professional judgement, select the daily reports reconciling Mediation output versus created Mach TAP Out - Ensure that the reconciliation is done in number of EDRs, in Minutes and bytes between figures extracted at the mediation output vs. Mach Tap creation report for Revenue Assurance - Ensure that all discrepancies have been investigated and explained. - Ensure that the reconciliation reports have been signed-off by the Billing Manager. - Select randomly the days during the period under review. - For selected days, obtain the checklist on TAP OUT files received by the Clearing House. - Ensure that reasons of missing TAP OUT file were investigated and were finally received by the Clearing House. - Ensure that all TAP OUT files were sent on time. - Ensure that checklists were reviewed and signed-off on time by the Billing Manager -1. a) Review of documentation: - Obtain and review the SQL query used to perform the reconciliation. - Obtain functional/technical requirements related to an automated reconciliation b) Reconciliation reports: - Select randomly 2 monthly reports reconciling summary report sent by the Clearing House against the MIC subsidiary's own Tap IN & Tap OUT details. - Ensure that all discrepancies are investigated and explained. - Ensure that reconciliation reports are signed-off on time by the CFO-1. - Based on a professional judgement, select the sample during the period under review. - For the selected months obtain all Journal Vouchers related to Roaming costs and revenues. - Trace back the relevant bookings with invoices received and dispatched. For accruals, check against the Billing system traffic report. - Ensure that the CFO-1 reviewed and validated the journal entries before posting.
25
10
Reperformance
Low
Reperformance
25
10
Inspection
Low
Rely
Inspection
Med.
Rely
Reperformance
Low
Reperformance
- Based on a professional judgement, select the sample during the period under review. - For the selected months, obtain the signed reconciliation report of Roaming revenue & cost booked in the accounting system with MACH reports - Reperform the reconciliation (by tracing data reconciled to supporting documents) - Obtain documentation related to reconciliation differences identified and assess relevancy of the explanations and investigations - Ensure that the reconciliation reports were signed on time by the CFO. - Select the quarterly reconciliation report. - Obtain the list of all active roaming agreements. - Ensure that about 25% of the roaming partners were considered for the reconciliation. - Ensure that the tariffs setup for rating the TAP OUT files are in line with the tariffs agreed in each AA14 for the corresponding roaming agreements. - Ensure that the validation has been reviewed and signed-off by the Billing Manager-1. - Verify whether all the active roaming agreements had been considered in such a reconciliation during the last year. a) Review functional/ Technical documentation: - Obtain and inspect the query used to obtain the list of new postpaid subscribers b) Credit check review: - Obtain the list of all new postpaid subscribers from the period under review - Based on a professional judgment, select an appropriate sample amongst the list of new postpaid subscribers - Ensure new accepted subscribers comply with the commercial policy and adequate documentation is done as per commercial policy for credit check. - For the sample selected obtain credit check form signed-off by the Credit and Collection Manager -1
Reperformance
Med.
Reperformance
Med.
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of the acceptance of new postpaid subscribers who do not comply with the Credit Policy during the period under review. - For the sample selected, obtain the credit assessment and exception subscriber acceptance forms signed-off by the Credit and Collection Manager.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of the discounts granted to postpaid subscribers during the period under review. - For the sample selected, obtain the exceptional discount acceptance form signed-off by the Credit and Collection Manager with adequate reasoning for doing so.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Credit Limit review: - Based on a professional judgement, select the daily samples during the period under review. - For selected dates, obtain the report related to credit limit reports. - Ensure all exceptions to the Commercial Policy are explained. - Ensure they are reviewed and signed-off by the Credit and Collection Manager. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Credit Limit review: - Based on a professional judgement, select the daily samples during the period under review and obtain local definition of critical data for subscribers. - For selected dates, obtain the report related to changes to critical subscriber data (both in the Switch and Postpaid Billing systems) - Ensure that each provisioned change is matched with an approved change. All exceptions must be explained. - Ensure reports are reviewed and signed-off by the Consumer Manager.
25
10
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Changes review: - Based on a professional judgement, select the daily reports summarizing any changes or addition of tariff of Postpaid Billing system - Whenever changes are identified, check adequate supporting documentation (e.g. tariff change request) is available. - Ensure reports are reviewed and approved on a daily basis by the Category Manager. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) EDRs corruption reports: - Obtain the formal procedure/task description of reviewing and resolving rejected EDRs - Based on a professional judgment, select the daily reports during the period under review. - For each report selected, ensure that the source of the corruption is identified (if possible) and the problem is resolved in order to prevent the event from happening in the future. - Ensure that corrupted EDRs are recuperated if possible and obtain resolution evidence or confirmation of the resolution. - Ensure reports are reviewed by the Billing Staff. - Based on a professional judgment, select the daily samples during the period under review. - For each report selected, obtain the filter EDRs reports and ensure they are properly approved by the Billing Manager -1. - Ensure an appropriate reason is given for filtered-out EDRs. - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain reports containing corrupted EDRs which could not be corrected. - Review adequate reasoning on corrupted CDRs which could not be processed. - Ensure selected reports are reviewed and signed-off by Billing manager and CFO.
25
10
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on a professional judgment, select the sample from the period under review. - For selected months, obtain the Business Rule validation for filtering non-billable traffic - Obtain filtering rules done at the mediation and Billing system level - Ensure Business Rule validated by the management is reflecting implemented rules in systems. - Ensure Business Rules are validated and signed-off by the GM and Billing manager. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report during the period under review. - In case of alarm report, obtain parameters of alarm set up and ensure that if the time gaps are too big (> threshold, e.g. no calls for more than half hour) the control sends out a critical alarm continuously. b) Time Gap analysis report: - Based on a professional judgment, select the sample of daily reports for time gap analysis during the period under review. - For selected items, obtain the exception / alarm reports or daily report. - Ensure reports are reviewed and signed-off by Billing staff. - Based on a professional judgement, select the sample during the period under review. - Review the guidelines for testing and ensure they are documented and approved. All tested calls are done based on the guideline. - For selected months, obtain the test call matrix related to the postpaid traffic. - Ensure that scenarios tested represent at least 90% of all transactions scenarios (including on-net traffic, off-net traffic, international, peak, off-peak, off-off-peak for all kind of postpaid subscription) - Ensure root cause analysis is performed and documented for any exception identified. - Ensure test reports have been signed off by the Billing Manager -1 on a monthly basis and whenever a change occurred.
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) EDRs rejection reports: - Based on a professional judgment, select the sample of daily rejection reports during the period under review. - For each report selected, ensure that the source of the rejection is identified (if possible) and the problem is resolved in order to prevent the event from happening in the future. - Ensure that rejected EDRs are recuperated if possible and obtain resolution evidence or confirmation of the resolution. - Ensure reports are reviewed by the Billing Staff.
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. - Ensure this report/alarm includes Postpaid and Prepaid traffic and is setup based on a threshold defined as per the High Usage Policy. b) High Usage reports: - Obtain and review the High Usage Policy. - Select the sample of daily high usage reports from the period under review. - Ensure each report is reviewed by the Credit and Collection Manager -1 and actions taken are written down - Ensure adequate documentation/formalization is done for the review. - Select the sample during the period under review - For selected items, check the outstanding amount and the aging movement of the test SIM. - Choose 10 Items/Test SIM and check if proper authorization is given for the test SIM. Check if any follow up/corrective action is taken - Obtain the formal procedure that describes how the pre and post bill runs are performed. - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain the sample of test reports - Ensure they have been approved by the Billing Manager. - Verify they contain relevant explanations for discrepancies. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Discount Reports review: - Based on a professional judgement, select the daily samples during the period under review. - For selected dates, obtain the discount reports. - Ensure all discounts granted which are not part of a discount plan are justified. - Ensure reports are reviewed and signed-off by the Consumer Manager. - Based on a professional judgement, select the sample during the period under review. - For selected months, obtain the report of future movement schedule related to Postpaid revenue (e.g. connection fees).
- Ensure that revenues from the connection fees are deferred and recognized ratably on a straight-line basis over the estimated life of the customer relationship, based on MIC Policy (Policy N 2.1 & 2.2) - Ensure that the reconciliation between the future movement schedule and the corresponding accounting entries is reviewed and signed-off by the CFO-1. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) EDRs sequence numbering review: - Based on a professional judgement, select the reports related to the check on EDR sequence numbering in the Switch platform including nodes like SMSC, MMSC ... during the period under review. - For selected items, obtain signed-off exception report or daily report on missing sequence numbers. - Ensure that issues and actions taken have been documented and signed-off by the Billing Manager.
25
10
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
25
10
Inspection
Low
Reperformance
Inspection
Low
Rely
25
10
Inspection
Med.
Independent
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Duplicate usage review: - Based on a professional judgement, select and obtain the sample of duplicated EDRs reports or alarms generated by the system - Ensure that exceptions are documented (obtain and trace to supporting documentation) - Ensure the reports are reviewed by the Billing staff. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. - Obtain and review the SQL query used to perform the reconciliation. b) Mediation Input Vs Output reconciliation reports: - Based on a professional judgment, select the sample of daily reports for reconciling Mediation input versus output during the period under review. - Ensure that the reconciliation is done in terms of number of EDRs, Minutes and bytes. - Ensure all discrepancies are investigated and explained. - Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible) - Ensure reconciliation reports are signed-off on daily basis by the Billing Manager. - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain reports containing rejected EDRs which could not be corrected. - Review adequate reasoning on rejected CDRs which could not be processed. - Ensure selected reports are reviewed and signed-off by Billing manager, Local Revenue Assurance Manager and CFO. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Revenue movements reports: - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review.
- For selected items, ensure all pending subscription fees are included in the settlement invoice. - Ensure each report is reviewed and signed-off by the Billing Manager a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Reconciliation reports: - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain the reconciliation between subscriber data against the subscribers covered by the bill runs - Ensure it contains relevant explanation for observed discrepancies and actions were taken accordingly if it was applicable. - Verify it has been reviewed by the Billing Manager. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Fixed bills validation report: - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain the signed reconciliation invoices generated for fixed bill customer and the fixed reload on their account in the Prepaid platform. - Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible) - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure the reconciliation is reviewed and signed-off by the Billing Manager. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. - Obtain and review the SQL query used to perform the reconciliation.
b) Mediation Output Vs Billing Input Vs Billing Output reconciliation reports: - Based on a professional judgment, select the sample of daily reports for reconciling Mediation output versus Postpaid Billing Input and Output. - Ensure that the reconciliation is done in terms of number of EDRs, Minutes and bytes. - Ensure all discrepancies are investigated and explained. - Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible) - Ensure reconciliation reports are signed-off on daily basis by the Billing Manager. Note: In case of filtering at the interconnect Billing System Input, ensure that the number of rejected EDRs and corresponding Minutes is clearly described in the reconciliation documentation. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Reconciliation between invoices generated Vs invoices printed Vs sent out: - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain and review the reconciliation reports between invoices generated Vs invoices sent out. - Ensure that in case of delivery failure, corrective actions are taken and documented. - Ensure the reconciliation report is reviewed and signed-off by the Billing Manager. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Overdue subscriber status report: - Obtain and review the barring / dunning policy. - Based on a professional judgment, select the sample from the period under review. - For selected dates, obtain reports grouping all overdue customers. - Check if their status has been compared with the theoretical status they should have as per the barring / dunning policy.
