Company (Name):
Fiscal Year End (Date):
Tested on (Date) / tested by (Name):
Tested in (System):

Sample annotations (margin call-outs on the original sheet):
• A total of 73 tests have been designed to evaluate ALL KEY risks based on best practices and the
• Contains detailed testing instructions, rather than generic descriptions of the tests to be
• Links to the pre-populated test sheets with fill-in fields for company-specific information.
• In addition to the written step-by-step instructions, screen-prints from SAP will be provided to visually assist those new to the system.
• Covers ALL principal expenditure subprocesses: Purchasing; Processing Accounts Payable; Processing Disbursements; Master File maintenance.


Expenditure - Audit Program for SAP R/3 - SAMPLE

Columns used for each control activity below:
Control Activity
Control Activity Type: Preventive / Detective
Control Nature: Manual / Automated
IT Nature: IT Dependent / Non IT-Dependent
Control Rating: High / Medium / Low
Query/Testing Procedure No
Testing Procedures: for each control activity selected for testing, the auditor needs to perform adequate testing procedures to gain reasonable assurance that controls operate effectively in accordance with established policies, procedures, and guidelines. The testing procedures listed under each control activity will assist auditors in performing tests of control for that activity.
Testing Reference: reference to supporting evidence considered pertinent
Conclusion: Effective / Ineffective

Purchasing

Control Objective EXP1: Purchase orders are only placed for approved purchase requisitions.
(Control Objective Assertion: [Balance Sheet] Accrued Expenses: Validity; Payables: Validity; Prepaid Expenses: Validity & [Income Statement] Operating Expenses: Validity)
Control Objective Background: Purchase requisitions are normally used only if an independent purchasing function that procures goods and services to fulfill the organization’s requirements has been established. The purchasing function should not acquire goods or services for which purchase requisitions have not been approved by management.

EXP1.01: Only authorized personnel have the ability to create, change, or cancel:
• Purchase orders,
• Outline agreements (standing purchase orders).
Control Activity Type: Preventive | Control Nature: Automated | IT Nature: IT Dependent | Control Rating: High | Query/Testing Procedure No: 1 | Testing Reference: Tab 1 | Conclusion:

Testing Procedures:
Generate listings of users who have access to create and/or change purchase orders and/or outline agreements. Assess whether it is appropriate for such users to have such access, based on their job responsibilities and established policies, procedures, standards, and guidance.

Perform the following procedures to verify which users have the ability to Create Purchase Order (Vendor Known) in SAP via ME21 or ME21N:

Execute transaction code SUIM
Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values"

AUTHORIZATION OBJECT 1:
• S_TCODE:
  ME21 or ME21N (Create Purchase Order, Vendor Known)

AUTHORIZATION OBJECT 2:
• M_BEST_EKO:
  Activity (ACTVT): 01 (Create)
  Purchasing Org. (EKORG): * (means SOME purch. orgs.) or specify based on the scope of the audit

AUTHORIZATION OBJECT 3:
• M_BEST_WRK:
  Activity (ACTVT): 01 (Create)
  Plant (WERKS): * (means SOME plants) or specify based on the scope of the audit




4d27a36b-244b-4b63-8ffe-3e169b3b18b3.xls                                                                                                                                                                                                                                               Page 1 of 10
Note: Additional authorization objects to consider for this assessment include:
• M_BEST_EKG (can be used to limit your query to specific purchasing group(s) for which purchase orders can be created, e.g., Activity (ACTVT): 01 (Create); Purchasing Group (EKGRP): specify your selected value here)
• M_BEST_BSA (can be used to limit your query to specific purchasing document type(s) for which purchase orders can be created, e.g., Activity (ACTVT): 01 (Create); Purchasing document type (BSART): specify your selected value here)

Export results to the Tab referenced in the "Testing Ref." column for further analysis. Review whether it is appropriate for the users to have such access, based on their job responsibilities and established policies, procedures, standards, and guidance. Compare the results of the test with the information obtained from the interviews with the individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.




• • •
Control Objective EXP2: Purchase orders are entered accurately.
(Control Objective Assertion: [Balance Sheet] Accrued Expenses: Recording; Payables: Recording; Prepaid Expenses: Recording & [Income Statement] Operating Expenses: Recording)

Control Objective Background: Inaccurate input of purchase orders could lead to financial losses due to incorrect goods or services being purchased.

EXP2.01: System edits / validations have been configured in the SAP R/3 system for the following documents:
• Purchase Requisitions
• Purchase orders
• Contracts
• Outline agreements
• Payment Transactions.
In addition, the following configurations have been implemented according to management's intentions:
• Matching parameters designed to flag "potential" duplicate invoices
• Tolerances and posting rules for 2 and 3 way matching.
Control Activity Type: Preventive | Control Nature: Automated | IT Nature: IT Dependent | Control Rating: High | Query/Testing Procedure No: 24 | Testing Reference: N/A (if needed, include reference to supporting evidence considered pertinent) | Conclusion:

Testing Procedures:
Tolerance limits - for two aspects, namely price variance (the net price compared to the valuation price) and maximum cash discount deduction, variances may be set. It is also possible to specify in the system whether the message that the system issues is a warning or an error message.

Perform the following procedures to check if the tolerance limits for price variance (PO versus Receipt) are set up correctly:

• Variance settings:
  Execute transaction code OMEU (Set tolerance limits for price variance)
  The system will show an overview of the defined tolerance limits
  Double-click on the entries that relate to the company being audited
  Two entries must be checked: Tolerance key PE (price) & Tolerance key SE (discount)
  Note the values shown:
  - Both a lower and upper limit may be specified
  - Both in an absolute (PE only) & a percentage value

Ascertain whether the values noted comply with management’s intentions.




• Message settings:
  Execute transaction code OME0 (Define system messages for price variance)
  Click on the "Position" button
  Enter 00 (version), 06 (application area) and 207 (message number for price variance) and press "Enter"
  Note the value in the field "Categories"
  If tolerance limits are exceeded, possible messages are W for a warning and E for an error

Ascertain whether the values noted comply with management’s intentions.
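As an added example (editor's code, not part of the audit program and not an SAP export), the OMEU and OME0 readings taken in the steps above can be recorded and compared with management's intended values by script, so the same test is repeated identically for every company code in scope. The two screens are modelled as plain records; the company codes, intended values and field names are constructed for the example. A limit whose check box is set to "Do not check" is represented as None and reported separately from a limit that is merely looser than intended, and a message that was never maintained in OME0 is reported separately from one downgraded from E to W, since those are different findings for the auditor.

```python
"""Configuration check for the OMEU tolerance limits and the OME0 message in EXP2.01.
Added example, not from the audit program. Records are a constructed model of what the
two screens show; they are not exports of the underlying SAP customizing tables."""

# OMEU: one row per company code (BUKRS) and tolerance key. None = "Do not check".
TOLERANCES = [
    {"BUKRS": "1000", "KEY": "PE", "lower_abs": 50.0, "lower_pct": 5.0, "upper_abs": 100.0, "upper_pct": 10.0},
    {"BUKRS": "1000", "KEY": "SE", "upper_pct": 3.0},
    {"BUKRS": "2000", "KEY": "PE", "lower_abs": None, "lower_pct": None, "upper_abs": None, "upper_pct": 25.0},
    # company code 3000: nothing maintained at all
]

# OME0: (version, application area, message number) -> category W (warning) or E (error)
MESSAGES = {("00", "06", "207"): "E"}

# Management's intentions: an assumption for the example, to be replaced by the documented values
INTENDED = {
    "PE": {"lower_abs": 50.0, "lower_pct": 5.0, "upper_abs": 100.0, "upper_pct": 10.0},
    "SE": {"upper_pct": 3.0},
    "message": ("00", "06", "207", "E"),
}

def check_tolerances(tolerances, intended, company_codes):
    """Return {company code: [findings]}; an empty list means the OMEU values match."""
    findings = {}
    for bukrs in company_codes:
        issues = []
        rows = {r["KEY"]: r for r in tolerances if r["BUKRS"] == bukrs}
        for key in ("PE", "SE"):
            row = rows.get(key)
            if row is None:
                issues.append("tolerance key %s not maintained" % key)
                continue
            for limit, want in intended[key].items():
                have = row.get(limit)
                if have is None:
                    issues.append("%s %s set to 'Do not check'" % (key, limit))
                elif have > want:
                    issues.append("%s %s is %s, looser than intended %s" % (key, limit, have, want))
        findings[bukrs] = issues
    return findings

def check_message(messages, intended):
    """Findings for the price-variance message: not maintained, or category differs."""
    version, area, number, category = intended["message"]
    key = "%s/%s/%s" % (version, area, number)
    have = messages.get((version, area, number))
    if have is None:
        return ["message %s not maintained in OME0" % key]
    if have != category:
        return ["message %s is category %s, intended %s" % (key, have, category)]
    return []

if __name__ == "__main__":
    print(check_tolerances(TOLERANCES, INTENDED, ["1000", "2000", "3000"]))
    print(check_message(MESSAGES, INTENDED))
```

The findings lists map directly onto the "Exception Details" column: one entry per deviation, per company code, so an "Ineffective" conclusion can cite exactly which limit or message category departs from management's intentions.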


• • •

Processing Disbursements

Control Objective EXP8: Disbursements are only made for goods and/or services received.
(Control Objective Assertion: [Balance Sheet] Accrued Expenses: Completeness; Payables: Completeness; Prepaid Expenses: Validity & [Income Statement] Operating Expenses: Validity)

Control Objective Background: Unauthorized payments could be made to fictitious parties, and such errors might not be detected.

EXP8.02: Only authorized personnel have the ability to:
• Release invoices that have been blocked for payment, either for an individual invoice or for a specified vendor.
Control Activity Type: Preventive | Control Nature: Automated | IT Nature: IT Dependent | Control Rating: High | Query/Testing Procedure No: 65 | Testing Reference: Tab 36 | Conclusion:

Testing Procedures:
When a vendor invoice is entered in the system, it can be blocked. To do this, management can enter a blocking key in the item, which represents the reason for blocking. If management wants to block the account of a business partner from payment, they enter the blocking key in the business partner's master record. A posting block can be set for a specific vendor account for certain company codes or for all company codes. When a vendor account is blocked centrally, both posting and order processing (where Materials Management is implemented) are prevented. A vendor account can also be blocked for posting to this account only.

Perform the following procedures to produce a list of users with access to process blocked invoices in SAP:

Execute transaction code SUIM
Proceed to the Users By Authorization Values screen via "User" -> "Users By Complex Selection Criteria" -> "By Authorization Values"

AUTHORIZATION OBJECT 1:
• S_TCODE:
  MR02 (Process blocked invoices)

AUTHORIZATION OBJECT 2:
• M_RECH_SPG:
  Activity (ACTVT): 02
  Blocking reason (SPEGR): * (means SOME blocking reason(s)) or restrict to selected values below:
  - G (Order price quantity) OR
  - M (Quantity) OR
  - P (Price) OR
  - Q (Manually) OR
  - T (Date)




Export results to the Tab referenced in the "Testing Ref." column for further analysis. Review whether it is appropriate for the users to have such access, based on their job responsibilities and established policies, procedures, standards, and guidance. Compare the results of the test with the information obtained from the interviews with the individuals responsible for the control activity. Investigate any discrepancies. Document your conclusions.
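The two SUIM listings (EXP1.01 for creating purchase orders, EXP8.02 for releasing blocked invoices) and the exclusion rules printed in the Tab 1 / Tab 36 sheet headers can be reproduced offline from table exports, which helps when the query has to be re-run for several purchasing organizations, plants or review dates. The script below is an added example by the editor, not part of the audit program and not SAP's own code: it assumes exports modelled on the tables USR02 (user master), AGR_USERS (role assignments) and AGR_1251 (authorization values in roles); the field names follow those tables but are an assumption if your export differs, and every record in it is constructed. It makes explicit two points the procedure depends on: a user is listed only when an authorization instance in a currently assigned role matches every field of every object (a transaction code alone, or display activity 03, does not qualify, which is why the procedure asks for all three objects rather than S_TCODE on its own), and the lock, validity and user-type exclusions are applied after the authorization match, so the excluded users can still be documented rather than silently dropped. One practitioner caveat: on releases where blocked invoices are released through MRBR rather than MR02, add that transaction code to the S_TCODE values or the listing will be incomplete.

```python
"""Access review for the SUIM listings in EXP1.01 (Tab 1) and EXP8.02 (Tab 36).
Added example, not part of the audit program. Inputs are modelled on exports of the
SAP tables USR02, AGR_USERS and AGR_1251 (field names are an assumption if your
export differs); every record below is constructed sample data."""
from datetime import date

AS_OF = date(2011, 6, 30)                                   # review date (assumption)
SINCE, FOREVER = date(2009, 1, 1), date(9999, 12, 31)

# USR02-like: UFLAG 0/blank = not locked; GLTGV..GLTGB validity; USTYP user type
USR02 = [
    {"BNAME": "JSMITH",   "UFLAG": 0,   "GLTGV": None, "GLTGB": None,               "USTYP": "A"},
    {"BNAME": "MLEE",     "UFLAG": 0,   "GLTGV": None, "GLTGB": date(2010, 12, 31), "USTYP": "A"},  # expired
    {"BNAME": "PKUMAR",   "UFLAG": 128, "GLTGV": None, "GLTGB": None,               "USTYP": "A"},  # locked
    {"BNAME": "RFC_EDI",  "UFLAG": 0,   "GLTGV": None, "GLTGB": None,               "USTYP": "C"},  # communication
    {"BNAME": "BATCHJOB", "UFLAG": 0,   "GLTGV": None, "GLTGB": None,               "USTYP": "S"},  # service, kept
    {"BNAME": "AP_CLERK", "UFLAG": 0,   "GLTGV": None, "GLTGB": None,               "USTYP": "A"},
    {"BNAME": "INTERN",   "UFLAG": 0,   "GLTGV": None, "GLTGB": None,               "USTYP": "A"},
]
# AGR_USERS-like: (role, user, assignment valid from, valid to)
AGR_USERS = [(role, user, SINCE, FOREVER) for role, user in (
    ("Z_PO_CREATE_ALL", "JSMITH"), ("Z_PO_CREATE_ALL", "MLEE"), ("Z_PO_CREATE_1000", "PKUMAR"),
    ("Z_PO_CREATE_1000", "RFC_EDI"), ("Z_PO_CREATE_1000", "BATCHJOB"),
    ("Z_AP_BLOCKED_INV", "AP_CLERK"), ("Z_PO_DISPLAY", "AP_CLERK"), ("Z_PO_DISPLAY", "INTERN"))]
# AGR_1251-like: (role, object, instance, field, low, high); all fields of one instance must match
AGR_1251 = [
    ("Z_PO_CREATE_ALL",  "S_TCODE",    "T-A1", "TCD",   "ME21N", ""),
    ("Z_PO_CREATE_ALL",  "M_BEST_EKO", "T-A2", "ACTVT", "01",    ""),
    ("Z_PO_CREATE_ALL",  "M_BEST_EKO", "T-A2", "EKORG", "*",     ""),
    ("Z_PO_CREATE_ALL",  "M_BEST_WRK", "T-A3", "ACTVT", "01",    ""),
    ("Z_PO_CREATE_ALL",  "M_BEST_WRK", "T-A3", "WERKS", "*",     ""),
    ("Z_PO_CREATE_1000", "S_TCODE",    "T-B1", "TCD",   "ME21",  "ME21N"),  # from-to range
    ("Z_PO_CREATE_1000", "M_BEST_EKO", "T-B2", "ACTVT", "01",    ""),
    ("Z_PO_CREATE_1000", "M_BEST_EKO", "T-B2", "EKORG", "1000",  ""),
    ("Z_PO_CREATE_1000", "M_BEST_WRK", "T-B3", "ACTVT", "01",    ""),
    ("Z_PO_CREATE_1000", "M_BEST_WRK", "T-B3", "WERKS", "10*",   ""),       # trailing-asterisk prefix
    ("Z_PO_DISPLAY",     "S_TCODE",    "T-C1", "TCD",   "ME21N", ""),       # tcode granted ...
    ("Z_PO_DISPLAY",     "M_BEST_EKO", "T-C2", "ACTVT", "03",    ""),       # ... but display only
    ("Z_PO_DISPLAY",     "M_BEST_EKO", "T-C2", "EKORG", "*",     ""),
    ("Z_AP_BLOCKED_INV", "S_TCODE",    "T-D1", "TCD",   "MR02",  ""),
    ("Z_AP_BLOCKED_INV", "M_RECH_SPG", "T-D2", "ACTVT", "02",    ""),
    ("Z_AP_BLOCKED_INV", "M_RECH_SPG", "T-D2", "SPEGR", "*",     ""),
]
# Values as typed into SUIM "By Authorization Values" (EKORG/WERKS narrowed to the audit scope)
PO_CREATE = {"S_TCODE": {"TCD": "ME21N"}, "M_BEST_EKO": {"ACTVT": "01", "EKORG": "1000"},
             "M_BEST_WRK": {"ACTVT": "01", "WERKS": "1000"}}
BLOCKED_INVOICE_RELEASE = {"S_TCODE": {"TCD": "MR02"}, "M_RECH_SPG": {"ACTVT": "02", "SPEGR": "P"}}

def value_matches(low, high, value):
    """Authorization value semantics: from-to range, '*' = everything, trailing '*' = prefix."""
    if high:
        return low <= value <= high
    if low == "*":
        return True
    if low.endswith("*"):
        return value.startswith(low[:-1])
    return low == value

def active_roles(user, as_of):
    return {r for r, u, frm, to in AGR_USERS if u == user and frm <= as_of <= to}

def has_authorization(user, required, as_of=AS_OF):
    """True if, for every required object, one instance in an active role matches all fields."""
    roles = active_roles(user, as_of)
    for obj, fields in required.items():
        instances = {}
        for role, o, auth, field, low, high in AGR_1251:
            if role in roles and o == obj:
                instances.setdefault((role, auth), {}).setdefault(field, []).append((low, high))
        if not any(all(any(value_matches(lo, hi, want) for lo, hi in inst.get(f, []))
                       for f, want in fields.items()) for inst in instances.values()):
            return False
    return True

def exclusion_reason(rec, as_of=AS_OF):
    """The exclusions printed in the test-sheet header; None means the user stays in scope."""
    if rec["UFLAG"]:
        return "locked"
    if (rec["GLTGB"] and rec["GLTGB"] < as_of) or (rec["GLTGV"] and rec["GLTGV"] > as_of):
        return "outside validity period"
    if rec["USTYP"] in ("D", "C"):
        return "user type %s (no end-user access)" % rec["USTYP"]
    return None

def review(required, as_of=AS_OF):
    """(user IDs to list on the tab, {excluded user: reason}) for one SUIM query."""
    listed, excluded = [], {}
    for rec in USR02:
        if has_authorization(rec["BNAME"], required, as_of):
            reason = exclusion_reason(rec, as_of)
            if reason:
                excluded[rec["BNAME"]] = reason
            else:
                listed.append(rec["BNAME"])
    return sorted(listed), excluded

if __name__ == "__main__":
    for tab, req in (("Tab 1", PO_CREATE), ("Tab 36", BLOCKED_INVOICE_RELEASE)):
        print(tab, review(req))
```

The match is evaluated per user across all of that user's active roles, which is how SAP evaluates an authorization check: any single authorization instance of an object may satisfy it, but all fields of that instance must match. The value semantics (exact value, trailing '*' prefix, from-to range, '*' alone for everything) follow the way values are maintained in roles and are the editor's approximation of the runtime check; if your export contains other patterns, extend value_matches before relying on the output. Running the block prints the Tab 1 list (JSMITH and the service user BATCHJOB) with MLEE, PKUMAR and RFC_EDI excluded for the reasons the sheet header gives, and INTERN absent because the display role grants ME21N without ACTVT 01.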


• • •

*** THIS IS A SAMPLE, NOT A COMPLETE AUDIT PROGRAM ***

The complete audit program is available at http://soxmadeeasy.com/SAP_Expenditure.html and contains 73 tests designed to help audit, risk and security professionals attain reasonable assurance that controls over the Expenditure business cycle in SAP R/3 operate effectively and in accordance with management's intentions, including:

• Purchasing - controls to ensure that purchase orders are entered accurately and (if a purchasing function has been established) are only placed for approved purchase requisitions, etc.:
  - Access to create, maintain, & release purchase orders, purchase requisitions and outline agreements
  - Release procedure for purchase orders and purchase requisitions; source list maintenance
  - System edits for purchase requisitions, purchase orders, outline agreements, & payment transactions
  - Tolerances and posting rules for price variance (PO versus Receipt)
  - Tolerances and posting rules for PO/Invoice Price variance and quantity variance (Invoice versus PO)
  - Goods received invoice verification and GR-based invoice verification
  - System edits for purchasing documents (document type, posting keys, tolerance groups) and more.


• Processing Accounts Payable - controls to ensure that the amounts posted to A/P represent goods/services received, accurately calculated and recorded, and that credit notes and other adjustments related to A/P are accurately calculated, recorded and processed, etc.:
  - Access to enter/maintain/release credit notes, invoices, credit memos, and recurring payments
  - Access to maintain the exchange rate table, rounding units, and foreign currency ratios
  - Access to maintain the Goods receipt/ Invoice receipt (GR/IR) account
  - Access to create, change, or delete vendor pricing information and much more.

• Processing Disbursements - controls to ensure that disbursements are only made for goods/services received, accurately calculated and recorded, and distributed to the appropriate suppliers, etc.:
  - Access to modify payment run parameters, edit payment run proposal, execute payment run
  - Access to block/unblock vendors, release invoices blocked for payment
  - Alternative payee and one time vendor functionalities
  - Edits/validations of the payment and order entry transactions and much more.

• Maintaining Supplier and/or Vendor Master Files - controls to ensure validity, accuracy, and timeliness of changes to the vendor master files, etc.:
  - Access to create, change, or delete vendor master records
  - Segregation/separation of duties within SAP R/3 expenditures functions
  - Monitoring changes to vendor master data and more.




Exception and remediation columns (completed for each control concluded Ineffective):
Exception Details: for ineffective controls
Mitigating Controls: for ineffective controls
Planned Remediation Procedures: for ineffective controls
Planned Remediation Date: for ineffective controls
Remediation Status: Completed / In Progress
Ref. to Post-Remediation Testing Details: if applicable




Tab 1 (test sheet for EXP1.01)

Columns:
Count (insert additional rows as needed)
User ID
User Name
Locked? (Yes/No) - exclude locked user IDs; "0" or blank in this field means that the user ID is NOT locked
Valid From
Valid Through - exclude IDs that are past their validity date (no access)
User Type - exclude D (System) and C (Communication) IDs (no end-user access); leave A (Dialog) and S (Service) IDs for analysis
Access Appropriate as per the Job Responsibilities? (Yes/No)
Exceptions Noted? (Yes/No)
Comments / Exception Detail

Rows 1 to 5 are blank in the sample. The Total row counts the users listed, the number with access marked appropriate, and the number of exceptions noted (all 0 in the blank sample).
Tab 36 (test sheet for EXP8.02)

Same columns, exclusion rules and Total row as Tab 1: Count; User ID; User Name; Locked? (Yes/No, exclude locked user IDs); Valid From; Valid Through (exclude IDs past their validity date); User Type (exclude D and C IDs, keep A and S IDs for analysis); Access Appropriate as per the Job Responsibilities? (Yes/No); Exceptions Noted? (Yes/No); Comments / Exception Detail. Rows 1 to 5 are blank in the sample.

				