Invoice Financial

City of Phoenix                                                                                                            02/22/11
Accounts Payable Risk Matrices

                                     Contributed August 29, 2001 by julia.bird@phoenix.gov

                                                      City Auditor Department
                                                       SAP – Accounts Payable
                                                           Control Matrix

The attached control matrix is the result of updating the post-implementation control matrix. The matrix outlines risks and controls.
Controls will be validated and tested in the 2000-01 file for SAP Application Controls for Accounts Payable (File number 1010043).

The FI-AP module processes all regular invoices, as well as invoices related to DPOs and CORs. Invoices related to POs
are entered in the MM module, and controls are tested there.

This matrix will be helpful in identifying the risks and controls over Accounts Payable processing. The 2000-01 fiscal year audit work
can be relied upon for a review of internal controls over SAP & Central Accounts Payable processing. However, it will still be
necessary to evaluate individual departments' business processes and sample transactions when conducting audits of individual
departmental expenditures.

The control matrix contains 4 categories:
1) Vendor Master
2) Invoice Processing
3) Invoice Verification
4) Disbursements






No  Risks                     Possible    Risk    Controls                           P/D Audit                Teammate    SOC
                              Negative    (High /                                        Step                 Ref
                              Results     Med /
                                          Low)
    Vendor Master
1   Users may have            Financial   H       1. Appropriate transaction         P   1a. Review user      1a. - VM2   1 =S
    unauthorized access to    Loss due            codes and other object                 profile for
    update vendor master      to                  authorizations should be               reasonableness of    1b. - VM1
    files.                    payments            assigned to authorized users.          access.
                              made to             The following transactions need                             2. - VM2
                              incorrect           to be restricted:                      1b. Review the
                              vendor.             - Create, change and display           Vendor Master        3 – VM2
                              (fraud)                  master records                    File for changes
                                                                                         that have been
                                                    - Block and unblock master           made and verify
                                                      records                            that all of the
                                                                                         users who made
                                                    - Mark record for deletion           the changes have
                                                                                         the appropriate
                                                  2. Incompatible segregation of         Vendor Master
                                                  duty transactions such as the          Change profile.
                                                  following are restricted:
                                                  - Create/change vendor                 2. Review user                   2 =S
                                                       master data and accounts      P   profile for
                                                       payable activities                conflicting access
                                                  - Create/change vendor                 (Refer to the D&T
                                                       master data and process           segregation of
                                                       warrants/distribute               duties testing
                                                       warrants.                         performed during
                                                                                         the BASIS audit).
                                                  3. City Controller signs off on
                                                  security forms and checks for          3. Review user                   3= S
                                                  these incompatibilities.               profiles added for
                                                                                         A/P Vendor
                                                                                         Master, for City
                                                                                         Controller
                                                                                         approvals.

                                                                                     P

2   Creation or deletion of   Financial   H       1. Creation or deletion of a       P   1,2. Select a        1,2 – VM1   1,2 =
    vendor master files       Loss due            vendor master file requires a          sample of vendor                 S
    may not be authorized     to                  vendor coding form                     master records       3 – VM4
    or detected.              payments            authorization by the appropriate       created. Trace
                              made to             users.                                 information to
                              unapproved                                                 vendor coding
                              vendor.             2. The vendor coding form will     P   form, and verify
                              (fraud)             be attached with source                proper
                                                  documents and the A/P                  authorization.
                                                  supervisor approves it. Then
                                                  the Accounts Admin Section             3. Verify                        3=
                                                  verifies AP Supervisor                 Accounts Admin                   O

                                                  approval.                             reviews list of
                                                                                        modified/created
                                                  3. The Accounts Admin                 vendors.
                                                  Section reviews the SAP report    D
                                                  (RFKABL00) listing modified
                                                  vendors monthly. A sample of
                                                  new/changed vendors is agreed
                                                  to the vendor coding form.



3   Inaccurate or            Unpaid       H       1. Mandatory fields in the        P   1. Observe a user     1 – VM3    1=
    incomplete vendor data   vendors.             vendor master file are defined        creating a Vendor                O
    may be entered.                               and required. These fields            Master Record,        2 – VM3
                             Legal                include payee name (other             and document
                             liability            required information depends          mandatory fields      3 – VM1
                             for non-             on the Account Group).                are required for
                             compliance                                                 entry.                4 – VM3
                             with                 2. 1099 information is
                             government           requested prior to setting up         2. Observe a user     5 – VM1
                                                  vendor master record. For tax-    P   creating a Vendor                2=
                             regulations          reportable vendors, the vendor        Master Record,        6 – VM3    O
                                                  is blocked until the 1099             and verify the
                                                  information is provided               1099 is present, or
                                                                                        vendor is blocked
                                                  3. Vendors with incomplete            for payment.
                                                  info will be manually blocked
                                                  from payment by AP staff.             3. Select a sample               3=
                                                                                    P   of unblocked                     S
                                                  4. Inappropriate overrides of         vendor files and
                                                  mandatory fields are prevented        verify they have
                                                  by SAP.                               the required
                                                                                        information.
                                                  5. The vendor coding form will    P
                                                  be attached with source               4. Evaluate
                                                  documents and the A/P                 override                         4=
                                                  supervisor approves it. Then          authorizations (if               O
                                                  the Accounts Admin Section            any)
                                                  verifies AP Supervisor
                                                  approval.                             5. Select a sample
                                                                                        of vendor master
                                                  6. The system displays an error       records created.
                                                  / warning message whenever            Trace information                5=
                                                  there is erroneous or omitted         to vendor coding                 S
                                                  vendor data during data entry.        form.

                                                                                        6. Observe that an
                                                                                        error/warning
                                                                                        message appears                  6=

                                                                                         when erroneous                   O
                                                                                         information is
                                                                                         entered, or
                                                                                         required
                                                                                         information is
                                                                                         omitted.
4   Sensitive fields, such   Financial    H       1. Alternative payees cannot be    P   1. List all master    1 – VM5    1, 2
    as Alternative Payees,   loss.                set up in the vendor master            vendor records                   =S
    may be inappropriately                        record without proper                  with an alternative   2 – VM5
    completed and not                             authorization. Alternate payees        payee.
    reviewed.                                     are used for collectors, levies,                             3 – VM4
                                                  IRS or AZ Department of                2. Select a sample
                                                  Revenue levies only. The               from the list and
                                                  creation or modification of            review supporting
                                                  alternative payee is subject to        documentation for
                                                  the same requirements as               accuracy and
                                                  setting up or changing a vendor        proper approval.
                                                  master record.
                                                                                         3. Verify                        3=
                                                  2. The vendor coding form will         Accounts Admin                   O
                                                  be attached with source                reviews list of
                                                  documents and the A/P                  modified/created
                                                  supervisor approves it. Then       P   vendors.
                                                  the Accounts Admin Section
                                                  verifies AP Supervisor
                                                  approval.

                                                  3. The Accounts Admin
                                                  Section reviews the SAP report
                                                  (RFKABL00) listing modified
                                                  vendors monthly. A sample of
                                                  new/changed vendors is agreed      D
                                                  to the vendor coding form.

5   Duplicate vendor         Incomplete   M       1. A/P clerk checks for same       P   1. Observe user       1 – VM3    1=
    records may be           vendor               name, address, etc. when               creating a vendor                O
    created.                 reporting            submitting or approving vendor         master record, and    2 – VM1
                             due to               master input form.                     verify the user
                             more than                                                   checks for same       3 – VM3
                             one                  2. A/P supervisor signs off on         name.
                             vendor               vendor master input forms.         P                         4 – VM1
                             number.                                                     2. Select a sample               2=
                                                  3. Standard naming conventions         of newly created                 S
                             Confusion            are used to reduce the                 vendor master
                             when                 possibility of duplicate vendor    P   records, and
                             selecting            names                                  verify proper
                             vendor                                                      approval.
                             when
                             invoicing.                                                  3. Observe                       3=

                                                                                      creation of vendor               O
                                                                                      names and verify
                                                                                      naming
                                                                                      conventions are
                                                                                      used.

                                                                                      4. Test vendor                   4=
                                                                                      master file for                  S
                                                                                      duplicate records.
6   Housing / Election       Financial   H       1. Housing vendors are subject   P   1. Perform same      All VM      1=S,
    vendors may not          loss.               to the same controls mentioned   /   audit steps for      steps       O
    receive the same level                       in Vendor Master points 1-5.     D   Housing (and any
    of review/control as                                                              other users with
    centralized A/P                                                                   vendor master
    vendors.                                                                        authorization).

7   Unauthorized changes     Financial   H       1. The Accounts Admin Section    D   1. Run the           VM4         1=
    to vendor master data    loss                reviews the SAP report               RFKABL00                         S
    may go undetected.                           (RFKABL00) listing modified          report, and ask
                                                 vendors monthly. A sample of         users to explain
                                                 new/changed vendors is agreed        the items.
                                                 to the vendor coding form.






No  Risks                     Potential   Risk    Controls                           P/D Audit Steps           Teammate    SOC
                              Negative    (High /                                                              Ref
                              Results     Med /
                                          Low)
    FI Invoice Processing
1   Unauthorized users        Financial   H       1. Appropriate transaction         P   1. Review user        1 – IP2     1=S
    may gain access to post   loss.               codes and other object                 profile for
    invoice transactions                          authorizations are assigned to         reasonableness of     2 – IP2
    into SAP.                                     authorized users. The                  access.
                                                  following transactions are                                   3 – IP2
                                                  restricted:                            2. Rely on BASIS                  2=S
                                                  - post, change, delete parked          audit to identify
                                                       and 'normal' documents            conflicting access.
                                                  - park and release parked
                                                       documents                         3. Review user
                                                  - block and unblock                    profiles added for                3= S
                                                       documents.                        A/P Invoice, for
                                                                                         A/P supervisor
                                                  2. Invoice posting capabilities        and Controller
                                                  are segregated from the                approvals.
                                                  following:
                                                  - vendor/bank master file
                                                       creation/change
                                                  - warrant distribution
                                                  - a/p approval/review

                                                  3. SAP security administrator
                                                  will also monitor.

2   Terminated employees or   Financial   M       1. A/P supervisor completes a      P   1. Compare user       IP2         1=S
    employees on extended     loss.               form to remove access when             profiles for
    leave of absence may                          employees leave.                       Invoicing to active
    have access to the                                                                   employee list
    system.                                       2. Finance SAP Team sends
                                                  out lists to departments twice a       2. Verify SAP
                                                  year identifying potential             Team sends out
                                                  terminated employees                   lists.
3   Users may be able to      Unauthorized M      1. Workflow process:               P   1. Select a sample    1 – IP1     1=
    post high dollar          large               Supervisory approval of                of invoices and                   O
    transactions without      payments            invoice, and Finance A/P               verify supervisory    2 – D10
    proper authorization.                         review & approval                      and central a/p
                                                                                         staff review.
                                                  2. Finance Dept Admin                                                    2=S
                                                  Supervisor reviews all                 2. Select a sample
                                                  payments greater than                  of invoices greater
                                                  $100,000.                              than $100,000 and
                                                                                         verify Finance
                                                                                         Admin Supervisor
                                                                                         review.







                                                                                     D
4   Invalid invoices may     Financial            1. Workflow process:               P   1. Select a sample    1 – IP1     1, 2
    be entered               loss.                Supervisory approval of                of invoices and                   =S
                                                  invoice, and Finance A/P               verify supervisory    2 – IP1
                                                  review & approval                      and central a/p
                                                                                         staff review.
                                                  2. Original invoices are           P
                                                  required as source document.           2. Select a sample
                                                  Supervisors must approve               of invoices and
                                                  paying on a fax or copy.               trace information
                                                                                         to supporting
                                                                                         document.
5   Inaccurate or invalid    Financial    H       1. Intelligent and mandatory       P   1. Observe the        1 – IP3     1=O
    data could be input      loss.                fields have been set up.               entry of invoices,
    when record first                                                                    and the SAP           2,3 – IP1
    entered into SAP                              2. SAP automatically requires      D   controls for
                                                  supervisor approval of invoices.       mandatory and
                                                                                         intelligent fields.
                                                  3. AP also traces information
                                                  entered to the source document.    D   2,3. Select a                     2-3
                                                                                         sample of invoice                 =S
                                                                                         documents and
                                                                                         verify supervisor
                                                                                         and AP staff
                                                                                         approval, and
                                                                                         agree to source
                                                                                         document.
6   Invoices may not be      Financial    H       1. Workflow process:               P   1. Select a sample    IP1         1=S
    properly approved.       loss.                Supervisory approval of                of invoices, and
                                                  invoice, and Finance A/P               review for proper
                                                  review & approval.                     approval.

7   Invoice is posted into   Financial    M       1. System does not allow           P   1. Enter an invoice   1 – IP3     1=S
    SAP more than once.      loss from            duplicate invoices upon invoice        twice, and verify
                             duplicate            entry if the invoice number,           that the system       2 – IP4
                             invoices.            vendor number and invoice              does not allow
                                                  date are the same.                     duplicate invoice     3,4 – IP1
                             Misstated                                                   numbers.
                             financial            2. Finance staff reviews the                                 5 – IP4
                             statements.          duplicate invoice report (zdup)    D   2. Review copies                  2=S
                                                  daily. The report identifies all       of the duplicate
                                                  invoices with the same invoice         invoice report to
                                                  number and the same amount.            verify that Finance
                                                                                         is reviewing the
                                                  3. Original invoices are               report and taking
                                                  required as source document.           appropriate action.

                                                  Supervisors must approve
                                                  paying on a fax or copy.           P   3,4. Select a
                                                                                         sample of invoices
                                                  4. AP staff physically stamp           and trace                         3,4 =
                                                  “paid” on invoices after               information to                    S
                                                  approval.                              supporting
                                                                                         document, and
                                                                                         verify invoice is
                                                                                         stamped “paid”.

                                                                                         5. Use ACL to test
                                                                                         for duplicate
                                                                                         invoices in a
                                                                                         variety of ways.
8    Invoice may be          Financial    H       1. Payee or amount cannot be       P   1. Observe            IP3         1=S
     changed after it is     loss.                changed once supervisor has            Finance AP staff
     posted                                       released PCD.                          trying to change
                                                                                         the payee or
                                                                                         amount after the
                                                                                         invoice is posted
                                                                                         to verify SAP
                                                                                         controls.
9    The original            Misstated    H       1. SAP will automatically          P   1. Determine if       1 – IP6     1=S
     transaction is          financial            verify the following, before a         SAP or Finance
     inappropriately         statements.          reversal entry is accepted:            checks for reversal   2 – IP6
     reversed out from the                         - no cleared items                     entries.
     system.                                       - original transaction was
                             Unpaid                    within the original posting       2. Verify that only
                             vendors                   module                            Finance AP
                             resulting                                                   supervisors have
                             in lost              2. Only Finance AP supervisors         access to reverse a
                             discounts,           have access to do reversal             document.
                             or late              documents (FB08, MR08), and
                             fees.                a reason code is required.
                                                  Standard procedure is to also
                                                  enter information in the text
                                                  field.

10   Invoice may contain     Financial    H       1. The creator of the invoice or   P   1. Select a sample    IP1         1 =S
     mathematical errors.    loss                 manual PCD is responsible for          of invoice
                                                  verifying the mathematical             documents and
                                                  accuracy of the invoice.               verify
                                                                                         mathematical
                                                  There are no subsequent                accuracy of the
                                                  controls.                              invoice.
11   Invoices may be         Financial    H       1. Workflow process:               P   1. Select a sample    1 – IP1     1=S
     incorrectly or          loss from            Supervisory approval of                of invoices and
     inaccurately keyed in   duplicate            invoice, and Finance A/P               verify supervisory    2 – IP3
     through the FI module   invoices.            review & approval                      and central a/p

     and not through the                                                                   staff review.         3 – IP7
     MM module, which          Misstated            2. Finance AP checks for PO        P
     would bypass the 'three   financial            reference on the invoice.              2&3. Observe
     way match' (PO,           statements.                                                 Finance AP
     invoice and goods                              3. Finance AP identifies               process and verify                2,3 =
     receipt) control to                            invoices for commodities, and      P   they check for PO                 O
     detect any errors.                             investigates any commodities           reference on the
                                                    not being paid against a DPO,          invoice, and they
                                                    COR, or PO.                            check
                                                                                           commodities not
                                                    4. Finance AP reconciles all           paid against a
                                                    outstanding open items in g/l          DPO, COR or PO.
                                                    account 291000. This g/l           D
                                                    account receives all GR (goods         4. Review of g/l
                                                    receipts) and INV (invoices)           account 291000.                   4 =O
                                                    posted. Thus Finance AP can
                                                    identify:
                                                     - GR without INV
                                                     - INV without GR
                                                     - GR different from INV,
                                                         and vice versa


12   Invoice is not applied    Misstated    H       1. Creator of the invoice enters   P   1-3. Observe          1-5 – IP8   1-5
     towards the related RF    financial            the RF# in a user-defined field.       Finance AP                        =S
                               statements                                                  process and verify
                                                    2. Workflow process:                   the reviewer
                                                    Supervisory approval of            P   checks for RF#.
                                                    invoice, and Finance A/P
                                                    review & approval.                     4. We did not test
                                                                                           for invoices with
                                                    3. Finance A/P staff approving         RF references, that
                                                    the invoice look for the RF# on    P   were not applied
                                                    the invoice, and verify the            to the PO. We
                                                    number is on the SAP invoice.          relied on the other
                                                                                           controls.
                                                    4. After Finance AP staff
                                                    approves the invoice, SAP          P   5. No test
                                                    verifies matching data (i.e.           necessary.
                                                    vendor number) and
                                                    automatically updates the RF.

                                                    5. Departments are responsible     D
                                                    for their budgets, and may
                                                    notice invoices not applied to
                                                    RF's.

13   Invoices may not be       Late         M       1. Vendor inquiries are            D   1. Review cycle       1 – IP5     1,2 =
     input in a timely         payments             investigated.                          time information                  S

     manner.                    to                                                          for timeliness of     2 – IP5
                                vendors,                                                    invoice input.
                                resulting
                                in lost                                                     2. Review report
                                discounts,                                                  on number of
                                or late                                                     invoices paid late.
                                fees.
14   Invoices that are          Late         M       1. Finance A/P management          P   1&2. Review the       1,2 – IP5   1,2 =
     'parked' may not be        payments             monitors the number of items           most recent report                S
     posted and cleared on a    to                   and age in workflow inboxes.           of invoices
     timely basis.              vendors,                                                    parked, and
                                resulting            2. Finance AP management               document the
                                in lost              investigates all parked items      D   staff's comments.
                                discounts,           over 2 weeks old.
                                or late
                                fees.
15   The General Ledger         Misstatement H       1. The FI accounts payable and     P   1. Select a sample    1 – IP1     1=S
     account balances may       of                   FI general ledger are fully            of invoices and
     not be updated when a      financial            integrated within SAP. A               verify that the
     transaction is posted      statements.          posting to the vendor account          posting to the
     into a Vendor Account                           will automatically post to the         vendor account
     e.g., the reconciliation                        appropriate reconciliation             agrees to the
     process may not be                              account in the general ledger on       general ledger
     correctly set-up.                               a real time basis. GL account          posting.
                                                     number 222000 is the only
                                                     reconciliation account.


16   Transactions may be        Misstatement M       1. The workflow process is         D   1. Select a sample    1 – IP1     1,2 =
     posted to the wrong        of                   comprised of supervisory               of invoices and                   S
     account / project /        financial            approval of invoice, and               verify supervisory    2 – IP3
     business area.             statements.          Finance A/P review &                   and central a/p
                                                     approval.                              staff review.         3 – IP1

                                                     2. SAP gives a warning             P
                                                     message if posting information         2. Observe SAP
                                                     (i.e. Business Area / cost center)     warning when
                                                     is not compatible.                     Business Area and
                                                                                            Cost Center are
                                                     3. Reconciliation account              not compatible.
                                                     222000 is used to ensure
                                                     integrity between GL and AP        D   3. Review items in
                                                     sub-ledger. Direct posting to          the 222000 g/l
                                                     reconciliation account is              account and
                                                     blocked.                               document the
                                                                                            staff's comments.
17   Invoices may not be        Lack of      L       1. All supporting                  P   1. Select a sample    IP1         1=S
     stored for payment         documentation        documentation (i.e. invoice) is        of invoices and
     disputes, etc.             for                  stamped “paid” and filed.              verify that

                               auditors.                                                 documents were
                                                                                         stored properly.
18   Posting keys for A/P                  H       1. SAP automatically selects      P   1-2. Observe that   IP3         1-2 =
     transactions may not be                       posting keys based on input           posting key                     O
     restricted.                                   information.                          controls are in
                                                                                     P   place.
                                                   2. SAP requires the matching of
                                                   debits and credits before an
                                                   invoice is posted.
                                                                                     P
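
Added example (not part of the City's matrix): Invoice Processing row 7 gives two duplicate keys, the SAP entry check (invoice number, vendor number, invoice date) and the zdup report (invoice number, amount), and audit step 5 calls for testing duplicates in a variety of ways. The Python below runs both keys plus one assumed extra test on a normalized invoice number; field names, document numbers and sample rows are constructed.

```python
"""Duplicate-invoice tests over an invoice extract (constructed data)."""
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal
from typing import NamedTuple


class Invoice(NamedTuple):
    doc_no: str          # accounting document number (hypothetical field name)
    vendor: str          # vendor number
    invoice_no: str      # vendor's invoice number exactly as keyed
    invoice_date: date
    amount: Decimal


def normalize_invoice_no(raw: str) -> str:
    """Collapse keying variants: case, punctuation and spaces, leading zeros."""
    cleaned = re.sub(r"[^A-Z0-9]", "", raw.upper())
    return cleaned.lstrip("0") or "0"


# Each test is the key that defines "the same invoice" for that control.
TESTS = {
    # Key the matrix gives for the SAP check at invoice entry.
    "entry_check": lambda i: (i.invoice_no, i.vendor, i.invoice_date),
    # Key the matrix gives for the daily zdup report.
    "zdup_report": lambda i: (i.invoice_no, i.amount),
    # Assumed extra test, not from the matrix: same vendor and amount,
    # invoice number equal once keying variants are normalized away.
    "normalized_no": lambda i: (i.vendor, normalize_invoice_no(i.invoice_no), i.amount),
}


def find_duplicates(invoices, key):
    """Return sorted groups of doc_no values that share the same key."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[key(inv)].append(inv.doc_no)
    return sorted(sorted(docs) for docs in groups.values() if len(docs) > 1)


def run_all(invoices):
    """Run every test; result maps test name -> list of duplicate groups."""
    return {name: find_duplicates(invoices, key) for name, key in TESTS.items()}


def only_in(results, test, *others):
    """Groups flagged by `test` that none of the `others` flagged."""
    seen = {tuple(g) for o in others for g in results[o]}
    return [g for g in results[test] if tuple(g) not in seen]


# Constructed sample rows.
SAMPLE = [
    # Same invoice re-keyed with a different date: passes the entry check,
    # caught by zdup.
    Invoice("1900000001", "V100", "INV-0042", date(2001, 3, 1), Decimal("1250.00")),
    Invoice("1900000002", "V100", "INV-0042", date(2001, 3, 9), Decimal("1250.00")),
    # Leading zero added: passes both exact-match keys.
    Invoice("1900000003", "V200", "7731", date(2001, 3, 2), Decimal("980.50")),
    Invoice("1900000004", "V200", "07731", date(2001, 3, 2), Decimal("980.50")),
    # Exact duplicate: should never post if the entry check is working.
    Invoice("1900000005", "V300", "A-17", date(2001, 3, 5), Decimal("300.00")),
    Invoice("1900000006", "V300", "A-17", date(2001, 3, 5), Decimal("300.00")),
    # Unique invoice.
    Invoice("1900000007", "V400", "555", date(2001, 3, 6), Decimal("75.00")),
]

if __name__ == "__main__":
    results = run_all(SAMPLE)
    for name, groups in results.items():
        print(name, groups)
    print("missed by both exact keys:",
          only_in(results, "normalized_no", "entry_check", "zdup_report"))
```

Any group reported under entry_check is itself a finding, because the preventive control should have rejected the second posting.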






N   Risks                      Potential     Risk    Controls                            P/   Audit Steps           Teammate    SOC
o                              Negative      (High                                       D                          Ref
                               Results       / Med
                                             /
                                             Low)
    Invoice Verification
1   Incorrect or invalid       Financial     M       1. The system requires entry of     P    1. Observe the        1 – IV3     1, 2
    invoice data may be        loss                  the following information upon           entry of invoices,                =S
    entered when the                                 entry of the invoice:                    and the SAP           2 – IV3
    record is first entered                           - purchase order number                  controls for
    via the MM module.                                - document date                          mandatory and
                                                      - invoice number                         intelligent fields.
                                                      - total invoice amount
                                                                                              2. Observe data
                                                     2. The system automatically              entry and verify
                                                     displays all lines of the related   P    SAP displays PO
                                                     purchase order and the value of          limitations.
                                                     the related goods receipt (GR)
                                                     entered. Therefore AP staff can
                                                     select the line items relevant to
                                                     the specific invoice.

2   The tolerance limits       Unauthorized  L       1. The tolerance limits used to     P    1. Run the            1 – IV4     1=
    for invoice verification   large                 check on the three way match             tolerance limit                   S
    procedures may be set      payments.             process are set according to the         report for AP and     2 – IV3
    too high. The                                    City's policies and standards.           MM, by
    tolerance limit is used                          The standard is 10%, or $100             transaction key,
    to match the FI invoice                          per line item.                           and compare the
    with the MM PO                                                                            limits to the City
    goods receipt.                                   2. If the tolerance is exceeded,         standards.
                                                     the system will not display the
                                                     PO line items. Then the AP               2. Observe the
                                                     clerk will not process the               entry of invoices
                                                     invoice, and will notify                 and verify SAP
                                                     Purchasing of the discrepancy.           warning message
                                                                                              and AP clerk
                                                                                              action.
3   Payment blocks may         Financial             1. Payment blocks include:               1,2. Observe the      IV3         1=
    not be placed on           loss due to           - Invoice amount exceeds                 entry of invoices                 O
    invoices during the        invoices                   PO amount by tolerance              and verify SAP
    invoice approval           being paid                 limits                              warning message
    process.                   before                - The quantity on the invoice            and AP clerk
                               final                      exceeds the quantity on the         action.
                               approval.                  goods receipt (GR).

                                                     2. The system blocks the                                                   2=O
                                                     payments automatically if one
                                                     of the above situations exists.
4   Purchase made through      Misstated     M       1. Finance AP checks for PO              1,2. Observe          1,2 – IV3
    PO is paid by PCD.         financial             reference on the invoice.                Finance AP
                               statements.                                                    process and           3 – IV4
                                                     2. Finance AP identifies                 verify they check


                                                   invoices for commodities, and          for PO reference
                                                   investigates any commodities           on the invoice,
                                                   not being paid against a DPO,          and they check
                                                   COR, or PO.                            commodities not
                                                                                          paid against a
                                                   3. Finance AP reconciles all           DPO, COR or
                                                   outstanding open items in g/l          PO.
                                                   account 291000. This g/l
                                                   account receives all GR (goods         2. Review of g/l
                                                   receipts) and INV (invoices)           account 291000.
                                                   posted. Thus Finance AP can
                                                   identify:
                                                    - GR without INV
                                                    - INV without GR
                                                    - GR different from INV,
                                                        and vice versa
5   Large outstanding         Late         H       1. If there is a quantity              1. Review of g/l   IV4         NA
    payable balances may      payments             variance where the quantity            account 291000.
    build up and not be       to                   invoiced is different than the
    reviewed on a regular     vendors,             quantity of goods received, and
    basis in the GR/IR        resulting            if there is no further goods
    general ledger account.   in lost              receipt recorded by the system,
    An example is the         discounts,           the GR/IR account will not be
    account where             or late              cleared automatically.
    tolerance differences     fees.
    are posted.                                    2. A batch job is run to match
                                                   GR and IR entries within the
                                                   account on a daily basis.

                                                   3. Finance AP staff reviews the
                                                   GR/IR clearing account
                                                   monthly for long outstanding,
                                                   open items, and makes the
                                                   appropriate corrections.
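
Added example (not part of the City's matrix): the three GR/IR exception classes listed for g/l account 291000 and the two payment-block conditions from Invoice Verification row 3, applied to constructed PO lines. It assumes the 10% / $100 standard blocks a line when the invoice exceeds the PO amount by more than either limit, and that GR and INV are compared on quantity; all field names and rows are hypothetical.

```python
"""Three-way-match exceptions for GR/IR open items (constructed data)."""
from decimal import Decimal
from typing import NamedTuple, Optional

PCT_LIMIT = Decimal("0.10")   # the matrix's standard: 10% ...
ABS_LIMIT = Decimal("100")    # ... or $100 per line item


class POLine(NamedTuple):
    po_line: str                     # hypothetical line identifier
    po_amount: Decimal               # ordered value of the line
    gr_qty: Optional[Decimal]        # None = no goods receipt posted
    inv_qty: Optional[Decimal]       # None = no invoice posted
    inv_amount: Optional[Decimal]


def over_tolerance(po_amount: Decimal, inv_amount: Decimal) -> bool:
    """Assumption: exceeding either the percentage or the dollar limit counts."""
    excess = inv_amount - po_amount
    return excess > ABS_LIMIT or excess > po_amount * PCT_LIMIT


def open_item_class(line: POLine) -> Optional[str]:
    """GR/IR exception class from the matrix, or None when GR and INV agree."""
    if line.gr_qty is None and line.inv_qty is None:
        return None
    if line.inv_qty is None:
        return "GR without INV"
    if line.gr_qty is None:
        return "INV without GR"
    if line.gr_qty != line.inv_qty:
        return "GR different from INV"
    return None


def payment_blocks(line: POLine) -> list:
    """Payment-block conditions named in Invoice Verification row 3."""
    blocks = []
    if line.inv_amount is not None and over_tolerance(line.po_amount, line.inv_amount):
        blocks.append("invoice amount exceeds PO amount by tolerance")
    if line.inv_qty is not None and line.inv_qty > (line.gr_qty or Decimal(0)):
        blocks.append("invoice quantity exceeds GR quantity")
    return blocks


def reconcile(lines):
    """Return findings per PO line; lines with nothing to report are omitted."""
    findings = {}
    for line in lines:
        cls, blocks = open_item_class(line), payment_blocks(line)
        if cls or blocks:
            findings[line.po_line] = {"open_item": cls, "blocks": blocks}
    return findings


D = Decimal
# Constructed sample lines.
SAMPLE_LINES = [
    POLine("A", D("1000"), D("10"), D("10"), D("1000")),  # clean match
    POLine("B", D("1000"), D("10"), None, None),          # goods in, no invoice
    POLine("C", D("500"), None, D("5"), D("500")),        # invoice, no goods
    POLine("D", D("2000"), D("8"), D("10"), D("2000")),   # billed more than received
    POLine("E", D("2000"), D("10"), D("10"), D("2150")),  # 7.5% over, but > $100
    POLine("F", D("200"), D("4"), D("4"), D("230")),      # $30 over, but > 10%
    POLine("G", D("200"), D("4"), D("4"), D("215")),      # inside both limits
]

if __name__ == "__main__":
    for po_line, finding in reconcile(SAMPLE_LINES).items():
        print(po_line, finding)
```

Lines E and F show why the two limits need testing separately: the dollar limit is the binding one on large lines and the percentage limit on small ones.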






N   Risks                     Potential    Risk    Controls                            P   Audit Steps          Teammate       SOC
o                             Negative     (High                                       /                        Ref
                              Results      / Med                                       D
                                           /
                                           Low)
    Disbursements
1   Unauthorized users        Financial    H       1. See controls for Invoice         P   1. Rely on           IP all
    may be able to post       loss                 Processing.                             Invoice
    invoice transactions                                                                   Processing tests.
    into SAP.
2   Unauthorized access to    Financial    H       1. SAP Security Profiles: Only      P   1. List all users    D3             1=S
    the Payment Output        loss                 3 A/P supervisors have access.          with this profile
    file.                                                                                  and review for
    (Note: Payment                                                                         reasonableness
    Output File is the                                                                     and proper
    result of a formatted                                                                  authorization.
    payment batch. It
    contains all of the
    formatted payment
    information, in report
    format, to cut checks.
    Access to the directory
    should be restricted or
    extremely limited.)

3   Cash disbursement         Financial    H       1. Disbursement data is based       P   1. Rely on           1 – all IP     1=S
    details may be            loss.                on information provided during          Invoice
    inaccurate and                                 invoice entry (either via FI or         Processing           2,3 – D4
    incomplete.               Misstated            MM module).                             controls.
                              financial
                              statements.          2. Prior to the payment run,            2,3. Observe the
                                                   SAP creates an exception report         documentation
                                                   for invoices where mandatory            existing to verify
                                                   fields are not populated, and for       supervisory
                                                   invoices blocked for payment.           review of                           2=
                                                                                           payment                             O
                                                   3. The A/P supervisor reviews           proposal list and
                                                   the Payment Proposal List           D   exception list.
                                                   (RFZALI00) and the Exception
                                                   List (RFZALI10).

4   Inaccurate or                          H       1. Vendors with incomplete          P   1. Select a          VM3            1= S
    incomplete vendor                              info will be manually blocked           sample of
    invoices may be paid.                          from payment by AP staff.               unblocked
                                                                                           vendor files and
                                                                                           verify they have
                                                                                           the required
                                                                                           information.

5   Check number may not                   H       1. The system captures the          P   1. Select a          1 – D1         1=S
    be indicated in the                            check number in the document            sample of
    payment document                               allocation fields, and                  invoices and         2 – D2
    during payment                                 automatically prints the number         trace the check

    processing.                                 on the check.                           number back to
                                                                                        the record.
                                                2. Check number is pre-printed
                                                on manual checks.                       2. Trace manual
                                                                                        check numbers
                                                                                        back to invoices
                                                                                        to make sure the
                                                                                        manual check
                                                                                        number was
                                                                                        entered.
6   Large or unusual        Unauthori   L       1. The Accounts Admin staff         P   1. Select a          1 – D10        1, 2
    payments may not be     zed large           approves all payments over              sample of                           =S
    blocked for             payments.           $100,000, and all payments to           payments >           2 – D4
    management review.                          1-time vendors.                     D   $100,000 and
                                                                                        verify Accounts
                                                2. Procedures exist to review           Admin signature.
                                                and approve invoices that are
                                                blocked.                                2. Observe
                                                                                        check run and
                                                                                        verify checks
                                                                                        =>$100,000 are
                                                                                        approved by
                                                                                        Accounts Admin.
7   Invoices selected for   Financial   H       1. The system is configured to      P   1. Run a report      1 – D1         1, 2
    payment may not be      loss                propose invoices that are due           of all invoices                     =S
    reviewed.                                   for payment in the automatic            due for a specific   2 – D4
                                                payment run. A/P reviewer               date, and
                                                approval is required before             compare that to
                                                payment.                                the automatic
                                                                                    D   payment run.

                                                                                        2. Document
                                                                                        management's
                                                                                        review of the
                                                                                        Payment
                                                                                        Proposal List and
                                                                                        Exception List.
8   Payments could be       Financial   H       1. SAP automatically assigns a      P   1. Select a          1 – D1         1, 2,
    made more than once     loss from           clearing document number and            sample of paid                      3=S
    for an invoice.         duplicate           clearing date when payment is           invoices and         2 – D1
                            payments.           made for open invoice item.             verify they were
                                                                                        assigned a           3 – D1
                                                2. SAP will not select cleared          clearing
                                                items for payment.                      document
                                                                                        number and
                                                3. Print file disappears after it       clearing date.
                                                is printed, so checks can't be
                                                printed again.                          2. Test the
                                                                                        disbursement run

                                                                                            to make sure no
                                                                                            cleared items
                                                                                            were paid.

                                                                                            3. Document
                                                                                            that the print file
                                                                                            disappears after
                                                                                            it is printed.


9    Payments made are        Misstated     M       1. The FI accounts payable and      P   1. Select a           1 – D1         1=S
     posted to the wrong      financial             FI general ledger are fully             sample of
     accounts.                statements            integrated within SAP. A                invoices and          2 – D1
                              .                     posting to the vendor account           verify the g/l
                                                    will automatically post to the          account entry.
                                                    appropriate reconciliation
                                                    account in the general ledger on    P   2. Review                            2=
                                                    a real time basis. GL account           activity in g/l                      O
                                                    number 222000 is the only               account #220000
                                                    reconciliation account.                 to verify all
                                                                                            invoices were
                                                                                            posted to FI-GL.
10   The check number in      Financial     H       1. SAP automatically assigns a      P   1. Identify           1 – D2 &D4     1=S
     the check register may   loss due to           sequential check number to              process for
     not be updated.          the                   each check, and records it in the       assigning both        2 – D1
                              difficulty            register                                electronic and
                              reconcilin                                                    manual check          3 – D1
                              g bank                2. The check register is used to    P   numbers.
                              accounts,             keep track of physical check                                  4 – D1
                              and noting            numbers.                                2. Review the                        2=S
                              missing                                                       check register for
                              checks.               3. Procedures exist for                 missing check
                                                    reviewing the check number in           numbers.
                                                    the check register. The
                                                    procedures cover:                       3. Observe                           3=
                                                     - Reviewing missing checks              procedures for:                      O
                                                         or check numbers not                - reviewing
                                                         running in sequence;                  missing
                                                     - Reconcile check register                 checks or
                                                         after each check run;                 check
                                                     - Are spoiled manual checks                numbers
                                                         retained;                           - reconciling
                                                     - Checks printed as overflow               check register
                                                         documents are denoted as              after each run
                                                         “void”                              - spoiled checks
                                                     - Payment is made by the                 - voided checks
                                                         first check in the series
                                                         only, and others are               4. Verify SAP
                                                         denoted as “void”.                 reports all voided

                                                                                                checks during the
                                                        4. SAP reports all voided               run.
                                                        checks during the check run,                                               4=S
                                                        and the AP Supervisor reviews           5. Document the
                                                        the report.                             reconciliation of                  5=S
                                                                                                Check register
                                                        5. The AP Supervisor                    and SAP Job Log
                                                        reconciles the number of checks
                                                        from the check register report to
                                                        the count on the Job Log.

11   The discount amount          Financial     M       1. The system automatically         P   1. Select a         1 – D5         1=S
     may be calculated            loss.                 calculates discounts.                   sample of
     incorrectly.                                                                               invoices and
                                                                                                verify that the
                                                                                                appropriate
                                                                                                discount was
                                                                                                taken.
12   The transaction in the       Financial     L       1. The system assigns a             P   1. Select a         1 – D1         1=S
     system may be left as        loss from             clearing number and a clearing          sample of paid
     an open item even-           duplicate             document to close an                    invoices and
     though payment has           payments.             outstanding transaction when            verify they were
     been made.                                         payment is made.                        assigned a
                                                                                                clearing
                                                                                                document
                                                                                                number and
                                                                                                clearing date.
13   In the Check Print           Financial     H       1. Have not had to do a check       P   1. Document         1 – D1         1=O
     Restart and Reset            loss due to           print restart yet. Could not            any “check print
     Payment Batch                discarding            validate.                               restart” events,
     functions:                   spoiled                                                       and verify
     spoiled checks may not       checks.                                                       spoiled checks
     be retained for                                                                            were retained
     evidence as to restart.                                                                    and checks were
     Completeness of                                                                            completed.
     checks may not be
     verified prior to restart.

14   Checks issued to             Financial     M       1. Employees are grouped in a       P   1. Select a         1 – D8         1-4 =
     employees may be             loss.                 separate account group.                 sample of checks                   S
     inappropriate.                                                                             paid to             2-4 – all IP
                                                        2. Supervisory approval             P   employees, and
                                                        required through workflow.              verify proper
                                                                                                approval and
                                                        3. A/P audit review.                D   proper account
                                                                                                group.
                                                        4. Manual approval required         D
                                                        on PCDs entered by A/P clerks.          2-4 Rely on
                                                                                                Invoice

                                                                                           Processing
                                                                                           testing
15   Manual checks issued     Financial     H       1. Manual checks are recorded      P   1. Take an         1-4 – D2    1=S
     may not be recorded in   loss due to           in the SAP check register.             inventory of the
     the system.              the                                                          manual checks,
                              difficulty            2. The City Controller reviews         and verify all
                              reconcilin            the SAP check list prior to the        missing check
                              g bank                release of manual checks.              numbers are in
                              accounts,                                                    SAP and on the
                              and noting            3. An Accounts Admin staff             manual log.
                              missing               member reviews the log of
                              checks.               manual checks to ensure that no        2. Document                    2=O
                                                    checks are missing and all             City Controller
                                                    numbers are entered.                   requires SAP
                                                                                           Check List prior
                                                    4. Blank check stock is                to signing
                                                    secured.                               manual checks.

                                                                                           3. Verify                      3=O
                                                                                           independent
                                                                                           review of manual
                                                                                           check log.

                                                                                           4. Verify blank                4=S
                                                                                           checks are
                                                                                           secure.

16   Printed checks may be    Financial     M       1. The check printer is stored     P   1. Observe the     D1          1 =O
     lost or stolen.          loss                  in a public area, but is               check run, and
                                                    supervised during the printing.        review the
                                                                                           security methods
                                                    2. Checks are mailed out the           used to make
                                                    same day they are printed.             sure checks are
                                                                                           mailed out or
                                                    3. Printed checks kept for pick        kept in a secure
                                                    up are kept in a secretary's           location.
                                                    desk, and locked in the safe for
                                                    the night.

17   Cancellation and re-     Financial     H       1. Controls are in place to        D   1. Select a        1-3 – D11   1, 2,
     issue of checks may be   loss.                 ensure that warrants already           sample of re-                  3=S
     improperly processed.                          issued have not been cashed            issued checks
                              Misstatem             before the re-issue of another         and verify that
                              ent of                warrant by checking with the           the original
                              financial             bank and SAP.                      D   warrant was
                              statements                                                   never cashed.
                              .                     2. Appropriate and authorized
                                                    documentation is received from         2. Agree check
                                                    the vendor for review before the       information to

                                                   re-issue of another warrant.           supporting
                                                                                          documentation.
                                                   3. A/P supervisor checks
                                                   documentation and approves             3. Verify
                                                   transaction                            supervisor
                                                                                          approval on all
                                                                                          re-issued checks.
18   The bank amount in       Financial    H       1. An independent person           D   1. Document         1-2 - D9    1=
     the books may not        loss.                reviews the bank reconciliation.       segregation of                  O
     agree with the amount                                                                duties between
     at hand in bank.         Misstated                                                   disbursements
                              financial            2. The bank account is                 and bank
                              statements           reconciled automatically daily,        reconciliation.
                              .                    with exceptions cleared
                                                   manually.                              2. Select a                     2=S
                                                                                          sample of
                                                                                          reconciliations
                                                                                          and review
                                                                                          unreconciled
                                                                                          items.
19   Signature stamp is       Financial    H       1. The signature stamp is kept         1. Verify the       D2
     used by an               loss                 in a safe in Accounts Admin            signature stamp
     unauthorized person                                                                  is secure.
20   Payment to vendor        Financial    M       1. AP provides Collections with        1. Verify that      D10
     may be made when         loss                 a list of all checks => $100,000       Treasury reviews
     there is a large                              daily for their review.                all checks =>
     outstanding receivable                                                               $100,000.
     from that company
21   Credit memos due to                           1. Finance staff performs a            1. Observe          D7
     Accounts Receivable                           separate payment run for credit        credit memo run
     customers may not be                          memos                                  and document
     processed properly                                                                   issues.