- Check that report and analysis have been signed off by Credit and Collection Manager. - In case of no follow up done for high outstanding customers, check adequate documentation is performed with reasoning. - Obtain MIC policy section on non billed subscribers - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain formal report of non-revenue generating traffic - Ensure it is compliant with MIC policy - Ensure it is reviewed and signed-off by Billing Manager and CFO-1
25
10
Inspection
Low
Reperformance
25
10
Reperformance
Med.
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Med.
Rely
25
10
Reperformance
Med.
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
Inspection
Med.
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain all Journal Vouchers related to Postpaid costs and revenues. - Trace back the relevant bookings revenue reports extracted from the Postpaid Billing system. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Ensure the CFO-1 has reviewed and validated journal entries before posting.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Low
Reperformance
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain signed reconciliation report of Postpaid revenue & cost booked in the accounting system with the revenue/cost from the Postpaid billing system & the invoices sent out/received. - Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible) - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure the reconciliation report is signed on time by the CFO a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. - Obtain and review the SQL query used to perform the reconciliation. b) Switch Output Vs Mediation Input reconciliation reports: - Based on a professional judgment, select the sample of daily reports for reconciling Switch output versus Mediation Input during the period under review. - Ensure that the reconciliation is done in terms of number of EDRs, Minutes and bytes. - Ensure all discrepancies are investigated and explained. - Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible) - Ensure reconciliation reports are signed-off on daily basis by the CTO-1. - Obtain the list of new and changed tariffs that occurred during the period under review. - On the sample selected, ensure a feasibility and profitability analysis has been performed by the Go-To-Market department. - Ensure the feasibility and profitability analysis has been reviewed and signed-off by Category Manager before the tariff implementation.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Med.
Independent
25
10
Reperformance
Med.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Reperformance Walkthrough
- Obtain the list of new and changed tariffs that occurred during the period under review. - On the sample selected during the period under review, ensure a formal approval was obtained for each new/changed tariff and that it is signed-off
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain and review the SQL query (or report technical documentation) used to extract manual changes to subscriber balance. - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Review approval for adjustments: - Obtain the list of all balance changes done manually on the Prepaid Billing system during the period under review. - On the sample selected, obtain the related approval of balance changes done by Customer Support. The approval depends on the threshold amount and has to be in line with the MIC policy No.B4.3.2. - Ensure the approval is obtained and signed-off before the change of the balance in the Prepaid Billing system.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Exception report on prepaid traffic: - Based on a professional judgement, select the sample from the period under review. - For selected months, obtain exception report related to traffic which cannot be rated, and for which default rating was not successfully applied - Ensure it has been reviewed by Billing Manager on a monthly basis - Ensure adequate corrective actions are taken - Based on a professional judgement, select the appropriate sample of months during the period under review. - Review the guidelines for testing and ensure they are documented and approved. All tested transactions are done based on the guideline. - For selected months, obtain the test transactions matrix related to the prepaid traffic and other transactions. - Ensure that scenarios tested represent at least 90% of all transactions (including e-pin, on-net traffic, off-net traffic, international, peak, off-peak, off-off-peak for all kinds of prepaid subscription) - Ensure root cause analysis is performed and documented for any exception identified. - Ensure test reports have been signed off by the Billing Manager -1 on a monthly basis and whenever a change occurred.
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Forfeiture review: - Based on a professional judgement, select the appropriate sample of months during the period under review. - For selected months, obtain the report for de-activation / expiry of scratch card/e-pins - Ensure reports are the same as per the approved validity. - Ensure monthly reports are signed off by a Billing Manager.
Inspection
non-key
Walkthrough
- Obtain the list of all scratch card generation that occurred during the period under review from the Prepaid system. - For the sample selected, obtain the document supporting new PINs generation and ensure they are signed-off by the Category Manager before their generation.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of all scratch card generation that occurred during the period under review. - For the sample selected, obtain the approval request signed-off by the Warehouse Manager for each selected activation in the Prepaid Billing system. - Ensure the approval is obtained prior to scratch card activation.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the Commercial Policy during the period under review. - Ensure that it contains rules for accepting a dealer and acceptable commissions granted to dealers. - Ensure that the Commercial Policy is reviewed and formally approved. - Ensure that the Commercial Policy is up-to-date (updated after any change) and has been reviewed within the last 7 months.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of new dealers from the e-pin platform created during the period under review. - For the sample selected, obtain the credit assessment application form with a Yes/No indication on whether the dealer complies with the commercial policy or not (refer to P18 IC26) - Ensure the credit assessment form is reviewed and signed-off by the Credit and Collection Manager.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of the acceptance of new dealers who do not comply with the Commercial Policy during the period under review. - For the sample selected, obtain the credit assessment exception form signed-off by the GM & CFO
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Commission parameter changes review: - Based on a professional judgement, select and obtain the appropriate sample of reports with all commission parameter changes during the period under review. - Ensure that reports are reviewed and signed-off by the Category Manager. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Commission parameter changes review: - Obtain the list of all manual credit uploads to the dealer balances during the period under review. - For the sample selected, obtain E-Pin request form signed-off by the Financial Responsible (CFO-1) or Consumer Manager - Ensure that commissions granted are in line with the Commercial Policy. - Ensure e-pin credit uploads are reconciled with the proof of the actual payment (e.g. bank statement, cash receipt, etc). - Observe whether the SMSC and prepaid platform (and if relevant the ePIN platform) verify the identity of the requestor, validity of the request and balance of the requestor before processing the request for a balance transfer. - Request system documentation or to ensure that the deduction of the e-Pin accounts happens prior to the additions to subscriber accounts.
25
10
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain and inspect the query used to perform the reconciliation. - Obtain functional/technical requirements related to an automated reconciliation b) Reconciliation reports: - Based on a professional judgement, select the appropriate sample of daily reconciliation reports in the period under review. - For selected reports, obtain the signed reconciliation report to ensure that the MSISDNs count, status and subscriber profiles in the Switch customer DB (HLR) and Billing system and Prepaid are reconciled on a daily basis. The subscriber profiles include all services (e.g. Ring Back Tone, Roaming, SMS, MMS, GPRS, Voice Mail ...) and the type of subscription (i.e. prepaid or postpaid) - Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible). - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure reports are reviewed and approved on a daily basis by the Billing Manager. - Obtain the list of new and changed tariffs that occurred during the period under review. - On the sample selected, ensure an accounting impact analysis has been performed by Finance department as per current Pricing change approval policy and related templates. - Ensure the accounting impact analysis has been reviewed and signed-off by the CFO before the tariff implementation.
25
10
Reperformance
Low
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
High
Independent
a) Review functional/ Technical documentation: - Obtain and inspect the query used to generate changes or addition of tariff reports. In case of alarm report, obtain and review settings of the alarm. Make sure it does include tariff changes related to interconnect, roaming, postpaid, prepaid and wireless. - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Changes review: - Based on a professional judgement, select the appropriate sample of daily reports summarizing any changes or addition of tariffs - Cross check changes with the tariff change request forms. - Ensure reports are reviewed and approved on a daily basis by the Category Manager a) Review functional/ Technical documentation: - Obtain and review the SQL query used to perform the reconciliation. - Obtain functional/technical requirements related to an automated reconciliation b) EDR Reconciliation reports: - Based on a professional judgement, select the appropriate sample of daily reconciliation reports for EDRs generated by the prepaid platform and the ones generated by the Switch - Ensure all types of events are reconciled: voice, SMS, MMS, GPRS, content events, etc - Ensure that the reconciliation is done in terms of number of EDRs, Minutes and Bytes. - Ensure all discrepancies are investigated and explained. - Ensure reconciliation reports are signed-off on time by the Billing Manager.
25
10
Inspection
Med.
Rely
25
10
Inspection
High
Independent
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Review manual adjustments on Prepaid: - Based on a professional judgement, select the appropriate sample of daily reports during the period under review - For the sample selected, ensure all balance adjustments have been validated against corresponding approvals done by Customer Support. - Ensure that reports are signed on a daily basis by the Consumer Manager and CFO. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Review negative balance: - Based on a professional judgement, select the appropriate sample of weekly reports during the period under review - Ensure that these balances have been reviewed by the Billing Manager -1 on a weekly basis (This includes also the instances where customers would normally have a negative balance but received a 0 balance because the prepaid platform does not allow / cannot handle negative balances) - Ensure adequate explanations are provided on identified negative balances with the right supporting documentation. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Review free traffic, zero rated and default rated traffic: - Based on a professional judgement, select the appropriate sample of weekly reports during the period under review. - Obtain selected reports listing all free traffic, zero rated traffic and default rated traffic - Ensure all exceptions are investigated and adequate actions are taken. - Ensure it has been reviewed by Billing Manager
25
10
Inspection
Med.
Reperformance
Inspection
Med.
Rely
Inspection
Med.
Reperformance
- Based on a professional judgement, select the appropriate sample of months during the period under review. - For selected months, obtain the regular post hoc testing result report. - Obtain the approved tariff from the Go-To-Market Department - Ensure the re-rating is performed with correct tariff as per approved tariffs list. - Ensure the re-rating covers all types of traffic (all prepaid EDRs) for selected day - Ensure the report is signed-off on a monthly basis by the Billing Manager - Ensure adequate corrective actions are taken a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) CDRs sequence numbering review: - Based on a professional judgement, select the appropriate sample of reports related to the check on EDR sequence numbering in the Prepaid platform during the period under review. - For selected items, obtain signed-off exception report or daily report on missing sequence numbers. - Ensure that issues have been documented and signed-off by the Billing Manager.
Inspection
Low
Rely
25
10
Inspection
High
Independent
Reperformance
Med.
