"Invoice Coding Tracker"
City of Phoenix 02/22/11 Accounts Payable Risk Matrices
Contributed August 29, 2001 by email@example.com
City Auditor Department

SAP – Accounts Payable Control Matrix

The attached control matrix is the result of updating the post-implementation control matrix. The matrix outlines risks and controls. Controls will be validated and tested in the 2000-01 file for SAP Application Controls for Accounts Payable (File number 1010043).

The FI-AP module processes all regular invoices and invoices related to DPOs and CORs. Invoices related to POs are entered in the MM module, and controls are tested there.

This matrix will be helpful in identifying the risks and controls over Accounts Payable processing. The 2000-01 fiscal year audit work can be relied upon for a review of internal controls over SAP & Central Accounts Payable processing. However, it will still be necessary to evaluate individual departments' business processes and sample transactions when conducting audits of individual departmental expenditures.

The control matrix contains 4 categories:
1) Vendor Master
2) Invoice Processing
3) Invoice Verification
4) Disbursements

Vendor Master

1. Risk: Users may have unauthorized access to update vendor master files.
   Possible negative results: Financial loss due to payments made to incorrect vendor (fraud).
   Risk (High / Med / Low): H
   Controls:
   1. Appropriate transaction codes and other object authorizations should be assigned to authorized users. The following transactions need to be restricted:
      - Create, change and display master records
      - Block and unblock master records
      - Mark record for deletion
   2. Incompatible segregation of duty transactions such as the following are restricted:
      - Create/change vendor master data and accounts payable activities
      - Create/change vendor master data and process warrants/distribute warrants.
   3. City Controller signs off on security forms and checks for these incompatibilities.
   P/D: P, P, P
   Audit steps:
   1a. Review user profile for reasonableness of access.
   1b. Review the Vendor Master File for changes that have been made and verify that all of the users who made the changes have the appropriate Vendor Master Change profile.
   2. Review user profile for conflicting access (Refer to the D&T segregation of duties testing performed during the BASIS audit).
   3. Review user profiles added for A/P Vendor Master, for City Controller approvals.
   Teammate ref: 1a – VM2; 1b – VM1; 2 – VM2; 3 – VM2
   SOC: 1 = S; 2 = S; 3 = S

2. Risk: Creation or deletion of vendor master files may not be authorized or detected.
   Possible negative results: Financial loss due to payments made to unapproved vendor (fraud).
   Risk (High / Med / Low): H
   Controls:
   1. Creation or deletion of a vendor master file requires a vendor coding form authorization by the appropriate users.
   2. The vendor coding form will be attached with source documents and the A/P supervisor approves it. Then the Accounts Admin Section verifies AP Supervisor approval.
   3. The Accounts Admin Section reviews the SAP report (RFKABL00) listing modified vendors monthly. A sample of new/changed vendors is agreed to the vendor coding form.
   P/D: P, P, D
   Audit steps:
   1,2. Select a sample of vendor master records created. Trace information to vendor coding form, and verify proper authorization.
   3. Verify Accounts Admin reviews list of modified/created vendors.
   Teammate ref: 1,2 – VM1; 3 – VM4
   SOC: 1,2 = S; 3 = O

3. Risk: Inaccurate or incomplete vendor data may be entered.
   Possible negative results: Unpaid vendors. Legal liability for non-compliance with government regulations.
   Risk (High / Med / Low): H
   Controls:
   1. Mandatory fields in the vendor master file are defined and required. These fields include payee name (other required information depends on the Account Group).
   2. 1099 information is requested prior to setting up vendor master record. For tax-reportable vendors, the vendor is blocked until the 1099 information is provided.
   3. Vendors with incomplete info will be manually blocked from payment by AP staff.
   4. Inappropriate overrides for mandatory fields are prevented by SAP.
   5. The vendor coding form will be attached with source documents and the A/P supervisor approves it. Then the Accounts Admin Section verifies AP Supervisor approval.
   6. The system displays an error / warning message whenever there is erroneous or omitted vendor data during data entry.
   P/D: P, P, P, P
   Audit steps:
   1. Observe a user creating a Vendor Master Record, and document mandatory fields are required for entry.
   2. Observe a user creating a Vendor Master Record, and verify the 1099 is present, or vendor is blocked for payment.
   3. Select a sample of unblocked vendor files and verify they have the required information.
   4. Evaluate override authorizations (if any).
   5. Select a sample of vendor master records created. Trace information to vendor coding form.
   6. Observe that an error/warning message appears when erroneous information is entered, or required information is omitted.
   Teammate ref: 1 – VM3; 2 – VM3; 3 – VM1; 4 – VM3; 5 – VM1; 6 – VM3
   SOC: 1 = O; 2 = O; 3 = S; 4 = O; 5 = S; 6 = O

4. Risk: Sensitive fields, such as Alternative Payees, may be inappropriately completed and not reviewed.
   Possible negative results: Financial loss.
   Risk (High / Med / Low): H
   Controls:
   1. Alternative payees cannot be set up in the vendor master record without proper authorization. Alternate payees are used for collectors, levies, IRS or AZ Department of Revenue levies only. The creation or modification of alternative payee is subject to the same requirements as setting up or changing a vendor master record.
   2. The vendor coding form will be attached with source documents and the A/P supervisor approves it. Then the Accounts Admin Section verifies AP Supervisor approval.
   3. The Accounts Admin Section reviews the SAP report (RFKABL00) listing modified vendors monthly. A sample of new/changed vendors is agreed to the vendor coding form.
   P/D: P, P, D
   Audit steps:
   1. List all master vendor records with an alternative payee.
   2. Select a sample from the list and review supporting documentation for accuracy and proper approval.
   3. Verify Accounts Admin reviews list of modified/created vendors.
   Teammate ref: 1 – VM5; 2 – VM5; 3 – VM4
   SOC: 1, 2 = S; 3 = O

5. Risk: Duplicate vendor records may be created.
   Possible negative results: Incomplete reporting due to more than one vendor number. Confusion when selecting vendor when invoicing.
   Risk (High / Med / Low): M
   Controls:
   1. A/P clerk checks for same vendor name, address, etc. when submitting or approving vendor master input form.
   2. A/P supervisor signs off on vendor master input forms.
   3. Standard naming conventions are used to reduce the possibility of duplicate vendor names.
   P/D: P, P, P
   Audit steps:
   1. Observe user creating a vendor master record, and verify the user checks for same name.
   2. Select a sample of newly created vendor master records, and verify proper approval.
   3. Observe creation of vendor names and verify naming conventions are used.
   4. Test vendor master file for duplicate records.
   Teammate ref: 1 – VM3; 2 – VM1; 3 – VM3; 4 – VM1
   SOC: 1 = O; 2 = S; 3 = O; 4 = S

6. Risk: Housing / Election vendors may not receive the same level of review/control as centralized A/P vendors.
   Possible negative results: Financial loss.
   Risk (High / Med / Low): H
   Controls:
   1. Housing vendors are subject to the same controls mentioned in Vendor Master points 1-5.
   P/D: P / D
   Audit steps:
   1. Perform same audit steps for Housing (and any other users with vendor master authorization).
   Teammate ref: All VM steps
   SOC: 1 = S, O

7. Risk: Unauthorized changes to vendor master data may go undetected.
   Possible negative results: Financial loss.
   Risk (High / Med / Low): H
   Controls:
   1. The Accounts Admin Section reviews the SAP report (RFKABL00) listing modified vendors monthly. A sample of new/changed vendors is agreed to the vendor coding form.
   P/D: D
   Audit steps:
   1. Run the RFKABL00 report, and ask users to explain the items.
   Teammate ref: VM4
   SOC: 1 = S

FI Invoice Processing

1. Risk: Unauthorized users may gain access to post invoice transactions into SAP.
   Potential negative results: Financial loss.
   Risk (High / Med / Low): H
   Controls:
   1. Appropriate transaction codes and other object authorizations are assigned to authorized users. The following transactions are restricted:
      - post, change, delete parked and 'normal' documents
      - park and release parked documents
      - block and unblock documents.
   2. Invoice posting capabilities are segregated from the following:
      - vendor/bank master file creation/change
      - warrant distribution
      - a/p approval/review
   3. SAP security administrator will also monitor.
   P/D: P
   Audit steps:
   1. Review user profile for reasonableness of access.
   2. Rely on BASIS audit to identify conflicting access.
   3. Review user profiles added for A/P Invoice, for A/P supervisor and Controller approvals.
   Teammate ref: 1 – IP2; 2 – IP2; 3 – IP2
   SOC: 1 = S; 2 = S; 3 = S

2. Risk: Terminated employees or employees on extended leave of absence may have access to the system.
   Potential negative results: Financial loss.
   Risk (High / Med / Low): M
   Controls:
   1. A/P supervisor completes a form to remove access when employees leave.
   2. Finance SAP Team sends out lists to departments twice a year identifying potential terminated employees.
   P/D: P
   Audit steps:
   1. Compare user profiles for Invoicing to active employee list.
   2. Verify SAP Team sends out lists.
   Teammate ref: IP2
   SOC: 1 = S

3. Risk: Users may be able to post high dollar transactions without proper authorization.
   Potential negative results: Unauthorized large payments.
   Risk (High / Med / Low): M
   Controls:
   1. Workflow process: Supervisory approval of invoice, and Finance A/P review & approval.
   2. Finance Dept Admin Supervisor reviews all payments greater than $100,000.
   P/D: P, D
   Audit steps:
   1. Select a sample of invoices and verify supervisory and central a/p staff review.
   2. Select a sample of invoices greater than $100,000 and verify Finance Admin Supervisor review.
   Teammate ref: 1 – IP1; 2 – D10
   SOC: 1 = O; 2 = S

4. Risk: Invalid invoices may be entered.
   Potential negative results: Financial loss.
   Controls:
   1. Workflow process: Supervisory approval of invoice, and Finance A/P review & approval.
   2. Original invoices are required as source document. Supervisors must approve paying on a fax or copy.
   P/D: P, P
   Audit steps:
   1. Select a sample of invoices and verify supervisory and central a/p staff review.
   2. Select a sample of invoices and trace information to supporting document.
   Teammate ref: 1 – IP1; 2 – IP1
   SOC: 1, 2 = S

5. Risk: Inaccurate or invalid data could be input when record first entered into SAP.
   Potential negative results: Financial loss.
   Risk (High / Med / Low): H
   Controls:
   1. Intelligent and mandatory fields have been set up.
   2. SAP automatically requires supervisor approval of invoices.
   3. AP also traces information entered to the source document.
   P/D: P, D, D
   Audit steps:
   1. Observe the entry of invoices, and the SAP controls for mandatory and intelligent fields.
   2,3. Select a sample of invoice documents and verify supervisor and AP staff approval, and agree to source document.
   Teammate ref: 1 – IP3; 2,3 – IP1
   SOC: 1 = O; 2-3 = S

6. Risk: Invoices may not be properly approved.
   Potential negative results: Financial loss.
   Risk (High / Med / Low): H
   Controls:
   1. Workflow process: Supervisory approval of invoice, and Finance A/P review & approval.
   P/D: P
   Audit steps:
   1. Select a sample of invoices, and review for proper approval.
   Teammate ref: IP1
   SOC: 1 = S

7. Risk: Invoice is posted into SAP more than once.
   Potential negative results: Financial loss from duplicate invoices. Misstated financial statements.
   Risk (High / Med / Low): M
   Controls:
   1. System does not allow duplicate invoices upon invoice entry if the invoice number, vendor number and invoice date are the same.
   2. Finance staff reviews the duplicate invoice report (zdup) daily. The report identifies all invoices with the same invoice number and the same amount.
   3. Original invoices are required as source document. Supervisors must approve paying on a fax or copy.
   4. AP staff physically stamp "paid" on invoices after approval.
   P/D: P, D, P
   Audit steps:
   1. Enter an invoice twice, and verify that the system does not allow duplicate invoice numbers.
   2. Review copies of the duplicate invoice report to verify that Finance is reviewing the report and taking appropriate action.
   3,4. Select a sample of invoices and trace information to supporting document, and verify invoice is stamped "paid".
   5. Use ACL to test for duplicate invoices in a variety of ways.
   Teammate ref: 1 – IP3; 2 – IP4; 3,4 – IP1; 5 – IP4
   SOC: 1 = S; 2 = S; 3,4 = S

8. Risk: Invoice may be changed after it is posted.
   Potential negative results: Financial loss.
   Risk (High / Med / Low): H
   Controls:
   1. Payee or amount cannot be changed once supervisor has released PCD.
   P/D: P
   Audit steps:
   1. Observe Finance AP staff trying to change the payee or amount after the invoice is posted to verify SAP controls.
   Teammate ref: IP3
   SOC: 1 = S

9. Risk: The original transaction is inappropriately reversed out from the system.
   Potential negative results: Misstated financial statements. Unpaid vendors resulting in lost discounts, or late fees.
   Risk (High / Med / Low): H
   Controls:
   1. SAP will automatically verify the following, before a reversal entry is accepted:
      - no cleared items
      - original transaction was within the original posting module
   2. Only Finance AP supervisors have access to do reversal documents (FB08, MR08), and a reason code is required. Standard procedure is to also enter information in the text field.
   P/D: P
   Audit steps:
   1. Determine if SAP or Finance checks for reversal entries.
   2. Verify that only Finance AP supervisors have access to reverse a document.
   Teammate ref: 1 – IP6; 2 – IP6
   SOC: 1 = S

10. Risk: Invoice may contain mathematical errors.
   Potential negative results: Financial loss.
   Risk (High / Med / Low): H
   Controls:
   1. The creator of the invoice or manual PCD is responsible for verifying the mathematical accuracy of the invoice. There are no subsequent controls.
   P/D: P
   Audit steps:
   1. Select a sample of invoice documents and verify mathematical accuracy of the invoice.
   Teammate ref: IP1
   SOC: 1 = S

11. Risk: Invoices may be incorrectly or inaccurately keyed in through the FI module and not through the MM module, which would bypass the 'three way match' (PO, invoice and goods receipt) control to detect any errors.
   Potential negative results: Financial loss from duplicate invoices. Misstated financial statements.
   Risk (High / Med / Low): H
   Controls:
   1. Workflow process: Supervisory approval of invoice, and Finance A/P review & approval.
   2. Finance AP checks for PO reference on the invoice.
   3. Finance AP identifies invoices for commodities, and investigates any commodities not being paid against a DPO, COR, or PO.
   4. Finance AP reconciles all outstanding open items in g/l account 291000. This g/l account receives all GR (goods receipts) and INV (invoices) posted. Thus Finance AP can identify:
      - GR without INV
      - INV without GR
      - GR different from INV, and vice versa
   P/D: P, P, P, D
   Audit steps:
   1. Select a sample of invoices and verify supervisory and central a/p staff review.
   2&3. Observe Finance AP process and verify they check for PO reference on the invoice, and they check commodities not paid against a DPO, COR or PO.
   4. Review of g/l account 291000.
   Teammate ref: 1 – IP1; 2 – IP3; 3 – IP7
   SOC: 1 = S; 2,3 = O; 4 = O

12. Risk: Invoice is not applied towards the related RF.
   Potential negative results: Misstated financial statements.
   Risk (High / Med / Low): H
   Controls:
   1. Creator of the invoice enters the RF# in a user-defined field.
   2. Workflow process: Supervisory approval of invoice, and Finance A/P review & approval.
   3. Finance A/P staff approving the invoice look for the RF# on the invoice, and verify the number is on the SAP invoice.
   4. After Finance AP staff approves the invoice, SAP verifies matching data (i.e. vendor number) and automatically updates the RF.
   5. Departments are responsible for their budgets, and may notice invoices not applied to RFs.
   P/D: P, P, P, P, D
   Audit steps:
   1-3. Observe Finance AP process and verify the reviewer checks for RF#.
   4. We did not test for invoices with RF references, that were not applied to the PO. We relied on the other controls.
   5. No test necessary.
   Teammate ref: 1-5 – IP8
   SOC: 1-5 = S

13. Risk: Invoices may not be input in a timely manner.
   Potential negative results: Late payments to vendors, resulting in lost discounts, or late fees.
   Risk (High / Med / Low): M
   Controls:
   1. Vendor inquiries are investigated.
   P/D: D
   Audit steps:
   1. Review cycle time information for timeliness of invoice input.
   2. Review report on number of invoices paid late.
   Teammate ref: 1 – IP5; 2 – IP5
   SOC: 1,2 = S

14. Risk: Invoices that are 'parked' may not be posted and cleared on a timely basis.
   Potential negative results: Late payments to vendors, resulting in lost discounts, or late fees.
   Risk (High / Med / Low): M
   Controls:
   1. Finance A/P management monitors the number of items and age in workflow inboxes.
   2. Finance AP management investigates all parked items over 2 weeks old.
   P/D: P, D
   Audit steps:
   1&2. Review the most recent report of invoices parked, and document the staff's comments.
   Teammate ref: 1,2 – IP5
   SOC: 1,2 = S

15. Risk: The General Ledger account balances may not be updated when a transaction is posted into a Vendor Account, e.g., the reconciliation process may not be correctly set up.
   Potential negative results: Misstatement of financial statements.
   Risk (High / Med / Low): H
   Controls:
   1. The FI accounts payable and FI general ledger are fully integrated within SAP. A posting to the vendor account will automatically post to the appropriate reconciliation account in the general ledger on a real time basis. GL account number 222000 is the only reconciliation account.
   P/D: P
   Audit steps:
   1. Select a sample of invoices and verify that the posting to the vendor account agrees to the general ledger posting.
   Teammate ref: 1 – IP1
   SOC: 1 = S

16. Risk: Transactions may be posted to the wrong account / project / business area.
   Potential negative results: Misstatement of financial statements.
   Risk (High / Med / Low): M
   Controls:
   1. The workflow process is comprised of supervisory approval of invoice, and Finance A/P review & approval.
   2. SAP gives a warning message if posting information (i.e. Business Area / cost center) is not compatible.
   3. Reconciliation account 222000 is used to ensure integrity between GL and AP sub-ledger. Direct posting to the reconciliation account is blocked.
   P/D: D, P, D
   Audit steps:
   1. Select a sample of invoices and verify supervisory and central a/p staff review.
   2. Observe SAP warning when Business Area and Cost Center are not compatible.
   3. Review items in the 222000 g/l account and document the staff's comments.
   Teammate ref: 1 – IP1; 2 – IP3; 3 – IP1
   SOC: 1,2 = S

17. Risk: Invoices may not be stored for payment disputes, etc.
   Potential negative results: Lack of documentation for auditors.
   Risk (High / Med / Low): L
   Controls:
   1. All supporting documentation (i.e. invoice) is stamped "paid" and filed.
   P/D: P
   Audit steps:
   1. Select a sample of invoices and verify that documents were stored properly.
   Teammate ref: IP1
   SOC: 1 = S

18. Risk: Posting keys for A/P transactions may not be restricted.
   Risk (High / Med / Low): H
   Controls:
   1. SAP automatically selects posting keys based on input information.
   2. SAP requires the matching of debits and credits before an invoice is posted.
   P/D: P, P, P
   Audit steps:
   1-2. Observe that posting key controls are in place.
   Teammate ref: IP3
   SOC: 1-2 = O

Invoice Verification

1. Risk: Incorrect or invalid invoice data may be entered when the record is first entered via the MM module.
   Potential negative results: Financial loss.
   Risk (High / Med / Low): M
   Controls:
   1. The system requires entry of the following information upon entry of the invoice:
      - purchase order number
      - document date
      - invoice number
      - total invoice amount
   2. The system automatically displays all lines of the related purchase order and the value of the related goods receipt (GR) entered. Therefore AP staff can select the line items relevant to the specific invoice.
   P/D: P, P
   Audit steps:
   1. Observe the entry of invoices, and the SAP controls for mandatory and intelligent fields.
   2. Observe data entry and verify SAP displays PO limitations.
   Teammate ref: 1 – IV3; 2 – IV3
   SOC: 1, 2 = S

2. Risk: The tolerance limits for invoice verification procedures may be set too high. The tolerance limit is used to match the FI invoice with the MM PO goods receipt.
   Potential negative results: Unauthorized large payments.
   Risk (High / Med / Low): L
   Controls:
   1. The tolerance limits used to check on the three way match process are set according to the City's policies and standards. The standard is 10%, or $100 per line item.
   2. If the tolerance is exceeded, the system will not display the PO line items. Then the AP clerk will not process the invoice, and will notify Purchasing of the discrepancy.
   P/D: P
   Audit steps:
   1. Run the tolerance limit report for AP and MM, by transaction key, and compare the limits to the City standards.
   2. Observe the entry of invoices and verify SAP warning message and AP clerk action.
   Teammate ref: 1 – IV4; 2 – IV3
   SOC: 1 = S

3. Risk: Payment blocks may not be placed on invoices during the invoice approval process.
   Potential negative results: Financial loss due to invoices being paid before final approval.
   Controls:
   1. Payment blocks include:
      - Invoice amount exceeds PO amount by tolerance limits
      - The quantity on the invoice exceeds the quantity on the goods receipt (GR).
   2. The system blocks the payments automatically if one of the above situations exists.
   Audit steps:
   1,2. Observe the entry of invoices and verify SAP warning message and AP clerk action.
   Teammate ref: IV3
   SOC: 1 = O; 2 = O

4. Risk: Purchase made through PO is paid by PCD.
   Potential negative results: Misstated financial statements.
   Risk (High / Med / Low): M
   Controls:
   1. Finance AP checks for PO reference on the invoice.
   2. Finance AP identifies invoices for commodities, and investigates any commodities not being paid against a DPO, COR, or PO.
   3. Finance AP reconciles all outstanding open items in g/l account 291000. This g/l account receives all GR (goods receipts) and INV (invoices) posted. Thus Finance AP can identify:
      - GR without INV
      - INV without GR
      - GR different from INV, and vice versa
   Audit steps:
   1,2. Observe Finance AP process and verify they check for PO reference on the invoice, and they check commodities not paid against a DPO, COR or PO.
   2. Review of g/l account 291000.
   Teammate ref: 1,2 – IV3; 3 – IV4

5. Risk: Large outstanding payable balances may build up and not be reviewed on a regular basis in the GR/IR general ledger account. An example is the account where tolerance differences are posted.
   Potential negative results: Late payments to vendors, resulting in lost discounts, or late fees.
   Risk (High / Med / Low): H
   Controls:
   1. If there is a quantity variance where the quantity invoiced is different than the quantity of goods received, and if there is no further goods receipt recorded by the system, the GR/IR account will not be cleared automatically.
   2. A batch job is run to match GR and IR entries within the account on a daily basis.
   3. Finance AP staff reviews the GR/IR clearing account monthly for long outstanding, open items, and makes the appropriate corrections.
   Audit steps:
   1. Review of g/l account 291000.
   Teammate ref: IV4
   SOC: NA

Disbursements

1. Risk: Unauthorized users may be able to post invoice transactions into SAP.
   Potential negative results: Financial loss.
   Risk (High / Med / Low): H
   Controls:
   1. See controls for Invoice Processing.
   P/D: P
   Audit steps:
   1. Rely on Invoice Processing tests.
   Teammate ref: IP all

2. Risk: Unauthorized access to the Payment Output file. (Note: Payment Output File is the result of a formatted payment batch. It contains all of the formatted payment information, in report format, to cut checks. Access to the directory should be restricted or extremely limited.)
   Potential negative results: Financial loss.
   Risk (High / Med / Low): H
   Controls:
   1. SAP Security Profiles: Only 3 A/P supervisors have access.
   P/D: P
   Audit steps:
   1. List all users with this profile and review for reasonableness and proper authorization.
   Teammate ref: D3
   SOC: 1 = S

3. Risk: Cash disbursement details may be inaccurate and incomplete.
   Potential negative results: Financial loss. Misstated financial statements.
   Risk (High / Med / Low): H
   Controls:
   1. Disbursement data is based on information provided during invoice entry (either via FI or MM module).
   2. Prior to the payment run, SAP creates an exception report for invoices where mandatory fields are not populated, and for invoices blocked for payment.
   3. The A/P supervisor reviews the Payment Proposal List (RFZALI00) and the Exception List (RFZALI10).
   P/D: P, D
   Audit steps:
   1. Rely on Invoice Processing controls.
   2,3. Observe the documentation existing to verify supervisory review of payment proposal list and exception list.
   Teammate ref: 1 – all IP; 2,3 – D4
   SOC: 1 = S; 2 = O

4. Risk: Inaccurate or incomplete vendor invoices may be paid.
   Risk (High / Med / Low): H
   Controls:
   1. Vendors with incomplete info will be manually blocked from payment by AP staff.
   P/D: P
   Audit steps:
   1. Select a sample of unblocked vendor files and verify they have the required information.
   Teammate ref: VM3
   SOC: 1 = S

5. Risk: Check number may not be indicated in the payment document during payment processing.
   Risk (High / Med / Low): H
   Controls:
   1. The system captures the check number in the document allocation fields, and automatically prints the number on the check.
   2. Check number is pre-printed on manual checks.
   P/D: P
   Audit steps:
   1. Select a sample of invoices and trace the check number back to the record.
   2. Trace manual check numbers back to invoices to make sure the manual check number was entered.
   Teammate ref: 1 – D1; 2 – D2
   SOC: 1 = S

6. Risk: Large or unusual payments may not be blocked for management review.
   Potential negative results: Unauthorized large payments.
   Risk (High / Med / Low): L
   Controls:
   1. The Accounts Admin staff approves all payments over $100,000, and all payments to 1-time vendors.
   2. Procedures exist to review and approve invoices that are blocked.
   P/D: P, D
   Audit steps:
   1. Select a sample of payments > $100,000 and verify Accounts Admin signature.
   2. Observe check run and verify checks => $100,000 are approved by Accounts Admin.
   Teammate ref: 1 – D10; 2 – D4
   SOC: 1, 2 = S

7. Risk: Invoices selected for payment may not be reviewed.
   Potential negative results: Financial loss.
   Risk (High / Med / Low): H
   Controls:
   1. The system is configured to propose invoices that are due for payment in the automatic payment run. A/P reviewer approval is required before payment.
   P/D: P, D
   Audit steps:
   1. Run a report of all invoices due for a specific date, and compare that to the automatic payment run.
   2. Document management's review of the Payment Proposal List and Exception List.
   Teammate ref: 1 – D1; 2 – D4
   SOC: 1, 2 = S

8. Risk: Payments could be made more than once for an invoice.
   Potential negative results: Financial loss from duplicate payments.
   Risk (High / Med / Low): H
   Controls:
   1. SAP automatically assigns a clearing document number and clearing date when payment is made for open invoice item.
   2. SAP will not select cleared items for payment.
   3. Print file disappears after it is printed, so checks can't be printed again.
   P/D: P
   Audit steps:
   1. Select a sample of paid invoices and verify they were assigned a clearing document number and clearing date.
   2. Test the disbursement run to make sure no cleared items were paid.
   3. Document that the print file disappears after it is printed.
   Teammate ref: 1 – D1; 2 – D1; 3 – D1
   SOC: 1, 2, 3 = S

9. Risk: Payments made are posted to the wrong accounts.
   Potential negative results: Misstated financial statements.
   Risk (High / Med / Low): M
   Controls:
   1. The FI accounts payable and FI general ledger are fully integrated within SAP. A posting to the vendor account will automatically post to the appropriate reconciliation account in the general ledger on a real time basis. GL account number 222000 is the only reconciliation account.
   P/D: P, P
   Audit steps:
   1. Select a sample of invoices and verify the g/l account entry.
   2. Review activity in g/l account #220000 to verify all invoices were posted to FI-GL.
   Teammate ref: 1 – D1; 2 – D1
   SOC: 1 = S; 2 = O

10. Risk: The check number in the check register may not be updated.
   Potential negative results: Financial loss due to the difficulty reconciling bank accounts, and noting missing checks.
   Risk (High / Med / Low): H
   Controls:
   1. SAP automatically assigns a sequential check number to each check, and records it in the register.
   2. The check register is used to keep track of physical check numbers.
   3. Procedures exist for reviewing the check number in the check register. The procedures cover:
      - Reviewing missing checks or checks number not running in sequence;
      - Reconcile check register after each check run;
      - Are spoiled manual checks retained;
      - Checks printed as overflow documents are denoted as "void"
      - Payment is made by the first check in the series only, and others are denoted as "void".
   4. SAP reports all voided checks during the check run, and the AP Supervisor reviews the report.
   5. The AP Supervisor reconciles the number of checks from the check register report to the count on the Job Log.
   P/D: P, P
   Audit steps:
   1. Identify process for assigning both electronic and manual check numbers.
   2. Review the check register for missing check numbers.
   3. Observe procedures for:
      - reviewing missing checks or check numbers
      - reconciling check register after each run
      - spoiled checks
      - voided checks
   4. Verify SAP reports all voided checks during the run.
   5. Document the reconciliation of Check register and SAP Job Log.
   Teammate ref: 1 – D2 & D4; 2 – D1; 3 – D1; 4 – D1
   SOC: 1 = S; 2 = S; 3 = O; 4 = S; 5 = S

11. Risk: The discount amount may be calculated incorrectly.
   Potential negative results: Financial loss.
   Risk (High / Med / Low): M
   Controls:
   1. The system automatically calculates discounts.
   P/D: P
   Audit steps:
   1. Select a sample of invoices and verify that the appropriate discount was taken.
   Teammate ref: 1 – D5
   SOC: 1 = S

12. Risk: The transaction in the system may be left as an open item even though payment has been made.
   Potential negative results: Financial loss from duplicate payments.
   Risk (High / Med / Low): L
   Controls:
   1. The system assigns a clearing number and a clearing document to close an outstanding transaction when payment is made.
   P/D: P
   Audit steps:
   1. Select a sample of paid invoices and verify they were assigned a clearing document number and clearing date.
   Teammate ref: 1 – D1
   SOC: 1 = S

13. Risk: In the Check Print Restart and Reset Payment Batch functions: spoiled checks may not be retained for evidence as to restart. Completeness of checks may not be verified prior to restart.
   Potential negative results: Financial loss due to discarding spoiled checks.
   Risk (High / Med / Low): H
   Controls:
   1. Have not had to do a check print restart yet. Could not validate.
   P/D: P
   Audit steps:
   1. Document any "check print restart" events, and verify spoiled checks were retained and checks were completed.
   Teammate ref: 1 – D1
   SOC: 1 = O

14. Risk: Checks issued to employees may be inappropriate.
   Potential negative results: Financial loss.
   Risk (High / Med / Low): M
   Controls:
   1. Employees are grouped in a separate account group.
   2. Supervisory approval required through workflow.
   3. A/P audit review.
   4. Manual approval required on PCDs entered by A/P clerks.
   P/D: P, P, D, D
   Audit steps:
   1. Select a sample of checks paid to employees, and verify proper approval and proper account group.
   2-4. Rely on Invoice Processing testing.
   Teammate ref: 1 – D8; 2-4 – all IP
   SOC: 1-4 = S

15. Risk: Manual checks issued may not be recorded in the system.
   Potential negative results: Financial loss due to the difficulty reconciling bank accounts, and noting missing checks.
   Risk (High / Med / Low): H
   Controls:
   1. Manual checks are recorded in the SAP check register.
   2. The City Controller reviews the SAP check list prior to the release of manual checks.
   3. An Accounts Admin staff member reviews the log of manual checks to ensure that no checks are missing and all numbers are entered.
   4. Blank check stock is secured.
   P/D: P
   Audit steps:
   1. Take an inventory of the manual checks, and verify all missing check numbers are in SAP and on the manual log.
   2. Document City Controller requires SAP Check List prior to signing manual checks.
   3. Verify independent review of manual check log.
   4. Verify blank checks are secure.
   Teammate ref: 1-4 – D2
   SOC: 1 = S; 2 = O; 3 = O; 4 = S

16. Risk: Printed checks may be lost or stolen.
   Potential negative results: Financial loss.
   Risk (High / Med / Low): M
   Controls:
   1. The check printer is stored in a public area, but is supervised during the printing.
   2. Checks are mailed out the same day they are printed.
   3. Printed checks kept for pick up are kept in a secretary's desk, and locked in the safe for the night.
   P/D: P
   Audit steps:
   1. Observe the check run, and review the security methods used to make sure checks are mailed out or kept in a secure location.
   Teammate ref: D1
   SOC: 1 = O

17. Risk: Cancellation and re-issue of checks may be improperly processed.
   Potential negative results: Financial loss. Misstatement of financial statements.
   Risk (High / Med / Low): H
   Controls:
   1. Controls are in place to ensure that warrants already issued have not been cashed before the re-issue of another warrant by checking with the bank and SAP.
   2. Appropriate and authorized documentation is received from the vendor for review before the re-issue of another warrant.
   3. A/P supervisor checks documentation and approves transaction.
   P/D: D, D
   Audit steps:
   1. Select a sample of re-issued checks and verify that the original warrant was never cashed.
   2. Agree check information to supporting documentation.
   3. Verify supervisor approval on all re-issued checks.
   Teammate ref: 1-3 – D11
   SOC: 1, 2, 3 = S

18. Risk: The bank amount in the books may not agree with the amount at hand in bank.
   Potential negative results: Financial loss. Misstated financial statements.
   Risk (High / Med / Low): H
   Controls:
   1. An independent person reviews the bank reconciliation.
   2. The bank account is reconciled automatically daily, with exceptions cleared manually.
   P/D: D
   Audit steps:
   1. Document segregation of duties between disbursements and bank reconciliation.
   2. Select a sample of reconciliations and review unreconciled items.
   Teammate ref: 1-2 – D9
   SOC: 1 = O; 2 = S

19. Risk: Signature stamp is used by an unauthorized person.
   Potential negative results: Financial loss.
   Risk (High / Med / Low): H
   Controls:
   1. The signature stamp is kept in a safe in Accounts Admin.
   Audit steps:
   1. Verify the signature stamp is secure.
   Teammate ref: D2

20. Risk: Payment to vendor may be made when there is a large outstanding receivable from that company.
   Potential negative results: Financial loss.
   Risk (High / Med / Low): M
   Controls:
   1. AP provides Collections with a list of all checks => $100,000 daily for their review.
   Audit steps:
   1. Verify that Treasury reviews all checks => $100,000.
   Teammate ref: D10

21. Risk: Credit memos due to Accounts Receivable customers may not be processed properly.
   Controls:
   1. Finance staff performs a separate payment run for credit memos.
   Audit steps:
   1. Observe credit memo run and document issues.
   Teammate ref: D7
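
Invoice Processing risk 7 lists an entry-time check (same invoice number, vendor number and invoice date), a daily report (same invoice number and same amount) and an audit step to test for duplicates "in a variety of ways". The following is an added example, not part of the City's audit program and not an ACL script, that runs those keys plus two broader ones over constructed records to show which re-keyed duplicates each key misses; the field names, the normalization rule and the fourth test are assumptions.

```python
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal


def inv(doc, vendor, inv_no, inv_date, amount):
    """Build one invoice record; field names are assumptions, not SAP fields."""
    return {"doc": doc, "vendor": vendor, "inv_no": inv_no,
            "inv_date": inv_date, "amount": Decimal(amount)}


# Constructed sample data. D2-D5 are all re-entries of the invoice in D1.
INVOICES = [
    inv("D1", "V100", "INV-4471", date(2001, 3, 1), "1250.00"),
    inv("D2", "V100", "INV-4471", date(2001, 3, 1), "1250.00"),   # exact re-entry
    inv("D3", "V100", "INV-4471", date(2001, 3, 9), "1250.00"),   # different date
    inv("D4", "V100", "inv 04471", date(2001, 3, 1), "1250.00"),  # reformatted number
    inv("D5", "V207", "INV-4471", date(2001, 3, 1), "1250.00"),   # duplicate vendor record
    inv("D6", "V300", "8812", date(2001, 3, 2), "99.10"),         # unrelated
]


def normalize_inv_no(raw):
    """Upper-case, drop punctuation and spaces, strip leading zeros of digit runs."""
    s = re.sub(r"[^A-Z0-9]", "", raw.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", s)


# Each test is a key function; records sharing a key are reported as one group.
TESTS = {
    # Key described for the entry-time check in control 1.
    "entry_check": lambda r: (r["vendor"], r["inv_no"], r["inv_date"]),
    # Key described for the daily duplicate invoice report in control 2.
    "number_amount": lambda r: (r["inv_no"], r["amount"]),
    # Assumed broader tests of the kind audit step 5 leaves open.
    "normalized_number_amount": lambda r: (normalize_inv_no(r["inv_no"]), r["amount"]),
    "vendor_amount_date": lambda r: (r["vendor"], r["amount"], r["inv_date"]),
}


def duplicate_groups(invoices, key_fn):
    """Return sorted groups of document ids that share the same key."""
    buckets = defaultdict(list)
    for rec in invoices:
        buckets[key_fn(rec)].append(rec["doc"])
    return sorted(sorted(docs) for docs in buckets.values() if len(docs) > 1)


def run_tests(invoices):
    """Run every duplicate test and return {test name: groups}."""
    return {name: duplicate_groups(invoices, fn) for name, fn in TESTS.items()}


def missed_by_entry_check(invoices):
    """Documents some test flags but the entry-time key does not group."""
    results = run_tests(invoices)
    blocked = {d for g in results["entry_check"] for d in g}
    flagged = {d for groups in results.values() for g in groups for d in g}
    return sorted(flagged - blocked)


if __name__ == "__main__":
    for name, groups in run_tests(INVOICES).items():
        print(f"{name:26} {groups}")
    print("missed by entry check:", missed_by_entry_check(INVOICES))
```
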
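
Vendor Master risk 1 and Invoice Processing risks 1 and 2 call for reviewing user profiles for conflicting access and comparing them to the active employee list. The following is an added example, not the City's or SAP's own tooling, of that review over constructed data; the capability labels, role names and user IDs are hypothetical, and the conflict pairs are the ones named in those controls.

```python
# Conflict pairs taken from the controls above; capability labels are hypothetical.
CONFLICTS = [
    ("vendor_master_maintain", "invoice_post"),
    ("vendor_master_maintain", "warrant_distribute"),
    ("invoice_post", "warrant_distribute"),
    ("invoice_post", "ap_approve"),
]

# Constructed role design and assignments (not real SAP roles or users).
ROLE_CAPS = {
    "AP_CLERK": {"invoice_post"},
    "AP_SUPERVISOR": {"ap_approve"},
    "VENDOR_ADMIN": {"vendor_master_maintain"},
    "WARRANT_DESK": {"warrant_distribute"},
    "AP_LEAD": {"invoice_post", "ap_approve"},  # conflicting on its own
}
USER_ROLES = {
    "asmith": ["AP_CLERK"],
    "bjones": ["AP_CLERK", "VENDOR_ADMIN"],      # two clean roles, one conflict
    "clee": ["AP_SUPERVISOR"],
    "dpatel": ["VENDOR_ADMIN", "WARRANT_DESK"],
    "egarcia": ["AP_CLERK"],                     # not on the active employee list
    "fkim": ["AP_LEAD"],
}
ACTIVE_EMPLOYEES = {"asmith", "bjones", "clee", "dpatel", "fkim"}


def capability_sources(user):
    """Map each capability a user holds to the roles that grant it."""
    sources = {}
    for role in USER_ROLES.get(user, []):
        for cap in sorted(ROLE_CAPS.get(role, set())):
            sources.setdefault(cap, []).append(role)
    return sources


def sod_violations():
    """Per user, each conflicting pair with the roles that contribute each side."""
    findings = {}
    for user in sorted(USER_ROLES):
        src = capability_sources(user)
        hits = [(a, src[a], b, src[b]) for a, b in CONFLICTS if a in src and b in src]
        if hits:
            findings[user] = hits
    return findings


def conflicting_roles():
    """Roles whose own design bundles both sides of a conflict pair."""
    return sorted(role for role, caps in ROLE_CAPS.items()
                  if any(a in caps and b in caps for a, b in CONFLICTS))


def stale_accounts():
    """Users who still hold roles but are not on the active employee list."""
    return sorted(u for u, roles in USER_ROLES.items()
                  if roles and u not in ACTIVE_EMPLOYEES)


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for a, a_roles, b, b_roles in hits:
            print(f"{user}: {a} via {a_roles} conflicts with {b} via {b_roles}")
    print("roles conflicting by design:", conflicting_roles())
    print("accounts to remove:", stale_accounts())
```

Reporting the contributing roles separates an assignment problem (bjones, dpatel) from a role-design problem (AP_LEAD), which need different fixes.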