Purchase to Pay (P2P) can be broken down into four main components:
1. Purchases:
The user department sends a Purchase Requisition (PR) to a manager for approval. After approval a Purchase Order (PO) is generated, either manually and then entered into the computer system, or raised directly by the computer system.
{When an employee working in a specific department (i.e., marketing, operations, sales, etc.) wants to purchase something required for carrying out the job, he/she submits a Purchase Requisition (PR) to a manager for approval. Based on the approved PR a Purchase Order (PO) is raised. The PO may be raised manually and then input into the computer system, or raised directly by the computer system.}
2. Goods Receipt:
The PO is sent to the vendor, who delivers the goods against the PO. Receiving staff check the delivery note, the PO etc., and check quality and quantity. A Goods Receipt Note (GRN) is raised, either manually and then entered into the computer system, or directly by the computer system.
{The PO is then sent to the vendor, who delivers the goods as per the specifications in the PO. When the goods are received at the warehouse, the receiving staff check the delivery note, PO number etc. and acknowledge receipt of the material. Quantity and quality are checked, and any unfit items are rejected and sent back to the vendor. A Goods Receipt Note (GRN) is raised indicating the quantity received. The GRN may be raised manually and then input into the computer system, or raised directly by the computer system.}
3. Invoice Processing:
The vendor sends an invoice; accounts payable (AP) enters the invoice details into the computer system, and the vendor invoice is checked independently against the PO and also against the GRN.
{The vendor sends the invoice to the accounts payable department, which inputs the details into the computer system. The vendor invoice is checked against the PO to ensure that only the goods ordered have been invoiced, and at the negotiated price. Further, the vendor invoice is checked against the GRN to ensure that the quantity invoiced has actually been received.}
4. Payment: If there is no mismatch among the PO, GRN and vendor invoice, payment is released to the vendor in accordance with the credit period negotiated with the vendor.
Purchase Cycle – Sample Controls
Controls based on the mode of implementation:
(i) Manual control
(ii) Automated control
(iii) Semi-automated control
Applied to the purchase cycle, the three modes look like this:
(i) Manual Control: Manually verify that the goods ordered in the PO (A) have been received (B) in good quality, and that the vendor invoice (C) reflects the quantity and price agreed in the PO (A).
(ii) Automated Control: The same verification is performed by the computer system, which compares the PO (D), the GRN (E) and the vendor invoice (F) and highlights any exceptions.
(iii) Semi-Automated Control: Matching the Goods Receipt (E) against the PO (D) could be automated, while the vendor invoice matching is done manually in a reconciliation process (G).
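The automated and semi-automated controls above can be made concrete. The Python below is an added example written for this page; it is not code from the original page or from any CBS/ERP product, and the record layouts, item codes, document numbers and amounts are constructed sample data. It implements the three-way match described in steps 3 and 4 (invoice checked against the PO for items and price, against the GRN for quantity received, and the PO checked against the GRN for unordered or excess receipts), returns the exceptions the automated control (ii) would highlight, and builds the side-by-side worksheet a reviewer would use in the reconciliation process (G) of the semi-automated control (iii).

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Line:
    qty: int
    unit_price: Decimal


@dataclass
class PurchaseOrder:
    po_no: str
    vendor: str
    lines: dict        # item code -> Line(qty ordered, negotiated price)


@dataclass
class GoodsReceipt:
    grn_no: str
    po_no: str
    accepted: dict     # item code -> qty accepted (rejected units already excluded)


@dataclass
class VendorInvoice:
    inv_no: str
    po_no: str
    vendor: str
    lines: dict        # item code -> Line(qty billed, unit price billed)


def match_po_grn(po, grn):
    """PO vs GRN (D vs E): nothing received that was not ordered, and not more than ordered."""
    if grn.po_no != po.po_no:
        return [f"{grn.grn_no} references {grn.po_no}, not {po.po_no}"]
    exceptions = []
    for item, qty in grn.accepted.items():
        ordered = po.lines.get(item)
        if ordered is None:
            exceptions.append(f"{item}: received {qty} but not on {po.po_no}")
        elif qty > ordered.qty:
            exceptions.append(f"{item}: received {qty}, ordered {ordered.qty}")
    return exceptions


def match_invoice(po, grn, inv):
    """Invoice vs PO and GRN (F vs D, E): only ordered goods, at the PO price,
    and no more units than were accepted on the GRN. Price equality is strict
    here; a tolerance band would be a design choice not described on the page."""
    if inv.po_no != po.po_no:
        return [f"{inv.inv_no} references {inv.po_no}, not {po.po_no}"]
    exceptions = []
    if inv.vendor != po.vendor:
        exceptions.append(f"{inv.inv_no}: vendor {inv.vendor!r} differs from PO vendor {po.vendor!r}")
    for item, billed in inv.lines.items():
        ordered = po.lines.get(item)
        if ordered is None:
            exceptions.append(f"{item}: invoiced but not on {po.po_no}")
            continue
        if billed.unit_price != ordered.unit_price:
            exceptions.append(f"{item}: invoiced at {billed.unit_price}, PO price {ordered.unit_price}")
        received = grn.accepted.get(item, 0)
        if billed.qty > received:
            exceptions.append(f"{item}: invoiced {billed.qty}, accepted on GRN {received}")
    return exceptions


def three_way_match(po, grn, inv):
    """Automated control (ii): payment may be released only when no exception is raised."""
    exceptions = match_po_grn(po, grn) + match_invoice(po, grn, inv)
    return not exceptions, exceptions


def reconciliation_worksheet(po, grn, inv):
    """Semi-automated control (iii): PO-vs-GRN runs automatically; the invoice is laid
    out line by line for manual reconciliation (G). Returns (auto_exceptions, rows),
    each row = (item, ordered, po_price, accepted, invoiced, inv_price)."""
    rows = []
    for item in sorted(set(po.lines) | set(grn.accepted) | set(inv.lines)):
        o, b = po.lines.get(item), inv.lines.get(item)
        rows.append((item, o.qty if o else 0, o.unit_price if o else None,
                     grn.accepted.get(item, 0), b.qty if b else 0, b.unit_price if b else None))
    return match_po_grn(po, grn), rows


# Constructed sample documents (not from the page): one toner unit was rejected
# at receipt, and the vendor bills all five at a higher price than negotiated.
SAMPLE_PO = PurchaseOrder("PO-1001", "Acme Stationery", {
    "A4-PAPER": Line(100, Decimal("250.00")), "TONER-X": Line(5, Decimal("4200.00"))})
SAMPLE_GRN = GoodsReceipt("GRN-7781", "PO-1001", {"A4-PAPER": 100, "TONER-X": 4})
SAMPLE_INVOICE = VendorInvoice("INV-55", "PO-1001", "Acme Stationery", {
    "A4-PAPER": Line(100, Decimal("250.00")), "TONER-X": Line(5, Decimal("4500.00"))})
CLEAN_INVOICE = VendorInvoice("INV-56", "PO-1001", "Acme Stationery", {
    "A4-PAPER": Line(100, Decimal("250.00")), "TONER-X": Line(4, Decimal("4200.00"))})

if __name__ == "__main__":
    release, exceptions = three_way_match(SAMPLE_PO, SAMPLE_GRN, SAMPLE_INVOICE)
    print("release payment:", release)
    for e in exceptions:
        print("  exception:", e)
```

Two design points worth noticing: the GRN carries accepted quantities only, so units rejected at the warehouse can never become payable, and the invoice is compared to the GRN rather than to the PO for quantity, which is what stops a vendor from being paid for goods ordered but never delivered.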
IT Control objectives:
"A statement of the desired result or purpose to be achieved by implementing control procedures within a particular IT activity."
IT controls play a very important role in providing clear policy and good practices for directing and monitoring the performance of IT to achieve enterprise objectives. It is management's duty to devise a good control system. IT controls serve two purposes:
(i) They enable the enterprise to achieve its objectives; and
(ii) They help in mitigating risks.
Various issues give rise to the need for IT controls:
The need to control costs
The need to remain competitive
The need for compliance with internal and external governance
The need for reliability and efficiency, which IT controls promote
The need to adapt to changing risk environments
The need to enhance the organization's resiliency, etc.
APPLYING IT CONTROLS
IT controls are a subset of the organization's internal controls. IT control objectives relate to the CIA (Confidentiality, Integrity and Availability) of data and to the overall management of the IT functions of the business enterprise.
IT controls are of two types:
(a) IT General Controls (ITGC)
(b) Application Controls
(a) Information Technology General Controls (ITGC)
ITGC, also known as Infrastructure Controls, pervade the different layers of the IT environment and information systems, and apply to all systems, components, processes and data for a given enterprise or systems environment.
General controls include, but are not limited to, the following. The table lists some general controls with a Core Banking System (CBS) in mind:
No. | General control | Description
(i) | Information Security Policy | The security policy is approved by senior management, encompasses all areas of the bank's operations and drives access to information across the enterprise and by other stakeholders.
(ii) | Administration, Access and Authentication | IT should be administered with appropriate policies and procedures that clearly define the levels of access to information and the authentication of users.
(iii) | Separation of key IT functions | The bank should have a separate IT organization structure with clear demarcation of duties between different personnel within the IT department, so that there are no Segregation of Duties conflicts.
(iv) | Management of Systems Acquisition and Implementation | Software solutions for a CBS are mostly acquired and then implemented. Hence, the process of acquisition and implementation of systems should be properly controlled.
(v) | Change Management | As compliance requirements, the technology environment, business processes etc. change, IT solutions have to be deployed and changed on a continuous basis, with management approval.
(vi) | Backup, Recovery and Business Continuity | The bank relies heavily on IT, which makes it imperative to have an appropriate BCP, backups, an off-site data center, disaster recovery etc.
(vii) | Proper Development and Implementation of Application Software | Development and implementation of solutions must be properly controlled by using a standard software development process.
(viii) | Confidentiality, Integrity and Availability of Software and data files | Security is implemented to ensure the Confidentiality, Integrity and Availability of information.
(ix) | Incident response and management | Various incidents may arise from failures of IT. These incidents need to be responded to and managed as per pre-defined policies and procedures.
(x) | Monitoring of Applications and supporting Servers | The servers and the applications running on them are monitored to ensure that servers, network connections and application software, along with their interfaces, are working continuously.
(xi) | Value-add areas of Service Level Agreements (SLA) | SLAs with vendors are reviewed regularly to ensure that services are delivered as per the specified performance parameters.
(xii) | User training and qualification of Operations personnel | The personnel deployed have the required competencies and skill-sets to operate and monitor the IT environment.
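Control (iii) in the table, "no Segregation of Duties conflicts", is something that can be checked against the actual access data rather than asserted in a policy. The Python below is an added example for this page, not code from the page or from any bank's CBS: the duty names follow the P2P steps described earlier (raise and approve PR, raise PO, post GRN, enter invoice, release payment), while the conflict pairs, the role definitions and the user assignments are constructed assumptions for illustration. It resolves each user's effective duties through the roles they hold, reports every user who ends up with both halves of a conflicting pair, and separately reports roles that are conflicting by design, which have to be fixed at the role level rather than user by user.

```python
# Conflicting duty pairs for the P2P cycle. Illustrative assumption, not a
# list from the page: each pair lets one person both create and approve, or
# order and receive, or bill and pay, without a second person in the loop.
CONFLICTS = {
    frozenset({"raise_pr", "approve_pr"}),
    frozenset({"raise_po", "post_grn"}),
    frozenset({"raise_po", "release_payment"}),
    frozenset({"post_grn", "enter_invoice"}),
    frozenset({"enter_invoice", "release_payment"}),
}

# Constructed sample access data: roles grant duties, users hold roles.
ROLE_DUTIES = {
    "buyer": {"raise_pr", "raise_po"},
    "dept_manager": {"approve_pr"},
    "stores": {"post_grn"},
    "ap_clerk": {"enter_invoice"},
    "ap_supervisor": {"release_payment"},
    "ap_superuser": {"enter_invoice", "release_payment"},  # conflicting by design
}

USER_ROLES = {
    "anita": {"buyer"},
    "bala": {"dept_manager"},
    "chitra": {"stores"},
    "dev": {"ap_clerk"},
    "esha": {"ap_supervisor"},
    "farid": {"buyer", "stores"},   # can raise a PO and receive against it
    "gopal": {"ap_superuser"},      # one role grants both halves of a pair
}


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of the duties granted by every role the user holds."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties


def sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """Sorted (user, duty_a, duty_b) triples for every user holding a conflicting pair."""
    found = []
    for user in user_roles:
        duties = effective_duties(user, user_roles, role_duties)
        for pair in conflicts:
            if pair <= duties:
                a, b = sorted(pair)
                found.append((user, a, b))
    return sorted(found)


def conflicting_roles(role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """Roles whose own duty set already contains a conflicting pair."""
    return sorted(r for r, d in role_duties.items() if any(p <= d for p in conflicts))


if __name__ == "__main__":
    for user, a, b in sod_violations():
        print(f"SoD conflict: {user} holds both {a} and {b}")
    print("roles conflicting by design:", conflicting_roles())
```

Run periodically against an export of the user and role tables, the same check doubles as a monitoring control: a new violation appearing between two runs points at an access change that bypassed the approval step.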