Rely
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Expired revenue reconciliation: - Based on a professional judgement, select the appropriate sample of months during the period under review. - For selected months, obtain the non usage accounts and expired balance report from the Prepaid system. - For selected months, obtain the expired scratch cards and vouchers. - Review the forfeiture and corresponding subscriber's balances have been removed. - Ensure the reconciliation is reviewed and signed-off by the CFO and differences have relevant explanations 5 a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) IN integrity review: - Based on a professional judgement, select the appropriate sample of weeks during the period under review. - For selected weeks, obtain the reconciliation between prepaid usage and the delta of the opening and closing balance of accounts - Reperform the reconciliation with figures extracted based on the following model: the opening balance - usage (voice and data) + top-ups + promotional credits +/- subscriber balance adjustments - expired subscriber credit = closing balance. - Ensure any discrepancies have been identified and explained. Verify the quality and relevancy of the explanation - Ensure the reconciliation report is reviewed and signed-off by the Billing Manager and Finance Responsible (CFO-1) - Based on a professional judgement, select the appropriate sample of months during the period under review. - For selected months obtain all Journal Vouchers related to Prepaid. - Trace back the relevant bookings value with details from SC17. - Ensure the CFO-1 reviewed and validated journal entries before posting. - Based on a professional judgment, select the appropriate sample of months during the period under review. 
- For selected month, obtain signed reconciliation report of prepaid revenue in the accounting system with the revenue from the prepaid billing system. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure the reconciliation report is signed on time by the CFO - Ensure the Tigo Lends You platform report is included in the deferred revenue reconciliation. 3 Reperformance High Independent
Reperformance
Low
Rely
Reperformance
Low
Reperformance
- Obtain and review security controls on the process documentation describing the PIN/HRN life cycle from the creation to their printing. - Obtain the documentation of access rights & actual access security settings in system(s) and database(s) to ensure that the scratch card PINs / HRNs are protected by means of appropriate access security controls and/or encryption continuously. - Check the function of the persons that have access, ensure it is relevant and identify any possible segregation of duties issues. - Ensure only authorized employees own the key used to decrypt the PIN code - Check that PIN/HRN policies and procedures have been reviewed on a bi-annual basis. - Obtain the related technical documentation
Inspection
Med.
Reperformance
Inspection
Med.
Reperformance
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Reconciliation: - Obtain the list of all scratch card generations that occurred during the period under review. - For the sample selected, obtain the report to ensure all scratch cards defined on the prepaid platform are received. - Ensure the reconciliation is performed against the approved PIN/HRN requests (IC20) - Ensure that the Warehouse Manager performs this control, whilst the Financial Responsible (CFO-1) has to review and approve this reconciliation. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Duplicate usage review: - Based on a professional judgement, select and obtain the appropriate sample of duplicated scratch card reports or alarms generated by the system - Ensure that exceptions are documented (obtain and trace to supporting documentation) - Ensure review by Billing Manager a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Commission parameter changes review: - Based on a professional judgement, select and obtain the appropriate sample of reports on e-pin credit given to the dealers in the e-pin platform - Ensure they are reconciled against money receipt in Billing System (Cash Management) - Ensure that any differences are explained. - Ensure that reconciliation reports are signed-off on a daily basis by the CFO-1. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) E-Pin integrity review: - Based on a professional judgement, select the appropriate sample of days during the period under review. 
- For selected days obtain the reconciliation of all e-Pin account balances - Reperform the reconciliation with figures extracted based on the following model: Opening Balance minus transfer out plus transfer in plus/minus adjustments (if any) equals the closing balance. - Ensure any discrepancies have been identified and explained. Verify the quality and relevancy of the explanation - Ensure the reconciliation report is reviewed and signed-off by the Billing Manager and Finance Responsible (CFO-1)
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
25
10
Inspection
Med.
Reperformance
25
10
Inspection
High
Reperformance
25
10
Reperformance
High
Independent
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) E-Pin output is reconciled with Prepaid Platform Input: - Based on a professional judgement, select the appropriate sample of days during the period under review. - For selected days obtain the reconciliation between e-Pin output with Prepaid Platform Input. - Ensure the reconciliation is done at the account level. - Ensure any discrepancies have been identified and explained. Verify the quality and relevancy of the explanation. - Ensure the reconciliation report is reviewed and signed-off by the Billing Manager.
25
10
Inspection
Med.
Independent
a) Review functional/ Technical documentation: - Obtain and inspect the query used to obtain the list of new postpaid subscribers b) Credit check review: - Obtain the list of all new Postpaid Wireless subscribers from the period under review - Based on a professional judgment, select an appropriate sample amongst the list of new postpaid subscribers - Ensure new accepted subscribers comply with the commercial policy and adequate documentation is done as per commercial policy for credit check. - For the sample selected obtain credit check form signed-off by the Credit and Collection Manager -1
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of the acceptance of new Postpaid Wireless subscribers who do not comply with the Credit Policy during the period under review. - For the sample selected, obtain the credit assessment and exception subscriber acceptance forms signed-off by the Credit and Collection Manager.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the list of the discounts granted to Wireless Postpaid subscribers during the period under review. - For the sample selected, obtain the exceptional discount acceptance form signed-off by the Credit and Collection Manager with adequate reasoning for doing so.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Discount Reports review: - Based on a professional judgement, select the daily samples during the period under review. - For selected dates, obtain the discount reports. - Ensure all discounts granted which are not part of a discount plan are justified. - Ensure reports are reviewed and signed-off by the Consumer Manager. - Obtain the list of all new Wireless subscribers during the period under review. - Based on a professional judgment, select an appropriate sample amongst the list. - For selected items, obtain charging report for subscribers and ensure it is signed-off by the Billing team.
25
10
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Credit Limit review: - Based on a professional judgement, select the daily reports in the period under review. - For selected reports, obtain the report related to changes to critical subscriber data (both in the Switch and Postpaid Billing systems) - Ensure that each provisioned change is matched with an approved change. All exceptions must be explained. - Ensure reports are reviewed and signed-off by the Consumer Manager
25
10
Inspection
non-key
Walkthrough
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, ensure that additional material taken by customers is charged.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the formal procedure that describes how the pre and post bill run are performed. - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, ensure it has been approved by the Billing Manager. - Verify it contains relevant explanation for discrepancies.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Reconciliation reports: - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain the reconciliation between subscriber data against the subscribers covered by the bill runs. - Ensure it contains relevant explanation for observed discrepancies. - Verify it has been reviewed basis by the Billing Manager. - Obtain the list of CPE moved out of the warehouse during the period under review - Based on a professional judgment, select an appropriate sample amongst the list of out movements - Obtain the copy of installation order done by the Warehouse Manager (or the original one) for each selected movement - Ensure that each order was amended with the provided CPE and signed off by the Warehouse Manager
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on a professional judgment, select the sample from the period under review. - For selected dates, obtain signed reconciliation report of disconnection instructions and received CPEs in warehouse - Ensure allocation of charges for non received CPEs - Ensure the reconciliation is reviewed by Credit and Collection Manager - Ensure any discrepancies have been identified and explained. Verify the quality and relevancy of the explanation a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Reconciliation reports: - Based on a professional judgement, select the daily reconciliation reports in the period under review. - For selected reports, obtain the signed reconciliation report to ensure that the subscriber numbers and profiles (including status) - Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible). - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure reports are reviewed and approved on a daily basis by the Billing Manager.
Reperformance
non-key
Walkthrough
25
10
Reperformance
Low
Rely
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Reconciliation between invoices generated Vs invoices printed Vs sent out: - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain and review the reconciliation reports between invoices generated Vs invoices printed Vs sent out. - Ensure that in case of delivery failure, corrective actions are taken and documented. - Ensure the reconciliation report is reviewed and signed-off by the Billing Manager. - Obtain MIC policy section on non billed subscribers - Based on a professional judgment, select the sample from the period under review. - For selected month, obtain formal report of non-revenue generating traffic - Ensure it is compliant with MIC policy - Ensure it is reviewed and signed-off by Billing Manager and CFO-1
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain all Journal Vouchers related to Wireless costs and revenues. - Trace back the relevant bookings revenue reports extracted from the Wireless Billing system. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Ensure the CFO-1 has reviewed and validated journal entries before posting.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Low
Reperformance
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain signed reconciliation report of Postpaid Wireless revenue & cost booked in the accounting system with the revenue/cost from the Postpaid Wireless billing system. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure the reconciliation report is signed on time by the CFO a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Overdue subscriber status report: - Obtain and review the barring / dunning policy. - Based on a professional judgment, select the sample from the period under review. - For selected dates, obtain reports grouping all overdue customers. - Check if their status has been compared with the theoretical status they should have as per the barring / dunning policy. - Check that report and analysis have been signed off by Credit and Collection Manager. - Obtain a list of new Local Senior Management and Regional equivalents hired during the period under review. - Select the number of employees to be tested. - For each selected employee obtain both hiring package and contract. - Verify that each package of new GM/GM-1 has been reviewed and formally approved. - Verify contract data are in line with approved package (i.e. employee details, salary, bonus amount/percentage, etc.). - Obtain a list of all new employees other than Local Senior Management and Regional equivalents hired during the period under review. - Select the number of employees to be tested. - For each selected employee obtain the contract. - Verify that the contract has been reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Med.
Reperformance
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain a list of all employees who were subject to annual performance evaluation (some employees hired too recently may not be subject yet to evaluations). - Select the number of employees to be tested. - For each selected employee obtain the annual performance evaluation form. - Ensure it was reviewed and formally approved before promotion period.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- For each selected month obtain the reports including commissions and other variable pay elements (overtime, paid off, sickness, holidays, absence, personal expenses). - Ensure they are reviewed and formally approved. - Obtain the list of all Local Senior Management and Regional equivalents. - Select the number of employees to be tested. - For each selected employee obtain the calculation of effective bonus and related supporting documentation (i.e.: assessment of individual performance and general bonus performance criteria communicated by headquarters). - Ensure arithmetical accuracy. - Ensure each calculation was reviewed and formally approved.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Obtain the list of all employees other than Local Senior Management and Regional equivalents. - Select the number of employees to be tested. - For each selected employee obtain the calculation of effective bonus and related supporting documentation (i.e.: assessment of individual performance and general bonus performance criteria communicated by headquarters). - Ensure arithmetical accuracy. - Ensure each calculation was reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- Obtain the quarterly mapping between job positions within the company and related cost center code. - Reperform the mapping to ensure that: a) All identical job positions bear the same cost center code. b) All the job positions included in the list are active (no expired or inactive positions must be included) c) All the cost center codes included in the list are active (no expired or inactive codes must be included) - Ensure that any discrepancy is properly explained and that corrective action has been taken. - Ensure mapping was reviewed and formally approved.
