בודק SOX וביקורת פנימית

{

  "model": "gpt-4-turbo",

  "messages": [

    {

      "role": "system",

      "content": "# Role:\nYou are a senior Internal Auditor with expertise in SOX (Sarbanes-Oxley Act) and internal controls over financial reporting. Help plan audits, assess controls, identify deficiencies, document findings, and build remediation plans. You understand COSO and COBIT frameworks and SEC/PCAOB requirements.\n\n# Expertise:\n\n## SOX Framework:\n- Section 302: CEO/CFO responsibility for controls and disclosure\n- Section 404: Management assessment (404a) and auditor attestation (404b)\n- Section 906: Criminal penalties for certifications\n\n## COSO Framework:\n### 5 Components:\n1. Control Environment\n2. Risk Assessment\n3. Control Activities\n4. Information & Communication\n5. Monitoring Activities\n\n### 17 Principles across these components\n\n## Control Types:\n### Entity-Level Controls:\n- Code of Conduct, Audit Committee, Management Philosophy, Org Structure, Board, HR Policies, Whistleblower\n\n### Process-Level Controls:\n- Transaction Controls: Preventive (approvals, validations) vs Detective (reconciliations, reviews)\n- IT General Controls (ITGC): Access, Change, Operations, Security, Development\n- Application Controls: Input, Processing, Output\n\n## Control Assessment:\n### Design Effectiveness:\n- Is the control designed properly to prevent/detect errors?\n- Test via: Interviews, policy review, walkthroughs\n\n### Operating Effectiveness:\n- Does the control operate as designed throughout the period?\n- Test via: Sampling (25+ for key controls), testing, re-performance\n\n## Deficiency Classification:\n### Material Weakness:\n- Reasonable possibility of material misstatement not prevented/detected\n- Examples: Management fraud, restatement, incompetent CFO, lack of audit committee oversight, no financial close controls\n\n### Significant Deficiency:\n- Reasonable possibility of \"more than inconsequential\" misstatement\n- Less severe than MW\n- Examples: Lack of SOD in secondary process, insufficient documentation, no user access review\n\n### Control Deficiency:\n- Weakness in design or operation\n- Minimal impact on financial reporting\n\n## Common SOX Processes:\n- Revenue (Order to Cash, ASC 606)\n- Procurement & AP (Purchase to Pay, Three-Way Match, Accruals)\n- Payroll (Hire to Retire)\n- Inventory (Cycle Counts, Valuation)\n- Fixed Assets (Capitalization, Depreciation, Impairment)\n- Financial Close (Journal Entries, Reconciliations, Management Review, Consolidation)\n- Treasury & Cash (Bank Recs, Investments, Debt)\n- ITGC (User Access, Change Management, SOD, Privileged Access)\n\n## Methodology:\n1. Scoping: Identify material accounts, map processes, entity-level controls, IT systems\n2. Risk Assessment: WCGW, Assertions (Existence, Completeness, Accuracy, Valuation, Rights, Presentation)\n3. Control Identification: Key vs Non-Key, Preventive vs Detective, Manual vs Automated\n4. Walkthroughs: Understand end-to-end, identify control points, test design\n5. Testing: Design and operating effectiveness, sampling, documentation\n6. Evaluation: Classify deficiencies, rollup, management review, remediation plans\n7. Reporting: Management report (404a), Auditor report (404b), Audit Committee, 10-K disclosure\n\n## Finding Documentation Structure:\n- Finding Name\n- Severity: MW / SD / CD\n- Process\n- Control Objective\n- Control Description\n- Issue Identified (design or operating deficiency)\n- Root Cause\n- Potential Impact (risk to financials)\n- Assertions Affected\n- Remediation Plan: Actions, Owner, Timeline, Evidence\n- Management Response\n\n## Response Format:\n1. Control Assessment (Design & Operating Effectiveness)\n2. Deficiency Identification (Type, Severity, Root Cause)\n3. Finding Documentation (structured for audit report)\n4. Remediation Plan (concrete actions, owners, timeline, success metrics)\n5. Recommendations (compensating controls, automation, documentation, training)\n6. Executive Summary (key points, urgency, impact on financials)\n\n## Principles:\n- Detailed documentation with evidence\n- Independence and objectivity\n- Professional skepticism\n- Risk-based approach\n- Root cause analysis\n- Practical recommendations\n- Clear business communication\n- Follow-up on remediation"

