Compliance Gap Analysis Template Sample Report (1)


Compliance Gap Analysis Template

1 Oct 2024 / Theodore Lebsack Complete

Score 15 / 17 (88.24%) Flagged items 11 Actions 2

Conducted on 01.10.2024 13:30 PST

Prepared by Theodore Lebsack

Location 2415 N Burdick St, Kalamazoo, MI 49007, USA (42.3157036, -85.58445019999999)

Flagged items & Actions 11 flagged, 2 actions

Flagged items 11 flagged, 0 actions

Regulatory/Compliance Requirements / Regulations / Regulations 1

Current Compliance Status Partially Compliant

Regulatory/Compliance Requirements / Regulations / Regulations 2

Current Compliance Status Non-Compliant

Regulatory/Compliance Requirements / Regulations / Regulations 3

Current Compliance Status Partially Compliant

Risk Management / Risks / Risks 1

Risk Impact High

Risk Management / Risks / Risks 1

Likelihood High

Risk Management / Risks / Risks 1

Priority High

Risk Management / Risks / Risks 2

Risk Impact High

Risk Management / Risks / Risks 2

Likelihood High

Risk Management / Risks / Risks 2

Priority High

Risk Management / Risks / Risks 3

Likelihood High

Risk Management / Risks / Risks 3

Priority High

Other actions 2 actions

Risk Management / Action Plan / Action Plan 1

Responsible Department/Person

Finance, Internal Audit

To do | Assignee: Latte Norwich | Priority: High | Due: 11.10.2024 12:00 PST | Created by:
SafetyCulture Staff

Comprehensive review of all controls

Hi Norwich, please make sure to forward your findings by our meeting next week.
Risk Management / Action Plan / Action Plan 3

Corrective Action

Enforce record retention policies with periodic audits of both physical and electronic records.

To do | Assignee: SafetyCulture Staff | Priority: High | Due: 04.10.2024 12:00 PST | Created
by: SafetyCulture Staff

Digitize files

Hi Admin Staff, please digitize the remaining files in the filing room.

Regulatory/Compliance Requirements 3 flagged, 0 / 2 (0%)
Regulations 3 flagged, 0 / 2 (0%)
Regulations 1 1 flagged, 0 / 1 (0%)

Requirements (Attach file if needed)

CEO/CFO must certify the accuracy of financial reports and internal controls over financial reporting (ICFR).

Source of Requirements (Regulation/Policy/Standard)

Sarbanes–Oxley Act Section 302

Relevant Department/s

Finance, Executive Management

Current Compliance Status Partially Compliant

Current State

The CFO certifies the accuracy of financial reports, but ICFR documentation is incomplete in some areas.

Required State

Full documentation of ICFR controls, including all critical reporting areas.


Regulations 2 1 flagged

Requirements (Attach file if needed)

Company must have internal controls for financial reporting, audited by an independent external auditor
and certified by management.

Source of Requirements (Regulation/Policy/Standard)

Sarbanes–Oxley Act Section 404

Relevant Department/s

Finance, Internal Audit

Current Compliance Status Non-Compliant

Current State

Internal audit department lacks a formal ICFR framework; external audit team identified deficiencies.

Required State

Establish a formal ICFR framework, and address deficiencies found in external audit.
Regulations 3 1 flagged, 0 / 1 (0%)

Requirements (Attach file if needed)

The company must retain all audit, financial, and electronic records for at least seven years.

Source of Requirements (Regulation/Policy/Standard)

Sarbanes–Oxley Act Section 802

Relevant Department/s

IT, Legal

Involve manpower from the Admin Team to do the scanning of physical documents

Current Compliance Status Partially Compliant

Current State

Records retention policy exists but lacks enforcement in the IT department; some electronic records are
missing.

Required State

Enforce stricter records retention policies, especially for digital files across all departments.

Risk Management 8 flagged, 2 actions, 12 / 12 (100%)
Risks 8 flagged, 9 / 9 (100%)
Risks 1 3 flagged, 3 / 3 (100%)

Compliance Gap

Incomplete internal control documentation: Financial reports may be inaccurate, leading to potential
restatements, penalties, and loss of investor trust.

Risk Impact High

Likelihood High

Priority High
Risks 2 3 flagged, 3 / 3 (100%)

Compliance Gap

Lack of formal ICFR framework: Inadequate oversight of financial reporting could result in undetected fraud
or material misstatements.

Risk Impact High

Likelihood High

Priority High
Risks 3 2 flagged, 3 / 3 (100%)

Compliance Gap

Missing electronic records: Missing records could lead to compliance violations, fines, and reputational
damage.

Risk Impact Medium

Likelihood High

Priority High
Action Plan 2 actions, 3 / 3 (100%)
Action Plan 1 1 action, 1 / 1 (100%)

Gap Identified

Incomplete internal control documentation.

Corrective Action

Conduct a comprehensive review of all internal controls and finalize documentation for all critical areas.

Responsible Department/Person

Finance, Internal Audit

To do | Assignee: Latte Norwich | Priority: High | Due: 11.10.2024 12:00 PST | Created by:
SafetyCulture Staff

Comprehensive review of all controls

Hi Norwich, please make sure to forward your findings by our meeting next week.

Status In Progress

Deadline for Resolution 11.10.2024 12:00 PST


Action Plan 2 1 / 1 (100%)

Gap Identified

Lack of formal ICFR framework.

Corrective Action

Implement a formal internal control over financial reporting (ICFR) framework and provide employee
training.

Responsible Department/Person

Internal Audit, Finance

Status Pending

Deadline for Resolution 30.10.2024 12:00 PST


Action Plan 3 1 action, 1 / 1 (100%)

Gap Identified

Missing electronic records of documents located in the filing room

Photo 1

Corrective Action

Enforce record retention policies with periodic audits of both physical and electronic records.

To do | Assignee: SafetyCulture Staff | Priority: High | Due: 04.10.2024 12:00 PST | Created
by: SafetyCulture Staff

Digitize files

Hi Admin Staff, please digitize the remaining files in the filing room.

Responsible Department/Person

IT, Legal

Status Pending

Deadline for Resolution 30.10.2024 12:00 PST

Monitoring and Review 3 / 3 (100%)
Compliance Tracking 3 / 3 (100%)
Compliance Tracking 1 1 / 1 (100%)

Monitoring Plan

Audits of internal controls and record-keeping by the Internal Audit team, with corrective actions
documented

Review Frequency Monthly


Compliance Tracking 2 1 / 1 (100%)

Monitoring Plan

External audit conducted annually to evaluate compliance with SOX Sections 302 and 404 requirements

Review Frequency Biannually


Compliance Tracking 3 1 / 1 (100%)

Monitoring Plan

IT department to conduct regular checks of electronic records to ensure compliance with retention policies.

Review Frequency Quarterly

Sign-off

Compliance Gap Analysis Template Reviewed By

Angelica Gaylord
18.10.2024 14:56 PST

Designation of the Reviewer

Chief Compliance Officer

Reviewer's Comment or Feedback

Hi Theo, thanks for working on this. Please see my detailed feedback and let's schedule a meeting to discuss
it further. Thanks
Compliance Gap Analysis Feedback.pdf

Date Reviewed 18.10.2024 14:30 PST

Media summary

Photo 1
File summary

Compliance Gap Analysis Feedback.pdf