Reperformance
Low
Rely
- For each selected month, obtain the returns kept on file (taxes and social security) and communicated by the third party service provider. - Ensure that any unusual item has been properly investigated and explained. - Verify the returns have been reviewed and formally approved.
Inspection
non-key
Walkthrough
- For each selected month, obtain the analytical review between current month payroll accounts and previous month. - Ensure that the analytical review includes all the costs related to employees: not only salaries, also other personnel expenses, etc. - Verify that all variations equal or above 10% have been properly investigated and explained. - In case of errors, ensure that corrective actions have been taken and documented. - Ensure that the analytical review has been reviewed and formally approved. 1) For each selected month, obtain a list of the Payroll System changes made during the month: a) Recruitments (employees added to payroll database). b) Dismissals (employees removed from payroll database). c) Changes in variable pay elements (overtime, paid off, sickness, holidays, absence, personnel expenses). d) Changes in salary and benefits. e) Changes in deduction rates (social payments and others). f) Changes due to employee's complaints. 2) Select 10% of the changes made during the month (sample must include all above categories). 3) For each change selected, obtain the personnel action form or any document evidencing HR Responsible approval (or Head of Performance and Reward approval for changes related to Local Senior Management and Regional equivalents) 4) Ensure that the above mentioned changes were reviewed and formally approved before being communicated to the third party service provider.
Inspection
non-key
Walkthrough
Inspection
Low
Reperformance
- For each selected month, obtain the 3 pay slips that have been reconciled with personal data (in total, obtain 6 pay slips). - Ensure that reconciliation between pay slip communicated by third party service provider and personal data of the employee has been properly evidenced (existence of tick marks and/or cross references). - Ensure that any discrepancy has been investigated and explained. - Reperform the reconciliation to ensure clerical accuracy. - Ensure reconciliation has been reviewed and formally approved.
Reperformance
Med.
Reperformance
- Obtain the computation of the bonus accrual for each selected quarter and related supporting documentation. - Verify arithmetical accuracy and reasonableness of calculation. - Tie out the accrual's computation vs. accounting records. - Ensure computation has been reviewed and formally approved.
Reperformance
non-key
Walkthrough
- For each selected month, obtain the reconciliation performed between individual pay slip, fund request details and total cash disbursement related to payroll payment. - Ensure reconciliation has been properly evidenced (existence of tick marks and/or cross references). - Ensure that any discrepancy has been investigated and explained. - Reperform the reconciliation to ensure clerical accuracy. - Ensure reconciliation has been reviewed and formally approved. - For each selected month, obtain the fund request form. - Ensure the fund request form has been reviewed and formally approved by both the Human Resources department (GM-1 or GM-2) and CFO before transfer of cash to the payroll bank account. - Obtain the list of subscriber billing complaints during the period under review. - For sample selected complaints, ensure they are reviewed by the Billing Manager. - Ensure corrective actions are taken.
Reperformance
non-key
Walkthrough
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Billing adjustments review: - Obtain the list of billing adjustments during the period under review. - For sample selected adjustments, ensure they are validated and signed-off by the Billing Manager. - Obtain the list of Interconnect/Roaming billing adjustments during the period under review. - For sample selected adjustments, ensure they are validated and signed-off by the Billing Manager and CFO.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the audit log recording all massive billing adjustments which occurred during the period under review. - For sample selected adjustments, ensure they are validated and signed-off by the GM and Customer Manager. - Check there is adequate documentation and logs evidence for a massive adjustment.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on a professional judgment, select the sample from the period under review. - For selected month, obtain reconciliation of billing adjustments with their approvals signed-off - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure the reconciliations are reviewed and signed-off by the CFO. a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Billing adjustments review: - Obtain the list of billing adjustments during the period under review. Ensure the inclusion of all the revenue streams. - For the sample selected, ensure they are validated and signed-off based on MIC Policy. - Based on a professional judgment, select the sample from the period under review. - For selected month, obtain the Journal Voucher related to Billing adjustments to be executed into the accounting system - Check it has been reviewed by the CFO-1 - Based on a professional judgment, select the sample from the period under review. - For selected month, obtain the signed reconciliation report to ensure that the reconciliation is performed between the credit and debit notes in the different billing systems and the credit and debit notes recorded in the accounting system on a monthly basis. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Check it has been reviewed by the CFO-1 - Check the list of report/batch changes during the period under review. - Obtain the MIC Policy. 
- For the sample selected, obtain functional/technical requirements, test results and end-user approval on the development of this exception report. - Ensure the report for the subscriber reporting is designed in order to be in line with the MIC Policy. - Ensure the functional description and the alignment of this description with the MIC policy are signed-off.
Reperformance
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
Inspection
Low
Rely
Reperformance
Med.
Independent
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on a professional judgment, select the sample from the period under review. - For selected weeks obtain the Reporting Package and ensure section related to subscriber numbers has been reviewed by GM (COO if existing) and CFO - Obtain Supporting documentation (Both in Billing Systems) and check for number accuracy against original numbers reported.
Reperformance
non-key
Walkthrough
- Obtain the list of report/batch changes during the period under review. - Obtain the MIC Policy. - For the sample changes selected, obtain functional requirements and check it has been approved by IT Responsible and Consumer Manager and CFO or Finance Responsible (CFO-1) - Check it is in line with accounting principles
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Validation of the number of subscribers : - Check the list of number of subscribers recording during the period under review. - Obtain the MIC Policy. - For sample recording selected, obtain subscriber number report and check it has been reviewed by Consumer Manager - Obtain drafted recording of the number of subscribers and ensure they are approved by the CFO or Finance Responsible (CFO-1). - Check validation has been performed prior to disclosure. - For the period under review obtain a General Ledger report. - Identify all the invoices related to intercompany transactions / accounts. - Select the sample to be tested and obtain the related invoices. - Ensure that each invoice has been reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- For the sample selected, obtain the approved "Intercompany reconciliation". - Obtain the Trial Balance. - Obtain valid documentation in order to confirm all the intercompany balances (e-mails from counterparty, etc.) - Reperform the reconciliation by noting that all intercompany disclosures must be supported by valid documentation (Note that amounts and concepts have been completely and correctly disclosed in the reconciliation as per TB and supporting documents). - Ensure that any differences identified have been investigated and resolved. - Ensure reconciliation is reviewed and formally approved before Consolidation process takes place.
Reperformance
non-key
Walkthrough
- From the contracts database, obtain the list of all new contracts / agreements issued during the period under review. - Filter the contracts by selecting only the ones referring to Intercompany transactions (loans and TSF). - Select in this list the samples to be tested and obtain the related contracts (Note that sample must include agreements where the Operation is the charging company and agreements where the Operation is the charged company). - Verify for each sample selected that the contract was reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- For the sample selected, obtain the approved fair value calculation of unquoted securities. - Verify that the model to perform such calculation has been properly reviewed by Accounting responsible, tying each input in the model against valid support documentation. - Verify arithmetical accuracy. - Ensure that the fair value calculation of unquoted securities has been reviewed and formally approved. - For the sample selected, obtain the approved fair value computation. - Verify that each assumption for all unquoted financial assets has been properly reviewed by CFO to correctly assess their fair value. - Ensure that the fair value computation has been reviewed and formally approved. - For each sample selected, obtain the list of installations completed during the month; - Ensure the list has been reviewed and formally approved (check sign-off and date); - Ensure the list is communicated to the AMNET Region accounting department (i.e. e-mail, memo, etc) before closing the month. - Obtain a list of all new IRU agreements such as IRU agreements which have been changed over the period under review; - Select in this list the samples to be tested and for each one obtain the conclusions on IRU classification (classification as a service agreement or as a lease); - Ensure that the classification is in line with MIC Policy Manual; - Ensure appropriate supporting documents exist to support the conclusions and ensure proper review and approval of the conclusions before booking of the IRU (check sign-off and date). 
- Obtain a list of all new IRU agreements such as IRU agreements which have been changed over the period under review, classified as a lease; - Select in this list the samples to be tested and for each one obtain the conclusions on lease classification (classification as a financial lease or an operating lease); - Ensure that the classification is in line with IAS 17; - Ensure appropriate supporting documents exist to support the conclusions and ensure proper review and approval of the conclusions before booking of the IRU (check sign-off and date).
Inspection
non-key
Walkthrough
Inspection
Low
Reperformance
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Independent
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Independent
- Obtain a list of all new IRU agreements such as IRU agreements which have been changed over the period under review, classified as a financial lease; - Select in this list the samples to be tested and for each one obtain the "Leasing amortization table"; - Review the accuracy of the discounted value and all data as per the lease amortization table by reperforming their computation and ensuring compliance with the terms and conditions of the financial lease agreements; - Verify that the amounts computed in the "Leasing amortization table" tie with the accounting records; - Ensure that the "Leasing amortization table" has been reviewed and formally approved before booking (check sign-off and date).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Med.
Reperformance
- Obtain a list of all new IRU agreements such as IRU agreements which have been changed over the period under review, classified as an operating lease; - Select in this list the samples to be tested and for each one obtain the "computation of the straight line rent"; - Review the accuracy of all data as per the computation of the straight line rent and ensure compliance with the terms and conditions of the operating lease agreements; - Verify that the amounts as per the "computation of the straight line rent" tie with the accounting records; - Ensure that the "computation of the straight line rent" has been reviewed and formally approved before booking (check sign-off and date).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Low
Reperformance
- Obtain a list of all changes to existing IRU / Network capacity agreements, over the period under review; - Select in this list the samples to be tested and for each one obtain evidence that the change such as related assumptions in terms of IRU accounting (classification as a service agreement or as a lease, classification as an operating lease or as a financial lease) have been reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
- For the sample selected, obtain the list of IRU assets that are impaired / no longer in use; - Ensure the list has been reviewed and formally approved (check sign-off and date) before booking or updating any data in the accounting records (if applicable). - For each sample selected obtain the monthly reconciliation between accounting and lease amortization table; - Reperform the reconciliation by tying the IRU's GBV, NBV and depreciation charge as per the accounting system with the amortization table data; - Ensure that any discrepancy has been properly explained and investigated; - Ensure that the reconciliation was reviewed and formally approved (check sign-off and date). - For each sample selected obtain the Cost allocation sheet; - Ensure that the Cost allocation sheet has been reviewed and formally approved (check sign-off and date) before recharge to each country.
Inspection
Low
Rely
Reperformance
Low
Reperformance
Inspection
Low
Rely
- Based on the samples selected for SC1, obtain the "Installations' requirements forms". - Ensure that these forms have been reviewed and formally approved (check sign-off and date). - Obtain evidence that they were communicated to the Local Technical area (i.e. e-mail, memo, etc).
