Topside Controls Discussion Memorandum

Auditor Guidance

Objective: The objective of this memorandum is for Corporate Internal Audit colleagues to document topside control discussions conducted with market leaders. This documentation is a necessary component of our field audits in order to comply with SOX 404 guidelines and the COSO framework, and to allow reliance by the external auditors.

When: This memorandum should be completed during the first week of the audit and included in TeamMate as part of the audit's work papers.

How: This memorandum should be completed through discussions with the Finance Director, BT Director, Site Leader or other relevant members of management. If there are multiple processes under review, the memorandum should be completed through discussions with multiple members of management. For example, at a site where both financial processes and a data center are within the SOX 404 scope, the auditor should complete this memorandum by speaking with both a finance representative and a local CIT representative.

Documentation: This document includes an example of a completed memorandum. The example does not represent a "best practice"; it was designed to give the auditor an example of the level of detail expected when documenting the responses received. The completed memorandum does not need to be accompanied by supporting documentation unless that documentation is considered material to the audit.

Impact on rating: Neither the individual responses to this memorandum nor the overall results of the memorandum will be assigned a rating. The memorandum responses should only be used as one input to the overall evaluation of the audit results. For example, if through our audit testing we found that duties between colleagues were not properly segregated, and by completing the memorandum we learned that the Pfizer Values were not well communicated, we may want to consider the results of the memorandum when assessing the overall significance of the audit finding.

Corporate Internal Audit Topside Controls Discussion Template

MEMORANDUM

DATE: (Enter Date)
SUBJECT: Topside Control Discussions at the Markets – (Enter Market Name)
AUDITOR: (Name)
PLEASE LIST ALL COLLEAGUES AT THE MARKET SITE WITH WHOM YOU DISCUSSED THIS DOCUMENT: (Names)

OBJECTIVE: The objective of this memorandum is for Corporate Internal Audit colleagues to document topside control discussions conducted with market leaders. This documentation is a necessary component of our field audits in order to comply with SOX 404 guidelines and the COSO framework, and to allow reliance by the external auditors.

DISCUSSION QUESTIONS

Employee Related Matters

1. Management must convey the message that integrity and ethical values cannot be compromised, and employees must receive and understand that message. Specifically, management must stress the importance of ethical conduct with regard to financial reporting and compliance with applicable laws and regulations. Describe the tools management uses to convey this message and how it ensures all colleagues strive for the highest standards of conduct. How are the Leader Behaviors and Pfizer's Values conveyed and enforced with employees? Are they communicated and reinforced on a regular (annual or semiannual) basis, or only upon hire? Which employees receive and sign the Blue Book? Is the Blue Book signed annually? Who maintains the certifications and follows up on missing ones?

Management teaches an "Integrity and Ethics" course to all new employees when they start. This course shows new employees the importance of values at Pfizer. Employees who work with the financial reporting process are given continuous training on financial ethics and are informed of any new financial standards that need to be addressed in their work. All new employees receive and sign the Blue Book. In addition, new employees must complete an online tutorial on the Blue Book within 31 days of their start date. Corporate HR oversees this process and follows up with individuals who have yet to complete the online course. The continuous training provided to employees who work with financial reporting ensures that they are aware of any new laws and regulations pertaining to financial reporting ethics. Employees are made aware of the anonymous compliance hotline via information provided in their new hire orientation materials. Pfizer Values and Leader Behavior posters and paraphernalia are present in common areas, including the cafeteria and entry foyer. The Pfizer Values and Leader Behaviors are reinforced to employees through periodic emails and messages from Senior Management.

2. Management must specify the level of competence needed for particular jobs, and translate the desired levels of competence into requisite knowledge and skills. Explain how management ensures responsibilities are assigned to the right people with the right skills to get the job done effectively. Provide information on the site's major training programs, hiring and promotion policies, frequency of performance reviews, job description procedures, etc. Also, describe how management conveys to colleagues the importance of developing and enhancing the skills and knowledge necessary to perform their responsibilities.

Part of the recruiting process is ensuring that candidates have the education and experience levels necessary to do the job effectively. This is done initially by reviewing resumes, conducting interviews and speaking with references. If the decision is made to hire an individual, they are placed in a role that fits their experience and education level. At the time of hiring, they are given a job description memo as part of their orientation kit, confirming what was discussed during the hiring interview. Training is given to everyone when they are first hired, and as necessary when job requirements and/or laws and regulations change. This consists of training specific to the job, such as software/hardware or applications training. Hiring is done through both internal and external resources. Documented hiring principles state that hiring is performed without regard to ethnicity, religion, age or gender. Promotions are given as deserved and when there is a need within the organization. Performance reviews occur annually, with some reviews occurring on a project basis, depending on the length of the project. Training to increase job performance is encouraged for all employees. Established hiring processes, promotion guidelines and training programs are the controls in place to ensure that the right employees are hired for the right jobs and are given the training they need to succeed in their positions. These programs are communicated to employees from the time they are hired and throughout their tenure.

