Business Processes - Risks and Controls
Suitable controls must be implemented to meet the requirements of the control objectives. These controls can be manual, automated or semi-automated, provided the risk is mitigated.
Based on the scenario, the controls can be preventive, detective or corrective.
Levels of control check:
In computer systems, controls should be checked at three levels:
1. Configuration
2. Master
3. Transaction level
1. Configuration
Configuration refers to the way a software system is set up. It is the methodical process of defining the options that are provided.
When any software is installed, values for various parameters should be set up (configured) as per the policies, business process workflow and business process rules of the enterprise.
The various modules of the enterprise, such as Purchase, Sales, Inventory, Finance and User Access, have to be configured.
Configuration defines how the software will function and what menu options are displayed.
Examples:
Mapping of accounts to front-end transactions like purchase and sales
Control on parameters: creation of Customer Type, Vendor Type, year-end process
User activation and deactivation
User access and privileges: configuration and its management
Password management
2. Masters
Masters refer to the way various parameters are set up for all modules of software, such as Purchase, Sales, Inventory and Finance. These drive how the software will process relevant transactions.
The masters are set up for the first time during installation and are changed whenever the business process rules or parameters change.
Any changes to these data have to be authorized by appropriate personnel, and they are logged and captured in exception reports.
The way masters are set up will drive the way the software processes transactions of that type.
For example: The Customer Master will have the credit limit of the customer. When an invoice is raised, the system checks it against the approved credit limit. If the amount invoiced is within the credit limit, the invoice is created; if not, the invoice is put on 'credit hold' till proper approvals are obtained.
Examples:
Vendor Master: Credit period, vendor bank account details, etc.
Customer Master: Credit limit, Bill to address, Ship to address, etc.
Material Master: Material type, Material description, Unit of measure, etc.
Employee Master: Employee name, designation, salary details, etc.
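The master-level and transaction-level controls described above (authorized and logged master changes, and the credit-limit check that places an invoice on credit hold), sketched in Python as an added example; it is not part of the original material or of any particular ERP product. The class names and user names are hypothetical, and two rules are assumptions: open invoices count toward the limit, and the approver must be someone other than the requester.

```python
from dataclasses import dataclass, field

APPROVERS = {"credit_manager"}  # hypothetical: users allowed to approve

@dataclass
class Customer:                 # one Customer Master record
    credit_limit: float
    outstanding: float = 0.0    # assumption: open invoices count toward the limit

@dataclass
class Books:
    customers: dict = field(default_factory=dict)
    change_log: list = field(default_factory=list)  # every master change attempt
    invoices: list = field(default_factory=list)

    def change_credit_limit(self, cust_id, new_limit, requested_by, approved_by):
        # Master-level control: apply only with approval from an authorized
        # user other than the requester (the second condition is an assumption).
        cust = self.customers[cust_id]
        ok = approved_by in APPROVERS and approved_by != requested_by
        self.change_log.append({"customer": cust_id, "old": cust.credit_limit,
                                "new": new_limit, "requested_by": requested_by,
                                "approved_by": approved_by, "applied": ok})
        if ok:
            cust.credit_limit = new_limit
        return ok

    def raise_invoice(self, cust_id, amount):
        # Transaction-level control: the master's credit limit drives processing.
        cust = self.customers[cust_id]
        within = cust.outstanding + amount <= cust.credit_limit
        self.invoices.append({"customer": cust_id, "amount": amount,
                              "status": "CREATED" if within else "CREDIT_HOLD"})
        if within:
            cust.outstanding += amount
        return len(self.invoices) - 1          # index of the new invoice

    def release_hold(self, inv_no, approved_by):
        # A held invoice is created only once an authorized user approves it.
        inv = self.invoices[inv_no]
        if inv["status"] != "CREDIT_HOLD" or approved_by not in APPROVERS:
            return False
        inv["status"] = "CREATED"
        self.customers[inv["customer"]].outstanding += inv["amount"]
        return True

    def exception_report(self):
        # Change attempts that lacked valid approval, for management review.
        return [c for c in self.change_log if not c["applied"]]
```

The rejected attempts stay in `change_log`, so a reviewer sees who tried to raise a limit without approval as well as the changes that went through.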
3. Transactions
Transactions refer to the actual transactions entered through menus and functions in the application software, through which all transactions for specific modules are initiated, authorized or approved.
For example:
Sales transactions
Purchase transactions
Stock transfer transactions
Journal entries
Payment transactions
An illustrative checklist of risks and controls for some business processes is given below.
[Students are advised to use charts while dealing with this checklist of risks and controls for various business processes. In your syllabus there are six processes mentioned in this chapter; however, there are other processes as well, which are dealt with in other chapters. While using the charts, follow the instructions mentioned there. Charts are included in the Master chart book.]
1. Procure to Pay (P2P) – Risks and Controls
Procure to Pay (Purchase to Pay or P2P) is the process of obtaining and managing the raw materials needed for manufacturing a product or providing a service.
Masters
Risks and Control Objectives (Masters-P2P)
| No. | Risk | Control Objective |
|---|---|---|
| 1 | Unauthorized changes to supplier master file. | Only valid changes are made to the supplier master file. |
| 2 | All valid changes to the supplier master file are not input and processed. | All valid changes to the supplier master file are input and processed. |
| 3 | Changes to the supplier master file are not correct. | Change to the supplier master file is accurate. |
| 4 | Changes to the supplier master file are delayed and not processed in a timely manner. | Changes to the supplier master file are processed in a timely manner. |
| 5 | Supplier master file data is not up to date. | Supplier master file data remain up to date. |
| 6 | System access to maintain vendor masters has not been restricted to the authorized users. | System access to maintain vendor masters has been restricted to the authorized users. |
Transactions:
Risks and Control Objectives (Transactions-P2P)
| No. | Risk | Control Objective |
|---|---|---|
| 1 | Unauthorized requisitions are ordered. | Purchase orders are placed only for approved requisitions. |
| 2 | Purchase orders are not entered correctly in the system. | Purchase orders are accurately entered. |
| 3 | Purchase orders issued are not input and processed. | All purchase orders issued are input and processed. |
| 4 | Amounts are posted in accounts payable for goods or services not received. | Amounts posted to accounts payable represent goods or services received. |
| 5 | Amounts posted to accounts payable are not properly calculated and recorded. | Accounts payable amounts are accurately calculated and recorded. |
| 6 | Amounts for goods or services received are not input and processed in accounts payable. | All amounts for goods or services received are input and processed to accounts payable. |
| 7 | Amounts for goods or services received are recorded in the wrong period. | Amounts for goods or services received are recorded in the appropriate period. |
| 8 | Accounts payable amounts are adjusted based on unacceptable reasons. | Accounts payable are adjusted only for valid reasons. |
| 9 | Credit notes and other adjustments are recorded in the wrong period. | Credit notes and other adjustments are recorded in the appropriate period. |
| 10 | Disbursements are made for goods and services that have not been received. | Disbursements are made only for goods and services received. |
| 11 | Disbursements are not accurately calculated and recorded. | Disbursements are accurately calculated and recorded. |
| 12 | All disbursements are not recorded. | All disbursements are recorded. |
| 13 | Disbursements are recorded for an inappropriate period. | Disbursements are recorded in the period in which they are issued. |
| 14 | System access to process transactions has not been restricted to the authorized users. | System access to process transactions has been restricted to the authorized users. |
2. Order to Cash (O2C) – Risks and Controls
Order to Cash (OTC or O2C) is a set of business processes that involve receiving and fulfilling customer requests for goods or services.
An order to cash cycle consists of multiple sub-processes including:
1. Customer order: Customer order is documented;
2. Order fulfilment: Order is fulfilled or service is scheduled;
3. Delivery note: Order is shipped to customer or service is performed;
4. Invoicing: Invoice is created and sent to customer;
5. Collections: Customer sends payment/collection; and
6. Accounting: Payment is recorded in general ledger.
Masters
Risks and Control Objectives (Masters-O2C)
| No. | Risk | Control Objective |
|---|---|---|
| 1 | The customer master file is not maintained properly and the information is not accurate. | The customer master file is maintained properly and the information is accurate. |
| 2 | Invalid changes are made to the customer master file. | Only valid changes are made to the customer master file. |
| 3 | All valid changes to the customer master file are not input and processed. | All valid changes to the customer master file are input and processed. |
| 4 | Changes to the customer master file are not accurate. | Changes to the customer master file are accurate. |
| 5 | Changes to the customer master file are not processed in a timely manner. | Changes to the customer master file are processed in a timely manner. |
| 6 | Customer master file data is not up-to-date and relevant. | Customer master file data is up to date and relevant. |
| 7 | System access to maintain customer masters has not been restricted to the authorized users. | System access to maintain customer masters has been restricted to the authorized users. |
Transactions
Risks and Control Objectives (Transactions-O2C)
| No. | Risk | Control Objective |
|---|---|---|
| 1 | Orders are processed exceeding customer credit limits without approvals. | Orders are processed only within approved customer credit limits. |
| 2 | Orders are not approved by management as to prices and terms of sale. | Orders are approved by management as to prices and terms of sale. |
| 3 | Orders and cancellations of orders are not input accurately. | Orders and cancellations of orders are input accurately. |
| 4 | Order entry data are not transferred completely and accurately to the shipping and invoicing activities. | Order entry data are transferred completely and accurately to the shipping and invoicing activities. |
| 5 | All orders received from customers are not input and processed. | All orders received from customers are input and processed. |
| 6 | Invalid & unauthorized orders are input and processed. | Only valid & authorized orders are input and processed. |
| 7 | Invoices are generated using unauthorized terms and prices. | Invoices are generated using authorized terms and prices. |
| 8 | Credit notes and adjustments to accounts receivable are not accurately calculated and recorded. | Credit notes and adjustments to accounts receivable are accurately calculated and recorded. |
| 9 | Goods shipped are not invoiced. | All goods shipped are invoiced. |
| 10 | Credit notes for all goods returned and adjustments to accounts receivable are not issued in accordance with organization policy. | Credit notes for all goods returned and adjustments to accounts receivable are issued in accordance with organization policy. |
| 11 | Invoices are raised for invalid shipments. | Invoices relate to valid shipments. |
| 12 | Credit notes do not pertain to a return of goods or other valid adjustments. | All credit notes relate to a return of goods or other valid adjustments. |
| 13 | Invoices are not recorded in the system. | All invoices issued are recorded. |
| 14 | Credit notes issued are not recorded in the system. | All credit notes issued are recorded. |
| 15 | Invoices are recorded in the wrong period. | Invoices are recorded in the appropriate period. |
| 16 | Credit notes are recorded in the wrong period. | Credit notes issued are recorded in the appropriate period. |
| 17 | Cash receipts are not recorded in the period in which they are received. | Cash receipts are recorded in the period in which they are received. |
| 18 | Cash receipts data are not entered correctly. | Cash receipts data are entered for processing accurately. |
| 19 | Cash receipts data are not valid and are not entered in the system for processing more than once. | Cash receipts data are valid and are entered for processing only once. |
| 20 | Cash discounts are not accurately calculated and recorded. | Cash discounts are accurately calculated and recorded. |
| 21 | Collection of accounts receivable is delayed and not properly monitored. | Timely collection of accounts receivable is monitored. |
| 22 | System access to process transactions has not been restricted to the authorized users. | System access to process transactions has been restricted to the authorized users. |