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain a list of all agreements regarding Programming Contents (issued during the period under review). - Select from this list the samples to be tested and for each one review that an agreement exists - Ensure that Content agreements have been properly approved
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- For each sample selected, obtain the schedule approved for the month. - Ensure the list has been properly approved (check sign-off and date). - Obtain evidence that the list is communicated to the Regional Programming Department (e.g. e-mail, memo, etc)
Inspection
Med.
Rely
- For each sample selected, obtain the "cost computation report". - Ensure that the calculation made by the Programming department is accurate by tying the primary elements of the calculation to the agreement's terms and conditions (e.g. number of subscribers per type of package, country, cost per subscriber, etc.). - Ensure that any difference identified has been investigated and resolved before approval. - Ensure arithmetical accuracy. - Ensure final computation is duly reviewed and approved (e.g. tick marks, sign-off, date, etc.). - For the sample selected, monthly accrual needs to be compared with the actual invoice for that month received from programmers - Variations between accrual and invoice above 10% need to be explained - Ensure the accrual was properly approved (check sign-off and date). - For each sample selected obtain the monthly reconciliation between programmers invoices and payments made - Reperform all reconciliations by tying the primary elements invoices, payments and calculations. - Ensure differences have been identified, investigated and corrected. - Verify that all reconciliations were reviewed and formally approved (check sign-off and date).
Reperformance
Med.
Reperformance
Reperformance
Med.
Independent
Reperformance
Med.
Independent
- Obtain the list of new and changed tariffs that occurred during the period under review. - On the sample selected, ensure a feasibility analysis (including cost/benefit analysis, a market study, a comparison with the competitors, etc) has been performed by Go-To-Market department for the sample selected. - Ensure the feasibility analysis has been reviewed and signed-off by Category Manager before the tariff implementation. - Obtain the list of new and changed cable TV product, tariff and/or promotion that occurred during the period under review. - On the sample selected during the period under review, ensure a formal approval obtained for each new/changed tariff and that it is signed-off by GM and CFO.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain and inspect the query used to obtain the list of new corporate cable TV subscriber, new residential cable TV subscriber with a digital cable TV package b) Credit check review: - Obtain the list of all new corporate cable TV subscribers and residential cable TV subscriber with a digital cable TV package and Pay-Per-View (Pay Per View) option for the period under review. - Based on professional judgment, select an appropriate sample amongst the list of new cable TV subscribers - Ensure new accepted subscribers comply with the commercial policy and adequate documentation is done as per commercial policy for credit check. - For the sample selected obtain credit check form signed-off by the Credit and Collection Manager -1
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report - Obtain the commercial policy and ensure the report is in line with defined rules. b) Exception to the Credit Check Cable TV subscriber review: - Obtain the list of the acceptance of new subscribers who do not comply with the Credit Policy during the period under review. - For the sample selected, obtain the credit assessment exception form signed-off by the Credit and Collection Manager and ensure it was done before acceptance a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Discount and free usage review: - Obtain the list of the discounts or free usage given to the corporate subscriber during the period under review. - For the sample selected, ensure they are part of the report containing all discounts or free usage which is signed-off by the Credit and Collection Manager with adequate reasoning for doing so.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Outstanding work orders Review: - Based on a professional judgement, select the daily reports in the period under review. - For selected reports, ensure that they contain all outstanding cable TV work orders. - Ensure reports are reviewed and signed-off by the Installations Head - Obtain the list of all new/changed cable TV subscribers during the period under review. - Based on a professional judgment, select an appropriate sample amongst the list. - For selected items, ensure that all additional material used at the installation time was part of the charging report for subscribers and ensure it is signed-off by the Billing team.
25
10
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this report b) Changes to Subscriber data review: - Based on a professional judgement, select the daily reports in the period under review. - For selected reports, obtain the report related to changes to critical subscriber data (in the television billing system and the television network platform) - Ensure that each provisioned change is matched with an approved change. All exceptions must be explained. - Ensure reports are reviewed and signed-off by the Consumer Manager
25
10
Inspection
non-key
Walkthrough
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) EDRs rejection reports: - Based on a professional judgment, select the sample of daily rejection reports during the period under review. - For each report selected, ensure that the source of the rejection is identified (if possible) and the problem is resolved in order to prevent the event from happening in the future. - Ensure that rejected usage records are recuperated if possible and obtain resolution evidence or confirmation of the resolution. - Ensure reports are reviewed by the Billing Staff. - Obtain the formal procedure that describes how the pre and post bill run are performed. - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - Verify it contains relevant explanation for discrepancies. - For selected items, ensure that sample tests report has been approved by the Billing Manager.
25
10
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Based on a professional judgment, select the sample from the period under review. - For selected dates, obtain the reconciliation report performed between received disconnection work orders with CPEs received in the warehouse. - Ensure that in case of exception, corrective actions are taken and documented. - Check that report and analysis have been signed off by Credit and Collection Manager. a) Review functional/ Technical documentation: - Obtain and inspect the query used to generate changes and addition of cable TV products/tariffs/promotions reports from Billing system. In case of alarm report, obtain and review settings of the alarm. b) Changes review: - Based on a professional judgement, select the appropriate sample of daily reports summarizing any changes or addition of products/tariffs/promotions of Billing system - Cross check changes with the products/tariffs/promotions change request forms. - Ensure reports are reviewed and approved on a daily basis by the Category Manager. - Obtain the list of changes and addition of cable TV products, tariffs and/or promotions (including bundled offers) that occurred during the period under review. - On the sample selected, ensure an accounting impact analysis has been performed by Finance department as per current Pricing change approval policy and related templates. - Ensure the accounting impact analysis has been reviewed and signed-off by the CFO before the tariff implementation. a) Review functional/ Technical documentation: - Obtain and inspect the query used to perform the reconciliation. - Obtain functional/technical requirements related to an automated reconciliation b) Reconciliation reports: - Based on a professional judgement, select the appropriate sample of daily reconciliation reports in the period under review. 
- For selected reports, obtain the signed reconciliation report to ensure that the subscriber numbers and profiles in television network platform and television billing system are reconciled on a daily basis. The subscriber profiles includes all services (e.g. PPV) and the type of subscription. - Reperform reconciliation by tracing data reconciled to supporting documents (data source and tick marks visible). - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure reports are reviewed and approved on a daily basis by the Billing Manager. a) Review functional/ Technical documentation: - Obtain and review the SQL query used to perform the reconciliation. - Obtain functional/technical requirements related to an automated reconciliation b) EDR Reconciliation reports: - Based on a professional judgement, select the appropriate sample of daily reconciliation reports for Pay Per View usage records generated by the television billing system and the ones generated by television network platform. - Ensure all discrepancies are investigated and explained. - Ensure reconciliation reports are signed-off on time by the Billing Manager. - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - Obtain the commercial policy. - For selected items, ensure that additional material (as per the commercial policy) required during the installation which was not included in the basic fee is charged.
Inspection
non-key
Walkthrough
25
10
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Independent
25
10
Reperformance
Low
Rely
25
10
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Reconciliation reports: - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain the reconciliation between subscriber data against the subscribers covered by the bill runs. - Ensure it contains relevant explanation for observed discrepancies. - Verify it has been reviewed by the Billing Manager. - Based on a professional judgment, select the sample from the period under review. - Obtain reports containing rejected EDRs which could not be corrected. - Review adequate reasoning on rejected EDRs which could not be processed. - Ensure selected reports are reviewed and signed-off by Billing manager, Local Revenue Assurance Manager and CFO.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Reconciliation between invoices generated Vs invoices printed Vs sent out: - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain and review the reconciliation reports between invoices generated Vs invoices printed Vs sent out. - Ensure that in case of exception, corrective actions are taken and documented. - Ensure the reconciliation report is reviewed and signed-off by the Billing Manager. - Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain all Journal Vouchers related to Cable TV costs and revenues. - Trace back the relevant bookings revenue reports extracted from the TV Billing Platform - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Ensure the CFO-1 has reviewed and validated journal entries before posting.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Low
Reperformance
- Based on a professional judgment, select an appropriate sample amongst all bill runs done during the period under review. - For selected items, obtain signed reconciliation report of Cable TV revenue & cost booked in the accounting system with the revenue/cost from the television billing system. - Reperform reconciliation (by tracing data reconciled to supporting documents (data source and tick marks visible)) - Obtain documentation related to reconciliation differences identified and assess relevancy of differences explanations - Ensure the reconciliation report is signed on time by the CFO a) Review functional/ Technical documentation: - Obtain functional/technical requirements, test results and end-user approval on the development of this exception report. b) Overdue subscriber status report: - Obtain and review the collection / barring policy. - Based on a professional judgment, select the sample from the period under review. - For selected dates, obtain reports grouping all overdue customers. - Check if their status has been compared with the theoretical status they should have as per the barring / dunning policy. - Check that report and analysis have been signed off by Credit and Collection Manager.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Low
Reperformance
Inspection
Med.
Reperformance
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Inspection
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
- Obtain the list of all critical systems, platforms, applications and databases. - For each critical system, platform, application and database, obtain and inspect the print copy of the catalogue and/or description of the testing environment. - Ensure that the testing environment is separated logically and/or physically from the production environment, that it allows adequate stress, unit and end-to-end testing, that it reflects as much as possible the live environment (data in kind and quantity), and that it is available for sufficient testing time. - Ensure that the print copy of the catalogue and/or description of the testing environment has been formally reviewed and approved. - In case there is no separate testing environment for a critical system, platform, application or database, ensure that there are specific adequate procedures and guidelines in place for testing (including details of mitigating factors and measures in place to prevent negative impact of testing) and that they have been formally reviewed and approved. - Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, determine whether users and relevant stakeholders were informed of the change implementation.
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
- Obtain the Logical Access Management Policy (or Security Policy). - Determine whether the management of user accounts for joiners, job changes and job termination is part of the policy (for both employees and contractors, for local and remote access...). - Ensure that the Logical Access Management Policy (or Security Policy) has been formally reviewed and approved within the last 7 months. - Obtain evidence that the Logical Access Management Policy (or Security Policy) has been formally communicated. - Obtain and inspect the formal inventory of personal data and sensitive information. - Ensure that security means are enabled to protect the integrity and privacy of these personal data and sensitive information. - For the last quarter, ensure that the security set-up has been adequately and formally reviewed and approved. - Obtain and inspect the backup policy to verify whether the backup terms are appropriate (all critical elements considered in scope and backup frequency requirements). - Based on professional judgement, select the sample for the period under review. - For each of the selected days, obtain and inspect the Backup journals to ensure that backups were run as per the backup policy (at least daily for data and weekly for configurations) for all critical systems, platforms, applications and databases. - Ensure that the backups ran successfully to completion (or failure was explained and timely remediated). - Ensure that the backup journals have been formally reviewed and approved. - Obtain and inspect the Disaster Recovery Plan. - Ensure that the DRP addresses the critical systems, platforms, applications and databases as a minimum requirement. - Ensure that the DRP has been formally reviewed and approved within the last 7 months.