3. A comprehensive new hire training program helps ensure all employees are aware of Pfizer's mission statement, values and employee expectations. What tools are employed to ensure new hires are fully aware of the Leader Behaviors, Pfizer's Values and the Blue Book? What other types of training are colleagues given when they are hired to ensure they are aware of both Pfizer and local market performance expectations? What training is given related to job-specific functions? Is there a management leadership program in place to help employees make a smooth transition into a management position?

New hires are given an in-depth orientation and provided with a new employee binder. All information contained in the binder is also available on the local Pfizer intranet website. The orientation binder includes a discussion of Pfizer's Leader Behaviors and Values, and includes a copy of the Blue Book. Employees are required to complete a Blue Book module course online within 31 days of hire. Employees are also given training on the applications they are expected to use on the job. The orientation program acts as a control to ensure that employees are aware of Pfizer's mission statement, values and employee expectations. The orientation program includes a review of Pfizer's organization structure, compliance hotline information, the Open Door Policy and Pfizer's mission statement. The job-specific training programs act as controls to ensure that employees are educated on the company systems and can be productive and efficient in their day-to-day activities. Newly promoted managers are sent to management and leadership seminars so they can better adjust to their new role and develop the necessary leadership, communication, motivation and negotiation skills.

4. Options to anonymously report non-compliance practices, and colleague knowledge of these options, are critical components of an effective control environment. What vehicles are available to colleagues to report potential compliance issues anonymously? How are colleagues informed about these vehicles? Is there any reason an employee would not be aware of how to report a compliance issue (no formal orientation, transfer from another division, etc.)?

Pfizer has set up an anonymous compliance hotline for all employees. Employees who have concerns about compliance issues can contact this number and air their concerns anonymously, without fear of repercussions. Employees are made aware of this number when they are first hired, as part of their orientation packet, and can also find it on the Pfizer intranet website. Local management recently sent an email to all local employees reminding them of the compliance hotline and how to use it appropriately. They also gave a business conduct presentation to their employees last month.

5. Management must ensure that colleagues' job descriptions and responsibilities adequately integrate with the internal control framework of the organization. Do most functions have written job descriptions? How often are these job descriptions updated? Do job descriptions include specific references to internal control related responsibilities?

Most functions have written job descriptions, kept by both HR and the department manager. These job descriptions are updated when the department's structure changes, or when system changes cause the job description to change. The job descriptions do include specific references to internal control responsibilities, and each employee is responsible for ensuring that the controls in place for their position are operating effectively. Operating effectiveness is monitored by a department manager on a regular basis.

6. Colleague education on Pfizer's Open Door Policy (ODP), as well as regular communication of the ODP, is an integral part of the firm's leadership culture. How does the site promote Pfizer's Open Door Policy? Does management believe that managers and process owners have ready access to senior management when addressing significant issues?

Pfizer's Open Door Policy is communicated to employees as part of their orientation. Employees are encouraged to contact their supervisors or, if need be, any level above their direct supervisor to communicate any issues they believe require management attention. Management believes that everyone has access to senior management when addressing significant issues. New employees are introduced to site management when they are hired so that they feel comfortable talking to management. The site's local intranet website provides a link to the Corporate Open Door Policy.

7. Management and personnel continuity are critical success factors in the operation of an effective internal control environment. Has there been significant turnover of the colleagues who perform internal control activities related to the site's annual primary processes in the last year? Has there been significant turnover of the members of senior management who review internal control activities related to annual primary processes in the last year? Is mandatory vacation required of employees, and if so, for which functions?

Recently there was a significant amount of turnover in senior management. As a result, a plan was developed and executed to ensure internal controls remained sound. The plan included providing training to new or relocated employees, reemphasizing the overall control structure, introducing the new organizational structure, introducing communication and information-sharing methods, etc. All restructuring activities were reviewed with Corporate.

8. The existence and communication of a vision statement and mission must be part of management's overall strategy. Does the site have a vision statement or a mission? If so, how is the vision statement communicated to colleagues? How is the company-wide mission statement communicated to employees?

A vision statement/mission exists at the site and is communicated to employees in various ways. Both the site-specific and company-wide vision statements are communicated to employees through orientation, training programs, posters in the workplace, weekly newsletters, and office stationery/decorating items.

Business Related Matters

9. For an entity to be effectively controlled, it must have established objectives. Entity-wide objectives include broad statements of what an entity desires to achieve, and are supported by related strategic plans. What are management's current entity-wide objectives? Describe the process the site follows to identify them. How does management ensure these objectives are aligned with division and Pfizer goals? Explain how management ensures these objectives are effectively conveyed throughout the organization and into employee objectives.

