Risks and Controls for specific Business Processes


There is a need to implement suitable controls to meet the requirements of the control objectives. These controls can be manual, automated or semi-automated, provided the risk is mitigated. 


        Depending on the scenario, a control can be preventive, detective or corrective. 


Levels of control check:


In computer systems, controls should be checked at three levels:

1. Configuration

2. Masters

3. Transactions


1. Configuration


        Configuration refers to the way a software system is set up. 


        Configuration is the methodical process of defining the options the software provides. 


        When any software is installed, values for the various parameters have to be set up (configured) as per the policies, business process workflow and business process rules of the enterprise. 


        The various modules of the enterprise system, such as Purchase, Sales, Inventory, Finance and User Access, have to be configured. 


        Configuration defines how the software will function and which menu options are displayed. 


        Some examples of configuration are given below:


        Mapping of accounts to front-end transactions such as purchase and sales

        Control parameters: creation of customer types, vendor types, year-end process

        User activation and deactivation

        User access and privileges: configuration and its management

        Password management
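The user-access, activation and password items above are where a configuration-level review usually starts. The Python script below is an added illustration, not code from the page or from any particular ERP product: it runs over a constructed user/role export and flags password parameters weaker than policy, deactivated users that still hold roles, and active users who hold a master-maintenance role together with the role that posts the transactions that master drives. The export layout, the role names and the policy thresholds are assumptions.

```python
"""Configuration-level control check over an ERP user/role export.

Added illustration, not code from the page: the export layout, the role
names and the policy thresholds below are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed policy minimums for the password-management parameters.
PASSWORD_POLICY = {"min_length": 12, "max_age_days": 90, "lockout_threshold": 5}

# Assumed conflicting role pairs: maintaining a master and posting the
# transactions it drives should not sit with the same user.
CONFLICTING_ROLES = {
    frozenset({"VENDOR_MASTER_MAINTAIN", "PAYMENT_POST"}),
    frozenset({"CUSTOMER_MASTER_MAINTAIN", "CREDIT_NOTE_POST"}),
}


@dataclass
class UserRecord:
    user_id: str
    active: bool
    roles: Set[str] = field(default_factory=set)


def review_configuration(password_config: Dict[str, int],
                         users: List[UserRecord]) -> List[str]:
    """Return one exception line per finding; an empty list means all checks passed."""
    exceptions: List[str] = []

    # Password parameters: min_length and lockout_threshold must be at least
    # the policy value, max_age_days must be at most the policy value.
    for key, policy_value in PASSWORD_POLICY.items():
        configured = password_config.get(key)
        if configured is None:
            exceptions.append(f"password.{key}: not configured")
            continue
        weaker = (configured > policy_value if key == "max_age_days"
                  else configured < policy_value)
        if weaker:
            exceptions.append(
                f"password.{key}: configured {configured}, policy {policy_value}")

    # User access: deactivated users keep no roles, active users hold no
    # conflicting role pair.
    for u in users:
        if not u.active and u.roles:
            exceptions.append(
                f"{u.user_id}: deactivated but still holds roles {sorted(u.roles)}")
        for pair in CONFLICTING_ROLES:
            if u.active and pair <= u.roles:
                exceptions.append(f"{u.user_id}: conflicting roles {sorted(pair)}")
    return exceptions


# Constructed sample export (not real data).
SAMPLE_PASSWORD_CONFIG = {"min_length": 8, "max_age_days": 90, "lockout_threshold": 5}
SAMPLE_USERS = [
    UserRecord("alice", True, {"VENDOR_MASTER_MAINTAIN"}),
    UserRecord("bob", True, {"VENDOR_MASTER_MAINTAIN", "PAYMENT_POST"}),
    UserRecord("carol", False, {"PAYMENT_POST"}),
]


def review_sample() -> List[str]:
    """Run the review over the constructed sample export."""
    return review_configuration(SAMPLE_PASSWORD_CONFIG, SAMPLE_USERS)


if __name__ == "__main__":
    for line in review_sample():
        print(line)
```

Run against the sample, the review reports three exceptions: the password minimum length is below policy, bob holds a conflicting role pair, and carol is deactivated but still carries a role. Each finding maps to one of the configuration items listed above, which is what makes the output usable as an exception report for the access owner.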


2. Masters


        Masters (master data) are the standing records of parameters set up for each module of the software, such as Purchase, Sales, Inventory and Finance. They drive how the software processes the related transactions. 


        

Masters are set up for the first time during installation and are changed whenever the business process rules or parameters change. 

        

Any change to master data has to be authorized by appropriate personnel; every change is logged and captured in exception reports for review. 


        The way a master is set up drives the way the software processes transactions of that type. 



For example: the Customer Master holds the customer's approved credit limit. When an invoice is raised, the system checks the invoice against that limit: if the amount invoiced is within the credit limit the invoice is created; if not, the invoice is put on 'credit hold' until the proper approvals are obtained.


Examples:


        Vendor Master: credit period, vendor bank account details, etc.

        Customer Master: credit limit, bill-to address, ship-to address, etc.

        Material Master: material type, material description, unit of measure, etc.

        Employee Master: employee name, designation, salary details, etc.
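The following Python model is an added example, not code from the page, that makes the masters-level controls above concrete: a change to the customer master must be approved by an authorized approver other than the requester, every attempt is written to an audit log, the rejected attempts form the exception report, and the credit limit held in the master decides whether an invoice is created or placed on credit hold. The record layout, the approver list, the maker-checker rule and the assumption that invoices already outstanding count against the limit are all assumptions made for the example.

```python
"""Master-data change control and the credit-limit check it drives.

Added example, not code from the page. Record layout, approver list,
maker-checker rule and the treatment of outstanding balances are assumptions.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional


class ControlError(Exception):
    """Raised when a preventive control blocks an action."""


@dataclass
class CustomerMaster:
    customer_id: str
    credit_limit: Decimal
    outstanding: Decimal = Decimal("0")  # assumed: open invoices count against the limit


@dataclass
class MasterChange:
    customer_id: str
    attribute: str
    new_value: Decimal
    requested_by: str
    approved_by: Optional[str] = None


class CustomerMasterStore:
    def __init__(self, authorized_approvers: List[str]):
        self._records: Dict[str, CustomerMaster] = {}
        self._approvers = set(authorized_approvers)
        self.audit_log: List[dict] = []  # every attempt, applied or rejected

    def add(self, record: CustomerMaster) -> None:
        self._records[record.customer_id] = record

    def get(self, customer_id: str) -> CustomerMaster:
        return self._records[customer_id]

    def apply_change(self, change: MasterChange) -> None:
        """Preventive control: only an authorized approver, other than the requester, may approve."""
        reason = None
        if change.approved_by is None:
            reason = "no approval"
        elif change.approved_by == change.requested_by:
            reason = "requester approved own change"
        elif change.approved_by not in self._approvers:
            reason = f"approver {change.approved_by} not authorized"
        entry = {"customer_id": change.customer_id, "attribute": change.attribute,
                 "new_value": change.new_value, "requested_by": change.requested_by,
                 "approved_by": change.approved_by}
        if reason:
            self.audit_log.append({**entry, "status": "REJECTED", "reason": reason})
            raise ControlError(reason)
        record = self._records[change.customer_id]
        entry["old_value"] = getattr(record, change.attribute)
        setattr(record, change.attribute, change.new_value)
        self.audit_log.append({**entry, "status": "APPLIED"})

    def exception_report(self) -> List[dict]:
        """Detective control: rejected attempts, for review by the master-data owner."""
        return [e for e in self.audit_log if e["status"] == "REJECTED"]


def raise_invoice(store: CustomerMasterStore, customer_id: str, amount: Decimal) -> dict:
    """Create the invoice if it fits within the approved credit limit, else place it on credit hold."""
    record = store.get(customer_id)
    if record.outstanding + amount > record.credit_limit:
        return {"status": "CREDIT_HOLD", "customer_id": customer_id, "amount": amount,
                "available": record.credit_limit - record.outstanding}
    record.outstanding += amount
    return {"status": "CREATED", "customer_id": customer_id, "amount": amount}


def run_master_scenario() -> dict:
    """Constructed scenario: limit 10000, two invoices, a rejected and an approved limit change."""
    store = CustomerMasterStore(authorized_approvers=["credit_manager"])
    store.add(CustomerMaster("C100", Decimal("10000")))
    first = raise_invoice(store, "C100", Decimal("6000"))   # within limit
    second = raise_invoice(store, "C100", Decimal("5000"))  # 6000 + 5000 exceeds 10000
    try:
        store.apply_change(MasterChange("C100", "credit_limit", Decimal("20000"),
                                        requested_by="sales_clerk", approved_by="sales_clerk"))
        self_approved = "applied"
    except ControlError as err:
        self_approved = str(err)
    store.apply_change(MasterChange("C100", "credit_limit", Decimal("20000"),
                                    requested_by="sales_clerk", approved_by="credit_manager"))
    third = raise_invoice(store, "C100", Decimal("5000"))   # fits after the approved change
    return {"first": first["status"], "second": second["status"],
            "self_approved": self_approved, "third": third["status"],
            "exceptions": len(store.exception_report()), "log_entries": len(store.audit_log)}


if __name__ == "__main__":
    print(run_master_scenario())
```

The scenario shows both halves of the control: the self-approved limit change is blocked and lands in the exception report, and the second invoice stays on credit hold until the limit change is applied by an authorized approver.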


3. Transactions


                Transactions are the actual business events entered through the menus and functions of the application software, through which all transactions for a specific module are initiated, authorized or approved. 


For example:


        Sales transactions

        Purchase transactions

        Stock transfer transactions

        Journal entries

        Payment transactions


  Some examples of risks and controls for business processes are given below as an illustrative checklist:


[Students are advised to use the charts while working through this checklist of risks and controls for the various business processes. The syllabus covers six processes in this chapter; other processes are dealt with in other chapters. Follow the instructions given with the charts, which are included in the Master chart book.]


1. Procure to Pay (P2P) – Risks and Controls


        Procure to Pay (Purchase to Pay or P2P) is the process of obtaining and managing the raw materials, goods and services needed for manufacturing a product or providing a service, from requisition through to payment of the supplier. 


Masters


Risks and Control Objectives (Masters-P2P)



 

1. Risk: Unauthorized changes are made to the supplier master file.
   Control objective: Only valid changes are made to the supplier master file.

2. Risk: Not all valid changes to the supplier master file are input and processed.
   Control objective: All valid changes to the supplier master file are input and processed.

3. Risk: Changes to the supplier master file are not accurate.
   Control objective: Changes to the supplier master file are accurate.

4. Risk: Changes to the supplier master file are delayed and not processed in a timely manner.
   Control objective: Changes to the supplier master file are processed in a timely manner.

5. Risk: Supplier master file data is not up to date.
   Control objective: Supplier master file data remains up to date.

6. Risk: System access to maintain vendor masters has not been restricted to authorized users.
   Control objective: System access to maintain vendor masters is restricted to authorized users.


Transactions:

Risks and Control Objectives (Transactions-P2P)


 

1. Risk: Unauthorized requisitions are ordered.
   Control objective: Purchase orders are placed only for approved requisitions.

2. Risk: Purchase orders are not entered correctly in the system.
   Control objective: Purchase orders are accurately entered.

3. Risk: Not all purchase orders issued are input and processed.
   Control objective: All purchase orders issued are input and processed.

4. Risk: Amounts are posted to accounts payable for goods or services not received.
   Control objective: Amounts posted to accounts payable represent goods or services received.

5. Risk: Amounts posted to accounts payable are not properly calculated and recorded.
   Control objective: Accounts payable amounts are accurately calculated and recorded.

6. Risk: Amounts for goods or services received are not input and processed in accounts payable.
   Control objective: All amounts for goods or services received are input and processed to accounts payable.

7. Risk: Amounts for goods or services received are recorded in the wrong period.
   Control objective: Amounts for goods or services received are recorded in the appropriate period.

8. Risk: Accounts payable amounts are adjusted for unacceptable reasons.
   Control objective: Accounts payable are adjusted only for valid reasons.

9. Risk: Credit notes and other adjustments are recorded in the wrong period.
   Control objective: Credit notes and other adjustments are recorded in the appropriate period.

10. Risk: Disbursements are made for goods and services that have not been received.
    Control objective: Disbursements are made only for goods and services received.

11. Risk: Disbursements are not accurately calculated and recorded.
    Control objective: Disbursements are accurately calculated and recorded.

12. Risk: Not all disbursements are recorded.
    Control objective: All disbursements are recorded.

13. Risk: Disbursements are recorded in the wrong period.
    Control objective: Disbursements are recorded in the period in which they are issued.

14. Risk: System access to process transactions has not been restricted to authorized users.
    Control objective: System access to process transactions is restricted to authorized users.
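Several of the P2P transaction objectives above (orders only for approved requisitions, accounts payable only for goods actually received, amounts accurately calculated, recorded in the right period) are commonly enforced together by matching the purchase order, the goods receipt and the vendor invoice before anything is posted. The Python function below is an added example of such a three-way match, not code from the page or from any ERP product; the record layouts, the 2% price tolerance and the rule that the posting period is the month of the last goods receipt are assumptions, and the three invoices it is run against are constructed.

```python
"""Three-way match of purchase order, goods receipt and vendor invoice.

Added example, not code from the page. Record layouts, the price tolerance
and the posting-period rule are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import List, Optional

PRICE_TOLERANCE = Decimal("0.02")  # assumed: invoice unit price may deviate 2% from the PO


@dataclass
class PurchaseOrder:
    po_id: str
    vendor_id: str
    qty: int
    unit_price: Decimal
    requisition_id: Optional[str]  # None means no approved requisition behind the PO


@dataclass
class GoodsReceipt:
    grn_id: str
    po_id: str
    qty: int
    received_on: date


@dataclass
class VendorInvoice:
    inv_id: str
    po_id: str
    vendor_id: str
    qty: int
    unit_price: Decimal
    amount: Decimal
    invoice_date: date


def three_way_match(po: PurchaseOrder, receipts: List[GoodsReceipt],
                    invoice: VendorInvoice) -> dict:
    """Return a POST decision with amount and period, or HOLD with the exceptions found."""
    exceptions: List[str] = []
    matched = [r for r in receipts if r.po_id == po.po_id]
    received_qty = sum(r.qty for r in matched)

    if po.requisition_id is None:
        exceptions.append("PO not linked to an approved requisition")
    if invoice.po_id != po.po_id or invoice.vendor_id != po.vendor_id:
        exceptions.append("invoice PO/vendor does not match the purchase order")
    if not matched:
        exceptions.append("no goods receipt recorded against the PO")
    elif invoice.qty > received_qty:
        exceptions.append(f"invoiced qty {invoice.qty} exceeds received qty {received_qty}")
    if abs(invoice.unit_price - po.unit_price) > po.unit_price * PRICE_TOLERANCE:
        exceptions.append(f"unit price {invoice.unit_price} outside tolerance of PO price {po.unit_price}")
    expected_amount = invoice.qty * invoice.unit_price
    if invoice.amount != expected_amount:
        exceptions.append(f"invoice amount {invoice.amount} != qty x price {expected_amount}")

    if exceptions:
        return {"status": "HOLD", "inv_id": invoice.inv_id, "exceptions": exceptions}
    # Assumed period rule: the liability belongs to the period the goods were received in.
    last_receipt = max(r.received_on for r in matched)
    return {"status": "POST", "inv_id": invoice.inv_id, "amount": expected_amount,
            "period": (last_receipt.year, last_receipt.month)}


def run_match_scenario() -> dict:
    """Constructed data: one PO, two receipts, three invoices (clean, over-quantity, over-priced)."""
    po = PurchaseOrder("PO-1", "V-7", qty=100, unit_price=Decimal("12.50"), requisition_id="REQ-9")
    receipts = [GoodsReceipt("GRN-1", "PO-1", 60, date(2024, 3, 28)),
                GoodsReceipt("GRN-2", "PO-1", 40, date(2024, 4, 2))]
    invoices = [
        VendorInvoice("INV-A", "PO-1", "V-7", 100, Decimal("12.50"), Decimal("1250.00"), date(2024, 4, 5)),
        VendorInvoice("INV-B", "PO-1", "V-7", 120, Decimal("12.50"), Decimal("1500.00"), date(2024, 4, 5)),
        VendorInvoice("INV-C", "PO-1", "V-7", 100, Decimal("14.00"), Decimal("1400.00"), date(2024, 4, 5)),
    ]
    return {inv.inv_id: three_way_match(po, receipts, inv) for inv in invoices}


if __name__ == "__main__":
    for inv_id, decision in run_match_scenario().items():
        print(inv_id, decision)
```

INV-A posts to the April period because the last of its goods arrived in April; INV-B is held because 120 units were invoiced against 100 received; INV-C is held because the unit price drifted beyond the tolerance even though its arithmetic is internally consistent. Held invoices are the input to the accounts-payable exception review rather than being rejected silently.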


2. Order to Cash (O2C) – Risks and Controls


        Order to Cash (OTC or O2C) is a set of business processes that involve receiving and fulfilling customer requests for goods or services.

 

An order to cash cycle consists of multiple sub-processes including:


1. Customer order: Customer order is documented;

2. Order fulfilment: Order is fulfilled or service is scheduled;

3. Delivery note: Order is shipped to customer or service is performed;

4. Invoicing: Invoice is created and sent to customer;

5. Collections: Customer sends payment and it is collected; and

6. Accounting: Payment is recorded in general ledger.


Masters

Risks and Control Objectives (Masters-O2C)


 

1. Risk: The customer master file is not maintained properly and its information is not accurate.
   Control objective: The customer master file is maintained properly and its information is accurate.

2. Risk: Invalid changes are made to the customer master file.
   Control objective: Only valid changes are made to the customer master file.

3. Risk: Not all valid changes to the customer master file are input and processed.
   Control objective: All valid changes to the customer master file are input and processed.

4. Risk: Changes to the customer master file are not accurate.
   Control objective: Changes to the customer master file are accurate.

5. Risk: Changes to the customer master file are not processed in a timely manner.
   Control objective: Changes to the customer master file are processed in a timely manner.

6. Risk: Customer master file data is not up to date and relevant.
   Control objective: Customer master file data is up to date and relevant.

7. Risk: System access to maintain customer masters has not been restricted to authorized users.
   Control objective: System access to maintain customer masters is restricted to authorized users.


Transactions

Risks and Control Objectives (Transactions-O2C)



 

1. Risk: Orders exceeding customer credit limits are processed without approval.
   Control objective: Orders are processed only within approved customer credit limits.

2. Risk: Orders are not approved by management as to prices and terms of sale.
   Control objective: Orders are approved by management as to prices and terms of sale.

3. Risk: Orders and cancellations of orders are not input accurately.
   Control objective: Orders and cancellations of orders are input accurately.

4. Risk: Order entry data are not transferred completely and accurately to the shipping and invoicing activities.
   Control objective: Order entry data are transferred completely and accurately to the shipping and invoicing activities.

5. Risk: Not all orders received from customers are input and processed.
   Control objective: All orders received from customers are input and processed.

6. Risk: Invalid or unauthorized orders are input and processed.
   Control objective: Only valid and authorized orders are input and processed.

7. Risk: Invoices are generated using unauthorized terms and prices.
   Control objective: Invoices are generated using authorized terms and prices.

8. Risk: Credit notes and adjustments to accounts receivable are not accurately calculated and recorded.
   Control objective: Credit notes and adjustments to accounts receivable are accurately calculated and recorded.

9. Risk: Goods shipped are not invoiced.
   Control objective: All goods shipped are invoiced.

10. Risk: Credit notes for goods returned and adjustments to accounts receivable are not issued in accordance with organization policy.
    Control objective: Credit notes for all goods returned and adjustments to accounts receivable are issued in accordance with organization policy.

11. Risk: Invoices are raised for invalid shipments.
    Control objective: Invoices relate to valid shipments.

12. Risk: Credit notes do not pertain to a return of goods or other valid adjustments.
    Control objective: All credit notes relate to a return of goods or other valid adjustments.

13. Risk: Invoices are not recorded in the system.
    Control objective: All invoices issued are recorded.

14. Risk: Credit notes issued are not recorded in the system.
    Control objective: All credit notes issued are recorded.

15. Risk: Invoices are recorded in the wrong period.
    Control objective: Invoices are recorded in the appropriate period.

16. Risk: Credit notes are recorded in the wrong period.
    Control objective: Credit notes issued are recorded in the appropriate period.

17. Risk: Cash receipts are not recorded in the period in which they are received.
    Control objective: Cash receipts are recorded in the period in which they are received.

18. Risk: Cash receipts data are not entered correctly.
    Control objective: Cash receipts data are entered for processing accurately.

19. Risk: Cash receipts data are invalid or are entered into the system for processing more than once.
    Control objective: Cash receipts data are valid and are entered for processing only once.

20. Risk: Cash discounts are not accurately calculated and recorded.
    Control objective: Cash discounts are accurately calculated and recorded.

21. Risk: Collection of accounts receivable is delayed and not properly monitored.
    Control objective: Timely collection of accounts receivable is monitored.

22. Risk: System access to process transactions has not been restricted to authorized users.
    Control objective: System access to process transactions is restricted to authorized users.
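The cash-receipt objectives above (receipts valid and entered only once, discounts accurately calculated, receipts recorded in the period received) are the ones most often tested with data rather than with a walkthrough. The Python function below is an added example, not code from the page: it posts a constructed batch of receipts against open invoices, rejecting a duplicate of the same bank reference, a receipt that does not belong to the customer's invoice, and a discount claimed outside the terms, and stamps each posting with the period of the receipt date rather than of the invoice. The record layouts, the use of the bank statement reference as the duplicate key and the discount terms are assumptions.

```python
"""Cash receipt posting with validity, duplicate, discount and period checks.

Added example, not code from the page. Record layouts, the bank reference
as duplicate key and the discount terms are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List


@dataclass
class OpenInvoice:
    inv_id: str
    customer_id: str
    amount: Decimal
    invoice_date: date
    discount_pct: Decimal   # e.g. 2 means "2% off if paid within discount_days"
    discount_days: int


@dataclass
class CashReceipt:
    bank_ref: str           # bank statement reference, assumed unique per real receipt
    customer_id: str
    inv_id: str
    amount: Decimal
    received_on: date


def settlement_due(inv: OpenInvoice, received_on: date) -> Decimal:
    """Amount due after any cash discount earned by paying within the terms."""
    days = (received_on - inv.invoice_date).days
    if days <= inv.discount_days:
        discount = (inv.amount * inv.discount_pct / 100).quantize(Decimal("0.01"), ROUND_HALF_UP)
        return inv.amount - discount
    return inv.amount


def post_cash_receipts(receipts: List[CashReceipt],
                       open_invoices: Dict[str, OpenInvoice]) -> dict:
    """Post valid receipts once each; everything else goes to the exception list."""
    postings: List[dict] = []
    exceptions: List[tuple] = []
    seen = set()
    for r in receipts:
        if r.bank_ref in seen:
            exceptions.append((r.bank_ref, "duplicate entry of the same receipt"))
            continue
        seen.add(r.bank_ref)
        inv = open_invoices.get(r.inv_id)
        if inv is None or inv.customer_id != r.customer_id:
            exceptions.append((r.bank_ref, "receipt does not match an open invoice for this customer"))
            continue
        due = settlement_due(inv, r.received_on)
        if r.amount != due:
            exceptions.append((r.bank_ref, f"amount {r.amount} differs from settlement due {due}"))
            continue
        postings.append({"bank_ref": r.bank_ref, "inv_id": r.inv_id, "cash": r.amount,
                         "discount": inv.amount - due,
                         # period of the receipt date, not of the invoice
                         "period": (r.received_on.year, r.received_on.month)})
    return {"postings": postings, "exceptions": exceptions}


def run_receipt_scenario() -> dict:
    """Constructed batch: one good receipt, its duplicate, a late payer, a wrong customer, a late discount."""
    invoices = {
        "INV-1": OpenInvoice("INV-1", "C1", Decimal("1000.00"), date(2024, 3, 25), Decimal("2"), 10),
        "INV-2": OpenInvoice("INV-2", "C1", Decimal("500.00"), date(2024, 3, 1), Decimal("2"), 10),
    }
    receipts = [
        CashReceipt("R-1", "C1", "INV-1", Decimal("980.00"), date(2024, 4, 2)),  # paid day 8: discount earned
        CashReceipt("R-1", "C1", "INV-1", Decimal("980.00"), date(2024, 4, 2)),  # same receipt keyed twice
        CashReceipt("R-2", "C1", "INV-2", Decimal("500.00"), date(2024, 4, 2)),  # day 32: no discount
        CashReceipt("R-3", "C2", "INV-1", Decimal("980.00"), date(2024, 4, 2)),  # not this customer's invoice
        CashReceipt("R-4", "C1", "INV-2", Decimal("490.00"), date(2024, 4, 2)),  # discount taken after terms
    ]
    return post_cash_receipts(receipts, invoices)


if __name__ == "__main__":
    result = run_receipt_scenario()
    for p in result["postings"]:
        print("POSTED", p)
    for ref, why in result["exceptions"]:
        print("EXCEPTION", ref, why)
```

Two receipts post (both into the April period even though INV-2 was invoiced in March) and three land in the exception list with the reason attached, which is the evidence an auditor would expect for objectives 17 to 20 above.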