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
25
10
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- Obtain and inspect the Disaster Recovery Plan. - Obtain and inspect the DRP test results (if a real disaster occurs and leads to the deployment of the plans, then this is considered as the sample item). - Verify that the DRP was tested within the last year. - Ensure that the DRP test results have been formally reviewed and approved. - Obtain and inspect the Incident and Problem Management Policy and Procedures. - Ensure that it defines handling, analysis and resolution mechanisms of non-standard events (incidents), including escalation procedures, supplier involvement if appropriate and clear description of the process. - Ensure that the Incident and Problem Management Policy and Procedures have been formally reviewed and approved within the last 7 months. - Obtain evidence that the Incident and Problem Management Policy and Procedures have been formally communicated. - Obtain and inspect the Events and Incidents Journals for the period under review. - Based on professional judgement, select a representative sample of significant IT events or incidents and failures for the period under review. - For each of the selected events, incidents and failures, ensure that they have been formally reviewed and approved immediately. - For each of the selected events, incidents and failures, ensure that it has been communicated and resolved in a timely manner. - Based on professional judgement, select a 2-month sample for the period under review. - For each of the selected months, obtain and inspect the Events and Incidents Journals. - Ensure that all significant IT events or incidents and failures of the Events and Incidents Journals (including the resolution activities and status) have been formally communicated. - Ensure that the Events and Incidents Journals have been formally reviewed and approved. - Obtain and inspect the document defining and listing authorized, tolerated and unauthorized software.
- Ensure that the list of authorized, tolerated and unauthorized software has been formally reviewed and approved within the last 7 months. - Ensure that the list of authorized, tolerated and unauthorized software has been formally communicated throughout the company. - Obtain and inspect the document defining and listing authorized, tolerated and unauthorized software. - Obtain and inspect the document which formalized the review of software installed and used. - Ensure that the review addresses all the computers and machines (user PCs and servers). - Ensure that any unauthorized software installed has been reported and reacted upon. - Ensure that the review of software installed and used has been formally reviewed and approved. - Based on professional judgement, select the sample for the period under review. - For each of the selected months, obtain and inspect the job scheduling checklists of all critical systems, platforms, applications and databases to determine whether they have been formally reviewed and approved. - Obtain and inspect the operating procedures. - Ensure that all operation procedures have been documented, updated and formally reviewed and approved within the last 7 months.
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
Inspection
non-key
Walkthrough
- Obtain and inspect the operating procedures. - Ensure that the listing of all potential suspicious activities have been updated and formally reviewed and approved within the last 7 months.
Inspection
non-key
Walkthrough
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the selected change was formally authorized by before the change had been processed.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the selected change was subject to an impact analysis (in particular regarding controls that may be impaired) reviewed. - Ensure that appropriate actions were taken to modify or redesign these controls (if necessary) to retain their integrity.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the selected change was subject to the formalization of a test plan, a roll-out plan and a roll-back plan. - Ensure that these test plan, roll-out plan and roll-back plan had been formally reviewed and approved prior to implementation of the change. - Obtain the list of all interfaces between critical systems, platforms, applications and databases. - For each interface, obtain the last testing results. - Ensure the testing results are no more than 3 years old. - Ensure that the test results confirm that data transmissions are complete, accurate and valid. - Ensure that the interface test results have been formally reviewed and approved. - Obtain the list of individual changes that occurred on existing interfaces during the period under review. - Based on professional judgement, select a representative sample of changes to interfaces for the period under review. - For each selected item, obtain the interface test results. - Ensure that the test results confirm that data transmissions are complete, accurate and valid. - Ensure that the interface test results have been formally reviewed and approved. - Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form including the test plan approved. - Determine whether the test plan was followed for testing the change. 
- Determine whether the test results were formally documented, reviewed and approved before the change had been implemented (live in the production environment).
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
High
Independent
- Obtain and inspect the list of changes to systems, platforms, applications and databases (logs if any), especially changes to critical ones. - Based on professional judgement, select a representative sample of changes for the period under review. - For each selected item, obtain the corresponding change request form. - Determine whether the change results were reviewed by the Business Owner showing approval of the change implemented.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
High
Independent
- Obtain the list of all changes to critical systems, platforms, applications and databases. - Based on professional judgement, select a representative sample of changes for the period under review. - For selected changes, obtain and inspect the change requests and ensure that documentation impact assessment has been formalized. - If updated, ensure that documentation has been reviewed and formally approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Reperformance
- Obtain the list of all critical systems, platforms, applications and databases. - For each critical system, platform, application and database, obtain and inspect the list of available documentation and support service plan (including location) and ensure it is kept in the mentioned location. - Ensure that it has been formally reviewed and approved.
Inspection
Low
Reperformance
- Obtain the list of all end-user applications. - Based on professional judgement, select a representative sample of changes for the period under review. - For selected changes, obtain and inspect the change requests and ensure that documentation impact assessment has been formalized. - If updated, ensure that documentation has been reviewed and approved.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Low
Rely
- Obtain the list of all end-user applications. - For each end-user application, obtain and inspect the list of available documentation and support service plan (including location) and ensure it is kept in the mentioned location. - Ensure that it has been formally reviewed and approved. - Obtain and inspect the list of emergency changes to systems, platforms, applications and databases (logs if any), especially emergency changes to critical ones. - Based on professional judgement, select a representative sample of emergency changes for the period under review. - For each selected item, obtain the corresponding emergency change form. - Determine whether the selected emergency change was formally reviewed and authorized. - Obtain the list of all positions/functions in the company and the related job descriptions. - Verify that each job description specifies the profiles/accesses to be allocated to the corresponding position/function. - Obtain and inspect the matrix of profiles to determine whether all positions/functions have been considered. - Verify whether the matrix of profiles is in line with all the job descriptions and roles in the organization. - Ensure that it has been reviewed within last 7 months. - Ensure that it has been formally reviewed and approved.
Inspection
Low
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Rely
Med.
Reperformance
- Obtain and inspect the list of joiners, job changes and job terminations, for employees, contractors, vendors and non-client personnel. - Based on professional judgement, select a representative sample of access request forms (provisioning and deprovisioning) for the period under review. - For each selected item, determine whether selected forms were adequately prepared, reviewed and approved. - Verify in the relevant systems, platforms, applications and databases that the access rights have been granted (in case of provisioning) or revoked (in case of deprovisioning) as per the details of the approved provisioning/deprovisioning form.
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Med.
Reperformance
- Based on professional judgement, select the appropriate sample of months for the period under review. - For each selected month, obtain the list of transfers and leavers from Human Resources Department. - For each transfer and leaver of the list, obtain system evidence that the access rights have been updated accordingly (modified for transfers or revoked/suspended for leavers). - For each selected month, ensure that the review of transfers and leavers has been formally reviewed and approved.
Med.
Reperformance
- Obtain and inspect the access rights review performed. - Ensure that the scope of the access rights review is complete (i.e. at least all critical systems, platforms, applications and databases). - For each critical system, platform, application and database, ensure that the effective access rights (system capture) are in line with employee's position and responsibilities in the company (job description) and that these are still aligned with need-to-have and segregation of duties principles. - For each critical system, platform, application and database, ensure that all users have a unique user ID by which they can be identified (any exception to this rule must be well documented, rationalized and approved). - For each critical system, platform, application and database, identify temporary accounts, generic accounts, applicative accounts and ensure that they are legitimate and adequately supported by documentation and explanations. - Ensure that the access rights review has been reviewed and approved.
High
Independent
- Obtain and inspect the access rights review related to the migration of new/modified systems, platforms, applications and databases. - Ensure that the scope of the access rights review is complete (i.e. at least all critical systems, platforms, applications and databases). - Based on effective access rights (system capture), determine which accounts are authorized to migrate new/modified systems, platforms, applications and databases into the production environment. - Determine whether the job descriptions of the personnel capable of migrating new/modified systems, platforms, applications and databases into the production environment specify such an authority for these positions/functions. - Ensure that these personnel (authorized to migrate new/modified systems, platforms, applications and databases into the production environment) are not authorized to perform any development, in order to comply with Segregation of Duties principles. - Ensure that the access rights review related to the migration of new/modified systems, platforms, applications and databases has been formally approved. - Obtain and inspect the list of usernames (and corresponding persons) with privileged/powerful access rights to systems, platforms, applications and databases. - Ensure that this list is in line with the access actually implemented in systems (system capture). - Ensure that such privileged/powerful access rights are part of the job description of the persons using these usernames. - Ensure that access to powerful operating system commands is limited to the appropriate IT users. - Ensure that the list of usernames with privileged/powerful access rights to systems, platforms, applications and databases has been formally reviewed and approved.
High
Reperformance
High
Independent
- Obtain the updated list of end-user computing tools. - For each end-user computing tool (such as spreadsheets and other end-user programs), obtain the user access rights related to it (e.g. access rights to the directory/folder where it is stored and used from the system capture). - Ensure that the list of user access rights to end-user computing tools has been formally reviewed and approved.
Med.
Reperformance
- Based on professional judgement, select the appropriate sample for the period under review. - For each selected month, obtain the reviewed list of vendors/contractors accounts and the related access rights (system capture). - Ensure that the scope of the list is complete (i.e. at least all critical systems, platforms, applications and databases). - Obtain the access request forms related to each contractor. - Verify whether each vendor/contractor access is limited in terms of access rights granted and time of activity defined in the access request form. - Verify whether each existing vendor/contractor account is legitimate vs. the provisioning and deprovisioning dates defined in the access request form. - Ensure that the list of vendors/contractors accounts and the related access rights has been formally reviewed and approved. - Based on professional judgement, select the appropriate sample for the period under review. - For each selected month, obtain the list of user accounts with remote access capability granted to vendors, contractors and employees (system capture). - Ensure that the scope of the list is complete (i.e. at least all critical systems, platforms, applications and databases). - Obtain the remote connection request forms related to the vendors, contractors and employees who have remote connection capabilities. - Ensure that remote connection is appropriately limited in terms of time window of activity (e.g. no 24h/7d activation) in line with the need-to-have. - Ensure that only vendors, contractors and employees that currently need to access Tigo infrastructure remotely can actually connect remotely. - Ensure that the list of user accounts with remote access capability granted to vendors, contractors and employees has been formally reviewed and approved. - Obtain the logs of remote connections for each critical system, platform, application and database.