Current site-wide objectives include… (the auditor should list the site's objectives). Management identifies these objectives based on feedback from customers, suppliers and employees. Once these objectives are identified, they are communicated to site senior management to ensure they are in line with overall company goals and, upon agreement with Corporate, communicated to employees at the entity. Site-wide objectives are communicated throughout the organization through informational newsletters and e-mails, as well as through meetings with managers, who then relay the objectives to their teams. Colleagues incorporate these objectives into their own development plans. Objectives are generally reviewed for progress on a semi-annual basis.

10. Within the organization, information is collected at various points and by different people. Communication standards should be established to ensure information regarding risks and financial information is shared with the right people in a timely manner for consideration in making business decisions. How does management ensure all significant information flows up, down and across the organization, as appropriate? Describe the site's organizational structure, leadership teams or other cross-divisional teams that allow for the effective sharing of information. How often do these teams meet?

Initiatives include weekly staff meetings held by managers; quarterly town hall meetings conducted by senior management summarizing performance, announcing new hires, significant events, etc.; and a monthly local email. Organization charts are kept up to date and are available on the site's intranet. Several site leadership teams are established to ensure information is communicated to all colleagues. The Site Leader and his/her direct reports meet on a monthly basis, the finance management team meets on a weekly basis, the IT management team meets on a weekly basis, and several cross-divisional teams meet as needed.

11. Procedures should exist to ensure that the internal control policies and procedures are updated and reviewed by process owners and management, respectively, on a periodic basis. A group or individual should be identified as the owner of this updating and review process. What are the site's review procedures related to the documentation of internal controls? How does management update SOPs as processes change? Who is responsible for reviewing the SOPs related to the primary annual processes? Is there a local internal audit presence or a controls champion to ensure that policies and procedures are updated and accurate?

Process owners are responsible for documenting and making changes to the internal controls for their respective processes. Updates are required as soon as a significant change occurs. In addition, we ask process owners to review their documentation at least once a year to ensure even minor changes are properly reflected. Formal SOPs must be reviewed and approved via the site's established approval process. We do not have site internal auditors but have assigned a colleague to be our Internal Controls Champion. This colleague is responsible for ensuring we have the most current internal controls information as provided by Corporate Internal Audit. This person also helps with the preparation work before Corporate Internal Audit arrives for an audit.

12. An effectively operating control environment requires that the organization continually make available and disseminate updated information about its internal controls. What is the process for establishing, updating and disseminating changes to SOPs and other procedures? How does management ensure changes to SOPs are communicated and shared with the colleagues responsible for performing the procedures? Where are SOPs and other procedural documentation kept?

SOPs are initially drafted by the process owners and are reviewed and approved via the site's established approval process. Changes are made to existing SOPs as more efficient processes are identified through both internal and external resources. SOPs are communicated periodically via emails and through training. SOPs are maintained by the process owner, as well as on the site's local network.

13. A risk-assessment process should identify and consider the implications of relevant risks, at both the entity level and the activity level, on an annual basis. The risk-assessment process should consider external and internal factors that could impact achievement of the objectives. It should also analyze the risks and provide a basis for managing them. Factors external to the entity within its operating environment should also be considered. Explain how management performs its risk assessment process and how it manages risk.

A risk assessment process is performed and monitored on an ongoing basis. External risks are identified through changes in the operating environment, the political climate or the competitive environment. Internal risks are identified based on knowledge of the business processes and input from the process owners. The operating plan identifies potential internal and external risks and proposes how they will be addressed. As other risks are identified during the year, we ensure Corporate and local leaders are informed of all aspects of the risk. The most significant financial reporting related risks are documented in the Risk Control Matrices (RCMs). Within the RCMs, we have identified the controls in place to mitigate those risks.

14. Management must identify the principal drivers that affect its internal control environment. Documenting and communicating significant changes to these drivers (e.g., updated systems, significant transactions, or changes in volume or sales) increases the effectiveness of our risk assessment and audit process. Does management expect any significant system or business changes related to its annual primary processes during the next year? If so, how does management believe this will affect the internal controls related to its annual primary processes?

Management does not expect any significant system or business changes related to its annual primary processes during the next year.

OR

In Q3, the site will be replacing the current procurement system with Ariba. This represents a significant system change for the site. To ensure internal controls for both the migration and the new system are sound, management has documented detailed procedures addressing data conversion, validation, migration and testing. The site will also perform a post-implementation review.

15. Ensuring records are properly retained is an important aspect of Pfizer's commitment to transparency in its operations. Record retention is also required by several external regulatory agencies with which Pfizer must comply. How does management ensure records are retained in compliance with both Pfizer policy and external regulatory requirements?

Management encourages compliance with corporate record retention policies. For certain types of documentation, retention periods extend beyond corporate requirements due to local data retention regulations. All division leaders are made aware of the record retention policies via the local site's intranet and occasional reminder emails. Record retention policies are included in all new hire orientation binders.