Let's understand all three with an example of PURCHASE TO PAY (P2P):

 Purchase to Pay: P2P can be broken down into four main components;

1. Purchases: 

User department sends PR to manager for approval. After approval P.O is generated manually and then input into computer or may be raised directly by the computer system. 

{When an employee working in a specific department (i.e., marketing, operations, sales, etc.) wants to purchase something required for carrying out the job, he/she will submit a purchase Requisition (PR) to a manager for approval. Based on the approved PR a Purchase Order (PO) is raised. The PO    may be raised manually and then input into the computer system or raised directly by the computer system.

2. Goods Receipt:

PO is sent to vendor, vendor sends goods against PO, Receiving staff check delivery note, PO etc, check quality and quantity, GRN is raised either manually and entered into computer system or raised directly by computer system. 

{The PO is then sent to the vendor, who will deliver the goods as per the specifications mentioned in the PO. When the goods are received at the warehouse, the receiving staff checks the delivery note, PO number etc. and acknowledges the receipt of the material. Quantity and quality are checked and any unfit items are rejected and sent back to the vendor. A Goods Receipt Note (GRN) is raised indicating the quantity received. The GRN may be raised manually and then input into the computer system or raised directly by the computer system.}

3. Invoice Processing: 

Vendor sends invoice, AP enters invoice details into computer, vendor invoice is checked independently and also with GRN.

{The vendor sends the invoice to the accounts payable department who will input the details into the computer system. The vendor invoice is checked with the PO to ensure that only the goods ordered have been invoiced and at the negotiated price. Further the vendor invoice is checked with the GRN to ensure that the quantity ordered has been received.}

4. Payment: If there is no mismatch between the PO, GRN and vendor invoice, the payment is released to the vendor based on the credit period negotiated with the vendor.

Purchase Cycle – Sample Controls

Controls based on the mode of implementation: 

(i) Manual control

(ii) Automated control

(iii) Semi-automated control

Now see the control:

(i) Manual Control: Manually verify that the goods ordered in PO (A) are received (B) in good quality and the vendor invoice (C) reflects the quantity & price are as per the PO (A).

(ii) Automated Control: The above verification is done automatically by the computer system by comparing (D), (E) & (F) and exceptions highlighted.

(iii) Semi-Automated Control: Verification of Goods Receipt (E) with PO (D) could be automated but the vendor invoice matching could be done manually in a reconciliation process (G).

Importance of IT Controls

IT Control objectives;

“A statement of the desired result or purpose to be achieved by implementing control procedures within a particular IT activity” 

IT controls play very important role in providing clear policy and good practices for directing and monitoring performance of IT to achieve enterprise objectives. It’s the duty of management to devise a good control system.

IT Controls perform dual role:

(i) They enable enterprise to achieve objectives; and

(ii) They help in mitigating risks.

There are various issues which give birth to the need of IT controls like;

Need to control costs  

Remain competitive

Need for compliance with internal and external governance 

IT controls promote reliability and efficiency

To allow the organization to adapt to changing risk environments. 

To enhances the organization’s resiliency etc.


IT controls are subset of organization’s internal controls. It controls objectives are related to CIA (Confidentiality, Integrity and Availability) of data and overall management of IT functions of business enterprises.

It is of 2 types:

(a) IT General Controls (ITGC)

(b) Application Controls

(a) Information Technology General Controls (ITGC)

ITGC also known as Infrastructure Controls pervade across different layers of IT environment and information systems and apply to all systems, components, processes, and data for a given enterprise or systems environment.

General controls include, but are not limited to:


Some General controls:: Keeping CBS(Core banking system) in Mind::


Information Security Policy

The security policy is approved by the senior management and encompasses all areas of operations of bank and drives access to information across the enterprise and other stakeholders.


Administration, Access, and Authentication

IT should be administered with appropriate policies and procedures clearly defining the levels of access to information and authentication of users.



Separation of key IT functions

Bank should have separate IT organization structure with key demarcation of duties for different personnel within IT department and to ensure that there are no Segregation of Duties conflicts.


Management of Systems Acquisition and Implementation

Software solutions for CBS are most developed acquired and implemented. Hence, process of acquisition and implementation of systems should be properly controlled.


Change Management

As per changing compliance requirements, technology environment, and business processes etc. IT solutions should be deployed and changed on continuous basis with management approval.



Backup, Recovery and Business Continuity

Bank relies on IT heavily which makes it imperative to have appropriate BCP, backup, off-site data center and disaster recovery etc.



Proper Development and Implementation of Application Software

Development and implementation of solutions must be properly controlled by using standard software development process.



Confidentiality, Integrity and Availability of Software and data files

Security is implemented to ensure Confidentiality, Integrity and Availability of information.


Incident response and management

There may be various incidents created due to failure of IT. These incidents need to be appropriately responded and managed as per pre-defined policies and procedures.


Monitoring of Applications and supporting Servers

The Servers and applications running on them are monitored to ensure that servers, network connections and application software along with the interfaces are working continuously.


Value Add areas of Service Level Agreements (SLA)

SLA with vendors is regularly reviewed to ensure that the services are delivered as per specified performance parameters.


User training and qualification of Operations personnel

The personnel deployed have required competencies and skill-sets to operate and monitor the IT environment.

(c) Application Controls

            Application Controls are controls which are implemented in an application to prevent or detect and correct errors.
            These controls are in-built in the application software to ensure accurate and reliable processing.

            These are designed to ensure completeness, accuracy, authorization and validity of data capture and transaction processing.
Example: In banking, application software ensures automatic calculation of interest based on pre-defined rates, only transactions of the day are accepted by the system, Withdrawals are not allowed beyond limits, etc.
Request for DEMO Talk to Our Expert