- Based on professional judgement, select a representative sample of remote accesses to these for the period under review. - For each selected item, ensure that the activities were adequately supported by a remote connection request form and the description of activities planned. - Ensure that the logs of activities from remote connections vs. planned activities have been formally reviewed and approved.
Med.
Rely
Med.
Reperformance
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
- If estimated yearly population > 50 --> select 10% of available population, up to 10 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Med.
Reperformance
- Based on professional judgement, select the appropriate sample for the period under review. - For each selected month, obtain the reports on remote connections to critical systems, platforms, applications and databases. - Ensure that the reports contain details (and description of activities) related to all approved remote connection request forms. - Ensure that the reports have been formally reviewed and approved. - Obtain and inspect the security setup review for critical protected areas. - Ensure that critical password files, authorization tables, communications software, encryption keys and critical installation programs are stored in logically protected areas or otherwise protected from read-and-write access. - Ensure that the security setup documentation has been formally reviewed and approved and access to critical protected areas is granted to authorized users only.
Inspection
Med.
Reperformance
Inspection
High
Reperformance
For each critical system, platform, application and database, obtain the password complexity rules and ensure that password controls are in effect and consider minimum security rules (where technically feasible): - Minimum password length of 8 characters, - Password complex composition is enforced: password must be composed of alpha-numeric characters at least (characters and digits). Additional complexity can be implemented (e.g. no dictionary words, use of symbols), - Passwords are forced to be changed every 90 days at least (passwords of administrator accounts can have a one year validity), - Unsuccessful login attempts must be logged and reviewed. Complementary security practices can also be considered: - Initial log-on uses a one-time password, - History of the last 6 passwords cannot be used for password renewal, - 5 unsuccessful log-on attempts allowed before lockout (where business continuity is not impacted), - Idle session time out after 10 minutes. Ensure that the review of password controls has been performed within the last 7 months and has been formally approved.
Inspection
Med.
Reperformance
- Obtain and inspect the policy defining retention periods, backup and storage terms of information. - Ensure that it defines backup terms (frequency, media, etc.), storage terms (on-site, off-site, access, etc.) and retention periods for information from critical systems, platforms, applications and databases (both data and parameters/configurations), as well as any information considered as sensitive in the company's data/information classification. - Ensure that the retention periods, backup and storage terms have been formally reviewed and approved within the last 7 months. - Based on professional judgement, select the sample for the period under review. - For each of the selected months, obtain and inspect the backup journals covering all days of the month to determine whether they have been formally reviewed and approved. - Obtain and inspect the restore journals for the last 7 months. - Determine whether restore tests occurred for information from all critical systems, platforms, applications and databases (both data and parameters/configurations), as well as for any information considered as sensitive in the company's data/information classification. - Ensure that the restore tests were successful. - Ensure that the backup restoration journal and the corresponding restoration results have been formally reviewed and approved. - Obtain and inspect the list of authorized individuals allowed to access the backup media. - Determine whether access to backup media is commensurate with the function and/or profile of the authorized individuals. - Ensure that only formally authorized individuals can access the backup media (both on-site and off-site). - Ensure that the review of accesses to backups vs. the authorizations has been formally reviewed and approved for the last quarter.
Inspection
Low
Rely
Inspection
High
Independent
Inspection
Med.
Reperformance
Inspection
Med.
Rely
- Based on professional judgment, select the sample for the period under review. - For each of the selected weeks, and for each critical system, platform, application, database and Firewall, obtain the logs of unauthorized activities. - For each unauthorized activity, ensure that it has been documented and reacted upon in an appropriate manner. - For each unauthorized activity, ensure that it has been formally reviewed and approved. - Based on professional judgement, select a 2 month sample for the period under review. - For each of the selected months, obtain and inspect the logs of unauthorized activities for network activity and for all critical platforms, systems, applications and databases. - Ensure that all unauthorized activities from the logs (including the actions taken) have been formally communicated. - Ensure that the monthly reports on unauthorized activities have been formally reviewed and approved. - Obtain and inspect the batch jobs schedules for each critical system, platform, application and database. - Based on professional judgement, select the sample for the period under review. - For each of the selected days, obtain and inspect the job scheduling checklists to ensure that batch jobs ran as per the job schedules for all critical systems, platforms, applications and databases. - Ensure that the batch jobs ran successfully to completion (or failure was explained and timely remediated). - Ensure that the job scheduling checklists and related results have been formally reviewed and approved.
Inspection
High
Independent
Inspection
High
Independent
25
10
Inspection
Med.
Rely
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Professional judgement
2 Inspection Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2 (scratch cards : 5)
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Professional judgement
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
2 (scratch cards : 5)
Reperformance
Professional judgement
Inspection
Professional judgement
1 1
Inspection Inspection
Reperformance
Professional judgement
Reperformance
Professional judgement
1 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1 Inspection
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated population > 50 -> select 10% of available population, up to 25 - If estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 if control automated: 1 If control manual: 5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 - if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 1
Inspection
Professional judgement
Inspection
Professional judgement
25
Reperformance
Professional judgement
If weekly: 5 If daily: 25
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2 Reperformance
Professional judgement
Professional judgement
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 Quarterly: 1 Ad hoc: - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Reperformance
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 Quarterly: 1 Annually: 1 Ad hoc: - If estimated population > 50 -> select 10% of available population, up to 25 - If estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 1
Inspection
Professional judgement
Professional judgement
Professional judgement
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
a) Inspection
Professional judgement
b) Inspection
Inspection
Professional judgement
25
Reperformance
Professional judgement
25
Reperformance
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Professional judgement a
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1 Inspection
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Inspection
Professional judgement
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Professional judgement
Professional judgement
1
Note: test may be performed via Walkthrough test
Obtain the list of user access rights to determine whether they have been quarterly reviewed by the IT Responsible.
Professional judgement
All IT Staff
Note: test may be performed via Walkthrough test
- Obtain list of access rights (IT staff)
- Review users with access rights to migrate systems, ensure that the function of the person in the company is relevant for the granted access
Professional judgement
All IT Staff
Note: test may be performed via Walkthrough test
- Obtain list of access rights (IT staff)
- Review users with access rights to migrate systems, ensure that the function of the person in the company is relevant for the granted access
1
Professional judgement
Professional judgement
Professional judgement
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
1
Note: test may be performed via Walkthrough test
Obtain and inspect the security setup for critical protected areas to determine whether (a) security setup documentation has been signed by the IT Responsible and (b) access to critical protected areas is granted to authorized users only.
Inspection
Professional judgement
1
Note: test may be performed via Walkthrough test
Obtain and inspect the security setup for critical network and systems to determine whether (a) security setup documentation has been signed by the IT Responsible and (b) access to critical network and systems is granted to authorized users only.
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
1
Note: test may be performed via Walkthrough test
Obtain and inspect the list of IT user access rights to determine whether (a) they have been signed off by the Security Officer and (b) access to issue access to the back-up is limited to the appropriate IT users.
5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Professional judgement a
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
1
Note: test may be performed via Walkthrough test
On a sample basis, obtain and inspect selected changes (especially changes to systems and applications providing control over financial reporting) to determine whether such changes have been tested, reviewed and approved by (a) the appropriate person and (b) business owner before being introduced into the production environment.
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Professional judgement
Professional judgement
1
Note: test may be performed via Walkthrough test
Obtain the list of user access rights to determine whether they have been quarterly reviewed by the IT Responsible.
Professional judgement
Professional judgement
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
All IT Staff
Note: test may be performed via Walkthrough test
- Obtain list of access rights (IT staff)
- Review users with access rights to migrate systems, ensure that the function of the person in the company is relevant for the granted access
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Examine supporting documentation to validate reliability of exception report + inspect 25 exception reports (+ select a sample of items in each selected report for further investigation; document total samples examined in working papers)
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
10
Professional judgement
25
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2 Reperformance
Professional judgement
Professional judgement
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
Professional judgement a
25
Inspection
Professional judgement
25
Reperformance
Professional judgement
10
Professional judgement a
Examine supporting documentation to validate reliability of exception report + inspect 25 exception reports (+ select a sample of items in each selected report for further investigation; document total samples examined in working papers)
Reperformance
Professional judgement
10
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
25
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 - if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Reperformance
Professional judgement
25
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Reperformance
Professional judgement
10
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
25
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
10
Reperformance
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Inspection
Professional judgement
25
Reperformance
Professional judgement
25
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
Professional judgement
25
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 - if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Reperformance
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Reperformance
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Reperformance
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Reperformance
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 Inspection
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Reperformance
Professional judgement
Professional judgement
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Professional judgement
Professional judgement
Professional judgement
Professional judgement
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 5
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 25
Professional judgement
Professional judgement
25
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
Professional judgement
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
Professional judgement
Professional judgement
a 1
Professional judgement
a 1
Professional judgement
a
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 Professional judgement
Professional judgement
Professional judgement
Professional judgement
Professional judgement
Professional judgement
Professional judgement
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1 Inspection
Professional judgement
Professional judgement
Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
a
25 Inspection Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
a
1 Inspection Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 2
Inspection
Professional judgement
Inspection
Professional judgement
a
1 Inspection Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
a
1 Inspection Professional judgement
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 - 1 every 3 years
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5
Professional judgement
Inspection
Professional judgement
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1 Inspection
Professional judgement
Professional judgement
a
- If estimated yearly population > 50 --> select 10% of available population, up to 25 - If estimated yearly population < 50 --> select all population available, up to 5 1 Inspection Professional judgement
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Professional judgement
Professional judgement
1 Note: test may be performed via Walkthrough test Obtain the list of user access rights to determine whether they have been quarterly reviewed by the IT Responsible.
Professional judgement
All IT Staff Note: test may be performed via Walkthrough test - Obtain list of access rights (IT staff) - Review users with access rights to migrate systems, ensure that the function of the person in the company is relevant for the granted access
Professional judgement
All IT Staff Note: test may be performed via Walkthrough test - Obtain list of access rights (IT staff) - Review users with access rights to migrate systems, ensure that the function of the person in the company is relevant for the granted access 1
Professional judgement
Professional judgement
Professional judgement
Professional judgement
- if estimated population > 50 -> select 10% of available population, up to 25 - if estimated population < 50 -> select all population available, up to 5
Inspection
Professional judgement
Inspection
Professional judgement
1 Note: test may be performed via Walkthrough test Obtain and inspect the security setup for critical protected areas to determine whether (a) security setup documentation has been signed by the IT Responsible and (b) access to critical protected areas is granted to authorized users only.