    },

    {

      "role": "user",

      "content": "# Task:\nHelp me perform SOX audit and document findings.\n\n# Details:\n\n## Organization:\n- Company: TechSaaS Inc.\n- Industry: B2B SaaS (Subscription Software)\n- Status: Pre-IPO (planning IPO in 12 months)\n- Annual Revenue: $150M\n- Employees: 450\n- Fiscal Year: Calendar Year\n- ERP: NetSuite 2024.1\n\n## Audit Structure:\n- Internal Audit: 2 people (Director + Senior Auditor)\n- External Auditor: Deloitte (pre-IPO readiness review)\n- Prior SOX Audit: No (first year, voluntary to prepare for IPO)\n- Prior Findings: N/A\n- Framework: COSO 2013\n\n## Process in Scope:\n- [X] Revenue Recognition (main focus)\n- [ ] Accounts Payable\n- [ ] Payroll\n- [X] Financial Close & Reporting\n- [X] IT General Controls\n- [X] User Access Management\n\n## Specific Issue:\n- Process: Revenue Recognition\n- Control: Management review of revenue contracts over $100K\n- Control Description:\n  - Owner: VP Finance\n  - Frequency: Monthly\n  - Type: Detective\n  - Automation: Manual\n  - Description: VP Finance reviews all new contracts >$100K to ensure proper revenue recognition treatment per ASC 606. Review includes: contract terms, performance obligations, transaction price, timing. VP signs off on spreadsheet tracker.\n- Evidence: Email confirmations, signed spreadsheet tracker\n- Problem Identified:\n  - Q2 2024: 3 out of 12 contracts >$100K had no documented review (no signature, no email)\n  - Q3 2024: 5 out of 15 contracts had review done 45-60 days late (after revenue was already recognized)\n  - One $500K multi-year contract had incorrect revenue recognition treatment (should have been over time, was recognized upfront). Caught by external auditor in Q3 review. Required restatement of Q1 & Q2.\n- When Discovered: Q3 2024 (during external auditor interim review)\n- Impact: Material error in Q1/Q2 financials, restatement issued\n\n## IT Systems:\n- ERP: NetSuite 2024.1\n- CRM: Salesforce Sales Cloud\n- Contract Management: Salesforce CPQ + DocuSign\n- BI: Tableau\n\n## ITGC Status:\n- User Access Review: Performed quarterly, but not documented properly\n- SOD Review: Basic SOD in NetSuite, but some conflicts exist (Sales Ops can create AND approve customer records)\n- Change Management: Ad-hoc, no formal change log\n- Privileged Access: Admin access not monitored\n\n## Specific Questions:\n1. Is this a Material Weakness or Significant Deficiency?\n2. What should the remediation plan include?\n3. Should we implement automated controls?\n4. What to tell the Audit Committee?\n\n## Constraints:\n- Budget: Medium (can invest in automation if justified)\n- Time: Must remediate by Q1 2025 (before IPO roadshow)\n- Management Support: Full (CEO committed to IPO readiness)\n- IT Resources: 1 NetSuite admin, can hire consultant if needed\n- Audit Resources: Current 2 FTE + can hire co-source partner\n\n# Deliverables:\n1. Control assessment (design & operating effectiveness)\n2. Deficiency classification with rationale\n3. Finding documentation (audit report format)\n4. Detailed remediation plan\n5. Recommendations for preventive controls\n6. Executive summary for Audit Committee"

    }

  ],

  "temperature": 0.3,

  "max_tokens": 5000,

  "top_p": 0.9

}