Detailed Control Worksheet

Module: Purchasing/Contract Management

Assumptions

The main functions/processes are:
1) General Administration
2) Selection of Vendors
3) Request for Quotation Process on Purchase Orders (bidding, quotes, etc.)
4) Maintaining Vendor Information (Accounts Payable functions, performed in PeopleSoft)
5) Purchasing
6) Matching Goods Received with Purchase Orders
7) Liability Recording
8) Reporting
9) Data Conversion
10) System Interfaces
11) General EDP Controls

The following RACA covers only the Purchasing and Contract Management modules of PassPort (PORTAL Project). Purchasing business processes have not been included.
1) General Administration

Risk 1. Lack of written policies and procedures results in inconsistencies.
Control 1. Procedural control. Purchasing policies and procedures are established and available on BCH's intranet.
References: Purchasing Procedure - Corporate Policy Statement (CPS); Local Purchasing (CPS); Standard Form Contract Documents (CPS); Supplier Development (CPS); Inventory Procedure (CPS).
Comments: This is not a system risk or control; purchasing procedures exist outside the PassPort system. The Purchasing RACA covers PassPort system controls only. Purchasing business procedures have not been included but are governed by BCH Corporate Policy Statements.

Risk 2. Goods are purchased without authorization.
Control 1. Segregation of duties between purchasing, receiving, accounts payable and end users. End users approve requirements based on signing approval levels that will be set up in PassPort.
References and test scripts: Work Flow Analysis Report 4a-42-51 Purchasing Security Profiles; Inventory WFAR-Sec 4a Major Data Structures - SECURITY 211002; C1.0 Contract Requisition; Purchasing/4/SIT1 or 6/SIT2.
Comments: Special security is applied to all employees to permit them to execute only their job functions. Security is tested through all test scripts with special role user ids and through SIT (system integration testing).

2) Selection of Vendors

Risk 1. Purchases may be made from unauthorized vendors.
Control 1. System control. Purchase orders can be raised only with vendors who are in the vendor database.
Control 2. Vendors must be active (utilized during the past year).
Control 3. The vendor database is maintained in PeopleSoft; purchasing has read-only access.
References and test scripts: PeopleSoft Data Base Security Profiles; integration testing.
Comments: The vendor database is maintained in PeopleSoft and purchasing has read-only access. See the appropriate PeopleSoft RACA.
3) Request for Quotation Process

Risk 1. A Request for Quotation (RFQ) may be created by unauthorized personnel.
Control 1. System control. An RFQ can only be created by authorized personnel (Corporate Buyers, Material Planner Buyers and appropriate Purchasing staff).
References and test scripts: 4a-42-51 Purchasing Security Profile; P02.1 Create RFQ.

4) Maintaining Vendor Information

These are all Accounts Payable functions and are performed in PeopleSoft.

5) Purchasing

Risk 1. Lack of segregation of duties between Purchasing and the requestor of goods or services results in the possibility of the same person creating both the request and the purchase order.
Control 1. System control. End users cannot create purchase orders or contracts; buyers and material planner buyers cannot create material requests or contract requisitions. This control is achieved and maintained by the security tables.
References and test scripts: 4a-42-51 Purchasing Security Profile; Inventory WFAR-Sec 4a Major Data Structures - SECURITY 211002; Inventory WFAR-I09.0 Material Request; Inventory WFAR-I09.S1 Material Request; C1.0 Contract Requisition; C3.1 Create Contract; C3.2 Amend Contract; P3.1 Create PO; P3.2 Approve PO; P3.3 Revise PO.

Risk 2. Corporate buyers are able to create contracts, purchase orders and requests, and Material Planner Buyers are able to create purchase orders and requests, without end user approval.
Control 1. System control. Buyers and material planner buyers cannot create material requests or contract requisitions. This control is achieved and maintained by the security tables.
Control 2. This is an acceptable risk that is also present in the legacy system. There is no specific system control.
References and test scripts: 4a-42-51 Purchasing Security Profile.
Comments: There is no system control that prevents buyers from creating purchase orders, requests and contracts without end user approval. The project team considers this an acceptable risk, as it already exists in the legacy systems.

Risk 3. Support clerks are able to create material and contract requests. They can also create the purchase order if the item is from outside Canada and costs less than $10k.
Control 1. This is an acceptable risk that is also present in the legacy system. There is no specific system control.
References and test scripts: 4a-42-51 Purchasing Security Profile.
Comments: There is no system control that prevents support clerks from creating material or contract requests, for purchases of less than $10k from outside Canada, without end user approval. The project team considers this an acceptable risk, as it already exists in the legacy systems.
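The segregation-of-duties controls above rest on the PassPort security tables: a role is granted only the transactions its job needs, and no single person should be able to hold both sides of a conflicting pair (request and create PO, create and approve PO, create PO and receive, receive and pay). The following is an added illustration of how such a table can be audited and how the approval gate can be enforced; it is not code from the RACA or from PassPort. The transaction codes and role names are taken from the worksheet (I09.0 Material Request, C1.0 Contract Requisition, P3.1 Create PO, P3.2 Approve PO, I03.0 Receiving), while the role-to-transaction assignments, the conflict matrix, the signing limits and the user names are constructed assumptions for the example.

```python
"""Segregation-of-duties (SoD) audit over a role/permission table.

Added example, not part of the BC Hydro RACA or of PassPort. Transaction
codes and role names follow the worksheet; the assignments below, the
conflict matrix, the signing limits and the users are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed role -> transactions table (mirrors the worksheet's description:
# end users request, buyers create POs/contracts, receivers receive, AP pays).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "end_user": frozenset({"I09.0 Material Request", "C1.0 Contract Requisition"}),
    "support_clerk": frozenset({"I09.0 Material Request", "C1.0 Contract Requisition"}),
    "corporate_buyer": frozenset({
        "P02.1 Create RFQ", "P3.1 Create PO", "P3.3 Revise PO",
        "C3.1 Create Contract", "C3.2 Amend Contract",
    }),
    "material_planner_buyer": frozenset({
        "P02.1 Create RFQ", "P3.1 Create PO", "P3.3 Revise PO", "P3.4 Expedite PO",
    }),
    "po_approver": frozenset({"P3.2 Approve PO"}),
    "receiver": frozenset({"I03.0 Receiving", "I03.1 OSDD"}),
    "accounts_payable": frozenset({"AP Invoice Match", "AP Payment"}),
}

# Assumed conflict matrix: one user must never hold both halves of a pair
# (requestor vs. buyer, buyer vs. approver, buyer vs. receiver,
# receiver vs. payment, buyer vs. payment).
SOD_CONFLICTS: frozenset[frozenset[str]] = frozenset({
    frozenset({"I09.0 Material Request", "P3.1 Create PO"}),
    frozenset({"C1.0 Contract Requisition", "C3.1 Create Contract"}),
    frozenset({"P3.1 Create PO", "P3.2 Approve PO"}),
    frozenset({"P3.1 Create PO", "I03.0 Receiving"}),
    frozenset({"I03.0 Receiving", "AP Payment"}),
    frozenset({"P3.1 Create PO", "AP Payment"}),
})


def effective_permissions(roles: list[str]) -> frozenset[str]:
    """Union of the transactions granted by every role a user holds."""
    unknown = [r for r in roles if r not in ROLE_PERMISSIONS]
    if unknown:
        raise KeyError(f"unknown role(s): {unknown}")
    return frozenset().union(*(ROLE_PERMISSIONS[r] for r in roles))


def sod_violations(roles: list[str]) -> list[tuple[str, str]]:
    """Conflict pairs that a user holding these roles would possess in full."""
    perms = effective_permissions(roles)
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= perms)


def audit_assignments(user_roles: dict[str, list[str]]) -> dict[str, list[tuple[str, str]]]:
    """Users whose combined roles violate SoD, mapped to the offending pairs."""
    report: dict[str, list[tuple[str, str]]] = {}
    for user, roles in user_roles.items():
        found = sod_violations(roles)
        if found:
            report[user] = found
    return report


@dataclass
class PurchaseOrder:
    number: str
    amount: float
    created_by: str
    approved_by: str | None = None


def approve_po(po: PurchaseOrder, approver: str,
               user_roles: dict[str, list[str]],
               signing_limits: dict[str, float]) -> PurchaseOrder:
    """Approval gate: right transaction, a different person, enough signing level."""
    if "P3.2 Approve PO" not in effective_permissions(user_roles.get(approver, [])):
        raise PermissionError(f"{approver} is not permitted to approve purchase orders")
    if approver == po.created_by:
        raise PermissionError("the creator of a PO may not approve it")
    if po.amount > signing_limits.get(approver, 0.0):
        raise PermissionError(f"{approver}'s signing limit is below {po.amount:.2f}")
    return PurchaseOrder(po.number, po.amount, po.created_by, approver)


if __name__ == "__main__":
    # Constructed user list; "carol" and "dave" are the deliberate violations.
    users = {
        "alice": ["end_user"],
        "bob": ["corporate_buyer"],
        "carol": ["end_user", "corporate_buyer"],
        "dave": ["receiver", "accounts_payable"],
        "erin": ["po_approver"],
    }
    for user, pairs in audit_assignments(users).items():
        print(f"SoD violation for {user}: {pairs}")
    po = approve_po(PurchaseOrder("PO-1001", 8500.0, "bob"), "erin", users, {"erin": 25000.0})
    print(f"{po.number} approved by {po.approved_by}")
```

The audit is the check a reviewer would run against a security table export before go-live: it catches conflicts that arise only from role accumulation (a user holding two individually acceptable roles), which a per-role review misses. Note that the accepted risks recorded under Risks 2 and 3 above (buyers and support clerks acting without end user approval) are not expressible as a toxic pair and would have to be covered by a separate approval-workflow check such as the signing-level gate in `approve_po`.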
5) Purchasing (continued)

Risk 4. Lack of approval for the purchase of goods or services.
Control 1. System control. Users will be set up with the correct signing levels through central control of the security tables.
References and test scripts: 4a-42-51 Purchasing Security Profile; Inventory WFAR-I09.0 Material Request; Inventory WFAR-I09.S1 Material Request; C1.0 Contract Requisition.

Risk 5. Unauthorized purchases are made and liabilities incurred.
Control 1. System control. Security will be established so that only authorized personnel are able to approve requests, purchase orders and contracts, and receive goods. Purchases of services are approved by authorized personnel on invoices; signatures are verified in Accounts Payable at the time of payment.
Control 2. End users and Accounts Payable personnel do not have access to create or approve orders or contracts.
References and test scripts: 4a-42-51 Purchasing Security Profile; Inventory WFAR-Sec 4a Major Data Structure - SECURITY 211002; C1.0 Contract Requisition; C3.1 Create Contract; C3.2 Amend Contract; P3.1 Create PO; P3.2 Approve PO; P3.3 Revise PO; Inventory WFAR-I09.S1 Material Request; Purchasing/4/SIT1 or 6/SIT2.

Risk 6. Discrepancies between the quantities of goods received and the quantities of goods purchased are not recorded.
Control 1. Inventoried goods received are recorded in the system by the receiving department. Users with appropriate signing authority are responsible for receiving and manually recording non-inventory items.
Control 2. Quantities received are automatically verified against the PO quantity, with an online message to the receiver.
Control 3. Discrepancies require the receiver to issue a report to the buyer requiring an amended PO.
References and test scripts: I03.0 Receiving (Inventory WFAR); I03.1 OSDD (Inventory WFAR); I03.0 S1 Receiving; I03.1 S1 OSDD; Inventory/D130/06.
5) Purchasing (continued)

Risk 7. Excessive or incorrect quantities of materials are ordered.
Control 1. Procedural control. Authorized end users are responsible for determining requirements.
Control 2. Buyers are notified on-line of overspent POs and will contact the end user.
Control 3. Accounts Payable will contact the material planner buyer for acceptance on inventory purchase orders where quantities differ.
Control 4. Forecasting is done by the Material Planner Buyer in the Inventory module to ensure correct quantities are ordered.
References and test scripts: I09.0 Material Request (Inventory WFAR); I09.S1 Material Request; 3c-P3.1-5 Create, Approve, Revise & Expedite Purchase Order (WFARs); PeopleSoft Accounts Payable RACA; I02.0 Forecasting (Inventory WFAR); I02.0 S1 Forecasting; integration testing.

Risk 8. Automated re-ordering results in the purchase of unrequired stock.
Control 1. Automated re-ordering is limited to inventoried items.
Control 2. The slow-moving inventory report is reviewed for adjustments to re-ordering.
References and test scripts: I02.1 Replenishment (Inventory WFAR); I02.2 Order Parameter Analysis Report (Inventory WFAR); I02.2 S1 Order Parameter Analysis Report; I16.0 Surplus Analysis (Inventory WFAR); I16.0 S1 Surplus Analysis; Inventory/D130/06.

Risk 9. Materials and services are not received when needed due to purchasing delays.
Control 1. This is controlled and monitored by the end user and purchasing through the expediting process.
References and test scripts: P3.4 Expedite PO (NOTE: test scripts P3.4.1A and P3.5.6 are planned to be completed before go-live); 3c-P3.4-1 Expedite Purchase Order; C3.4 Close Contract.

Risk 10. Delivery to unauthorized (non-Hydro) locations can be specified.
Control 1. Purchase orders and contracts indicate delivery locations drawn from codes defined in the system. The codes are entered by the end user when they create a material request or contract requisition.
Control 2. Payments are not made without a receiving report.
References and test scripts: 3c-P3-1 Purchase Order; 3c-C3.1-1 Create Contract; I09.0 Material Request; I09.S1 Material Request; I03.0 Receiving (Inventory WFAR); I03.S1 Receiving; C1.0 Contract Requisition; Purchasing/4/SIT1 or 6/SIT2.

Risk 11. Outstanding purchase orders are not followed up, resulting in materials not arriving on time for field work.
Control 1. A list of outstanding purchase orders displayed on the expediting panel is continually reviewed by the material planner buyers. Automatic on-line reminders are sent to the material planner buyers when the next review date is reached.
References and test scripts: 3c-P3.4-1 Expedite Work Order; 3c-P3.1-5 Create, Approve, Revise, and Expedite Purchase Order; P3.4 Expedite PO; integration testing.
6) Matching Goods Received with Purchase Orders

Risk 1. Goods can be received without a purchase order.
Control 1. Segregation of duties between the receiver and the personnel creating purchase orders.
References and test scripts: 4a-42-51 Purchasing Security Profiles; I03.0 Receiving; I03.0S1 Receiving.
Comments: Special security is applied to all employees to permit them to execute only their job functions. Security is tested through all test scripts with special role user ids and through SIT (system integration testing).

7) Liability Recording

All risks and functions related to payments, recording of payables, LPOs, cost distribution and tax recording are Accounts Payable functions.

Risk 1. Liabilities are not recorded.
Control 1. Procedural control. Segregation of duties: different personnel have purchasing and accounts payable responsibilities.
Control 2. Internal and external audits.
Control 3. Regular review of outstanding purchase orders by buyers.
Control 4. Invoices and receiving slips go directly to accounts payable, not to purchasing.
Control 5. Unmatched documents are investigated regularly by material buyers.
References and test scripts: 4a-42-51 Purchasing Security Profile; Inventory WFAR; P3.5 Close PO; C3.4 Close Contract.

Risk 2. Fixed asset acquisitions and disbursements are not properly authorized and recorded.
Control 1. Fixed asset transactions are under the same controls as other purchases.
Control 2. Fixed asset transactions also require an approved capital asset requisition and multiple approving authorities.
Comments: Fixed asset transactions are under the same controls as other purchases and also require completion of multiple approved capital asset requisitions (CAR). Fixed asset transactions are under the same controls as other purchases and also require completion of multiple approved expenditure authorization requests (EAR).
7) Liability Recording (continued)

Risk 3. Incorrect amounts and quantities are recorded.
Control 1. Segregation of duties between accounts payable, inventory and purchasing.
Control 2. Controlled by the end user, who is responsible for receipt and costs.
Control 3. Invoices are checked against POs and receiving slips by accounts payable.
References and test scripts: 4a-42-51 Purchasing Security Profile; PeopleSoft Responsibility Reporting; I03.1 OSDD; I03.0 Receiving; I03.1S1 OSDD; I03.0S1 Receiving; Inventory/D130/06.

Risk 4. Accumulated amounts or quantities exceed standing purchase order limits.
Control 1. The inventory buyer is required to authorize a change-over request for an increase in quantity.
Control 2. The buyer must contact the end user for an increase in the cost amount.
Control 3. The buyer and accounts payable are notified on-line when quantity or dollar limits exceed the PO.
References and test scripts: 3c-P3.3-1 Revise Purchase Order; 3c-C3.1-1 Create Contract; C3.1 Create Contract; C3.2 Amend Contract; P3.1 Create PO; P3.3 Revise PO; P3.5 Close PO; C3.4 Close Contract; integration testing.

Risk 5. Price information used to update the average price calculation is incorrect or incomplete.
Control 1. Price comparison by buyers when obtaining quotes.
Comments: Business procedure; no system control.

8) Reporting

Risk 1. Charges are distributed to improper accounts.
Control 1. The system validates account numbers.
Control 2. Managers review monthly charges.
References and test scripts: PeopleSoft Responsibility Reporting.
Comments: Account numbers are centrally administered and new account numbers must be requested. The system validates account numbers. Managers are accountable for monthly charges and budgets.
9) Data Conversion

Risk 1. Data is incorrectly converted from legacy systems into PassPort.
Control 1. Procedural control. System and conversion testing ensure that field types are properly mapped from one system to the other, using control totals.
Control 2. Test scripts and test results are documented.
Control 3. User sign-offs are obtained.
References and test scripts: 6.1 Conversion Analysis; module test scripts and results at Purchasing/2-D140 Design Build/Deliverables/BC Hydro Current Scripts-Edited; integration testing scripts and results at J/Indus/Integration/Testing.
Comments: Data was correctly converted with the exception of outstanding SIR #956 (System Incident Report). The SIRs are located at http://edmssappt1.bchhydro.bc.ca/trackbin/wtms.d11/portal (Issue Tracking). This is a low-priority SIR and will be corrected after go-live.

Risk 2. Currently many legacy systems maintain their own security access, which quickly becomes outdated with retirements, transfers, etc. Security profiles and signing authorities are currently updated automatically through ODMS. ODMS is being retired, so this interface will have to be maintained.
Control 1. This issue has been identified as Issue 108 and will be resolved.
Comments: This is an outstanding sustainment issue. Users will be set up in PassPort with the appropriate approval levels.

10) System Interfaces

All risks and functions associated with payments and cheques are Accounts Payable functions.

Risk 1. Data is incorrectly passed from PORTAL to PeopleSoft.
Control 1. Procedural control. System and integration testing ensured that field types are properly mapped from one system to the other.
Control 2. Test scripts and test results are documented.
Control 3. Project team members obtained written agreement from PeopleSoft team members regarding responsibilities for the accuracy of data received and sent between systems.
Control 4. The financial integration tool is managed by the Financial Integration team.
References and test scripts: module test scripts and results at Purchasing/2-D140 Design Build/Deliverables/BC Hydro Current Scripts-Edited; integration testing scripts and results at J/Indus/Integration/Testing; SIRs are located at http://edmssappt1.bchhydro.bc.ca/trackbin/wtms.d11/portal (Issue Tracking).
Comments: Data correctly passed.
10) System Interfaces (continued)

Risk 2. Purchase orders are inaccurately passed from PassPort to PeopleSoft.
Risk 3. Vendor information is inaccurately passed from PeopleSoft to PassPort.
Risk 4. Invoices-paid information is inaccurately passed from PeopleSoft to PassPort.
Controls (Risks 2 to 4):
Control 1. Controls established at conversion by the Financial Integration team.
Control 2. Documented agreements regarding responsibilities for data accuracy.
Control 3. Financial Integration Module.
References and test scripts (Risks 2 to 4): module test scripts and results at Purchasing/2-D140 Design Build/Deliverables/BC Hydro Current Scripts-Edited; integration testing scripts and results at J/Indus/Integration/Testing; SIRs are located at http://edmssappt1.bchhydro.bc.ca/trackbin/wtms.d11/portal (Issue Tracking).
Comments (Risks 2 to 4): Data correctly passed.

Risk 5. Payment history may be changed or lost.
Risk 6. Vendor history may be adjusted or lost, resulting in the inability to review prior transactions.
Controls (Risks 5 and 6):
Control 1. This is an accounts payable function; Purchasing has read-only access.
Control 2. Proper data backup in Accounts Payable.
Comments (Risks 5 and 6): See Accounts Payable procedures. To be tested by Accounts Payable (FBT). Data backup procedures confirmed with NCS; see the separate FI Review.
11) EDP General Controls

Risk 1. Purchasing information can be lost through software and hardware problems.
Control 1. Network Computing Services (offsite) is responsible for the system.
Control 2. There is LAN backup on site.
Control 3. Disaster recovery procedures will be put in place.
References and test scripts: Corporate Policy Procedures - Security.
Comments: This is part of the infrastructure testing.

Risk 2. Unauthorized access to the system.
Control 1. Central control of the security tables.
Control 2. A report of access attempts can be produced and reviewed.
References and test scripts: Role of Guardian (Security); 4a-42-51 Purchasing Security Profile; Corporate Policy Procedures - Security.
Comments: The security established in PassPort permits personnel to access only the panels related to their job functions. Security is tested throughout all Purchasing and Contract test scripts and SIT. User ids are established for SIT to test all job roles.

Risk 3. Unauthorized changes to data.
Control 1. Central control of the security tables.
Control 2. A report of changes can be produced and reviewed.
References and test scripts: Role of Guardian (Security); 4a-42-51 Purchasing Security Profile; Corporate Policy Procedures - Security.
Comments: As for Risk 2: PassPort security restricts personnel to the panels related to their job functions, and security is tested throughout all Purchasing and Contract test scripts and SIT using user ids established for all job roles.