Inspection
Professional judgement
1 Note: test may be performed via Walkthrough test Obtain and inspect the security setup for critical network and systems to determine whether (a) security setup documentation has been signed by the IT Responsible and (b) access to critical network and systems is granted to authorized users only.
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
a
1 Inspection Professional judgement
1 Note: test may be performed via Walkthrough test Obtain and inspect the list of IT user access rights to determine whether (a) they have been signed off by the Security Officer and (b) access to issue access to the back-up is limited to the appropriate IT users.
Inspection
Professional judgement
Inspection
Professional judgement
Inspection
Professional judgement
25
Inspection
Professional judgement
Sample Size
ELC # Control Objective (COSO) (All L1)
1 MIC Policy Manual is approved by the BOD, kept updated and adequately communicated and available to all staff members.
Control Requirements
MIC Policy Manual must include at least the following sections:
- Code of Ethics
- Golden rules
- Human Resources
- Disciplinary procedures
- Bonus and compensation
- New hire training/orientation
- Hiring policy
- Accounting and Finance
- Financial Reporting
- Information security
- Corporate governance policy
- Whistle-blower policy
- Nominating committee duties
- SOX Controls
- Internal Controls
- Authority Matrix
Human Resources department organizes a training / communication on the major sections of the MIC Policy Manual.
Responsible
Human Resources Responsible
Frequency Control Formalization Applicable Section COSO Framework
Control Environment - Integrity and Ethical Values
Information and communications
Existence: 1 Communication: 10 employees
Effectiveness Assessment Remediation Existing & Adequate ? Communicated adequately ? Monitored adequately ? Action step Responsible Target date F/P/N/NA Comments Reference F/P/N/NA Comments Reference F/P/N/NA Comments Reference
According to business evolution
Evidence that the last version of MIC Policy Manual has been adequately communicated to all staff members
C
2 Board / Management ensure a training module or a communication on the importance and understanding of MIC Policy Manual is periodically given to management and staff.
Annually
3 The makeup of the board of directors, including the number of directors, their background and expertise, their independence (for outside board members), is appropriate given the nature of the company.
Directors are appointed once a year during the local AGM.
Local AGM
Annually
E, C, M
Control Environment - Board participation in governance and oversight Control Activities Monitoring Risk Assessment Control Environment - Board participation in governance and oversight Control Activities Monitoring Risk Assessment Control Environment - Board participation in governance and oversight Control Environment Monitoring
Reperf.
The following topics are discussed and approved during local BOD meetings: - Financial Statements - Authority Matrix
Local BOD
Annually
Local BOD minutes related to: - The Financial Statements approval - The Authority Matrix approval
E, C, M
5 The standard board meeting scheduling process ensures the Board of Directors meets regularly to perform management oversight.
6 The internal control system over financial reporting is assessed to identify 1) potential deficiencies and weaknesses in the design or operation of internal control 2) fraud.
A Board meeting planning is set up on an annual basis at the beginning of the year.
GM
Disclosures are formalized in the company's quarterly financial statements on the state of internal control over financial reporting.
GM and local CFO
Annually
Quarterly
Reperf.
7 Management structure is diverse and is overseen by a Board of Directors. Management ensures that critical tasks are segregated and supported by adequate back-up.
Once a year, HR department updates the general organization chart and the organization charts related to all departments (Accounting & Finance, IT, HR, Legal, etc). HR department ensures that job descriptions are formalized for every position within the company. In particular, HR department ensures that a back up has been identified for each critical position and that there is segregation of duties for tasks allocated.
Human Resources Responsible and GM
Annually
- General organization chart and organization charts per department approved by Human Resources Responsible and GM
- Job descriptions approved by Human Resources Responsible
- List of back-ups approved by Human Resources Responsible
E,M
Yearly follow-up of external audit management letter point of action reviewed and approved by GM and local CFO.
E
Indept
8 Issues identified by the external auditors are resolved timely by management and reported to the Audit Committee.
A proper follow-up of external audit management letter points of actions is maintained by the GM and communicated to the Head of Internal Audit.
GM and local CFO
Annually
Monitoring
Indept
9 A Business Continuity Plan (BCP) that covers all critical business functions is in place, is formalized and is tested on a regular basis.
A Business Continuity Plan (BCP) that covers all critical business functions is in place, is formalized and is tested on a regular basis.
GM
Annually
10 Management ensures that budgets and forecasts are prepared timely to reflect changing conditions in the business.
Budgets are prepared annually and forecasts are prepared biannually.
Local CFO
Control Activities
Reperf.
11 Management ensures that actual results are monitored continuously throughout the year against budget.
Actual results are compared with budgets and forecasts. Significant variations are investigated and related explanations are properly formalized.
Local CFO
Monthly
E,M
Control Activities
Indept
12 Management ensures override of controls and exceptions to established policies and procedures are communicated to Compliance Officer.
Override of controls and exceptions to established policies and procedures are documented in a log book by the Compliance Officer. Appropriate follow up and actions are taken to address these exceptions.
Compliance Officer
Annually
Log book of controls overridden by management is disclosed with evidence of appropriate actions taken.
E,M
Reperf.
PricewaterhouseCoopers Confidential
3/24/2012
Control Requirements Personal goals are determined on an annual basis and their achievement discussed during the performance evaluation process. Potential overload and training need are assessed as well. During the annual performance review, the employee will sign a declaration which certifies his reading, understanding and approval of the Code of Ethics.
Frequency Annually
Control Formalization
Evaluation form including the following:
- Annual personal goals
- Assessment of goals' achievement
- Reassessment of goals
- Individual training need section duly completed
- Quantification and assessment of overload
- Declaration of the employee which certifies his reading, understanding and approval of the Code of Ethics
E
Applicable Section
COSO Framework Control Environment - Commitment to competence - Management philosophy and operating style
13 The annual performance evaluation process is set up on an annual basis in order to review and discuss annual goals, personal achievements, training need, potential overload and compliance with the code of ethics.
14 As part of the hiring process, Human Resources and/or management ensure that candidates have adequate knowledge, competencies and experience to fulfill his current and future responsibilities.
Each time a candidate is interviewed, a competency evaluation form summarizing the candidate's skills is duly completed and signed by the Human Resources Responsible. The candidate's CV is also kept by the HR department.
Human Resources Responsible
Each hiring
10 employees
Indept
15 Human Resources ensures communication of expected behaviors through various means to discourage personnel from engaging in dishonest, illegal or unethical acts. Human Resources ensures conducting new hire training/orientation.
Each time a new employee is hired, Human Resources will provide this new employee with an orientation package and the employee handbook.
Each hiring
- Orientation package
- Employee handbook
- Evidence that each new employee has received the above mentioned two documents
E,C
10 employees
Reperf.
16 Change Management policy is formalized, reviewed and available across the company.
Change management policy exists and includes sections on: 1) change request process and authorization mechanisms 2) testing principles and operational procedures to be applied per change scenario (for recurring type of changes) 3) management of emergency changes.
Annually
- Change management policy control requirements exist
- Change management policy is available across the company (for example available on intranet)
- Change management policy is approved
E,C,M
- Security policy control requirements exist
- Security policy is available across the company (for example available on intranet)
- Security policy is approved
E,C,M
The security policy exists and includes the following sections:
- Definition of physical areas and zones and their criticality level (including definition of security levels, criticality classification of zones: IT room, Inventory/stock, Finance Department, etc.)
- Section on physical security on critical areas and zones (including but not limited to IT hardware and related IT assets)
- Section of physical security systems and elements actually in place to protect assets and areas from physical damages (appropriate environmental monitoring and hazard suppression systems are in place for each defined physical zone in accordance with its criticality level: electronic threats, fire suppression, uninterrupted power service, air-conditioning, elevated floors, etc.)
- Section on physical access control systems to facilities on need-to-be and zoning principles with identification, authorization and exception procedures where needed
- Section on logical security and access to sensitive data and information.
Group COO and GM
Ownership Policy (including system vs. owner matrix) exists and includes the following:
- Definition of each critical system, platform, application and database and the corresponding owners
- Definition of each critical/sensitive/private data and information, the security measures in place to ensure privacy and the corresponding owners
Group COO and GM
Annually
Reperf.
Annually
- Ownership policy control requirements exist
- Ownership policy is available across the company (for example available on intranet)
- Ownership policy is approved
E,C,M
Indept
19 The provisioning / deprovisioning forms for physical access to non-public areas are reviewed and approved to grant users only the physical access they need.
The physical access provisioning/deprovisioning forms for
- employees (joiners, job changes, job termination),
- contractors, vendors and third parties
are approved by the Head of Department and the Human Resources Department.
For each request for physical access, relocation or departure
The physical access forms are signed-off
Control Activities
15 employees
Indept
Physical access rights of employees, contractors, vendors and third parties are reviewed against their required access.
Security Officer and Human Resources Responsible
Bi-annually
Control Activities
The actual physical access attempts to secured areas are reviewed against the list of authorized people. Unauthorized attempts are reported and investigated.
Quarterly
Logs of (attempt to) user physical access to restricted areas are approved
Control Activities
Reperf.
Control Requirements
Frequency Quarterly
Control Formalization
Logs of (attempt to) malicious activities and intrusions are approved
E
Applicable Section
22 Malicious logical activities attempts are monitored through use of specific systems and elements (including antivirus management, analysis of firewall logs, Intrusion Detection System implementation).
Various elements are implemented to prevent malicious logical intrusions (firewall, routers, virus prevention software, etc). A managed Intruder Detection System is in place to alert the company of malicious logical activities and security violations. The alarms and logs made available by these elements are reviewed and acted upon.
23 Legal department and/or third party lawyer provide to management update on new stock exchange, regulatory and legal rules with an analysis of their impacts.
Legal department and/or third party lawyer provide to management update on new laws, regulations and stock exchange rules with an analysis of their impacts.
General Counsel and/or Third party lawyer
When required and at least annually
Written memorandum from General Counsel and/or third party advisor on new laws, regulations and stock exchange rules with an analysis of their impacts.
Risk Assessment
Reperf.
24 Management ensures that sensitive communications involving customers, regulators and other external parties is tracked.
Legal department keeps track of any sensitive communication (E-mails, letters, memo) with customers, regulators and other external parties.
Legal Counsel
Quarterly
Sensitive communication (E-mails, letters, memo) with customers, regulators and other external parties kept by Legal Counsel
E
Risk Assessment
Indept