Case Study Top-Down, Risk-Based Approach Purchase to Pay Process




Top-Down, Risk-Based Approach Purchase to Pay Process

Overview

This case study describes the flow of a Top-Down, Risk-Based Approach for an example Purchase to Pay process. This case study is not all-inclusive for a Purchase to Pay process and is to be used for informational purposes only.

EAGLE Training Program

Risk Assessment Criteria: Account Risk

| # | Criteria | High (Points 3) | Moderate (Points 2) | Low (Points 1) |
|---|----------|-----------------|---------------------|----------------|
| 1 | Size and Composition | Account balance greater than $10 million | Account balance less than $10 million but greater than $5 million | Account balance less than $5 million |
| 2 | Transaction Volume | Multiple transactions per day | More than 100 transactions per year but less frequent than one transaction a day | Less than 100 transactions per year |
| 3 | Transaction Complexity | Transactions are complex in nature (i.e. complex calculations, requiring significant financial disclosures, complex accounting guidance associated with account, etc.) | Majority of the transactions are noncomplex. However, some transactions require additional attention due to their complexity. | Transactions are routine in nature. |
| 4 | Subjectivity and Estimation | 75% of the account balance is based on subjectivity or estimates. | Greater than 10% and less than 75% of the account balance is based on subjectivity or estimates. | Less than 10% of the account balance is based on subjectivity or estimates. |
| 5 | Inherent Risks | Historically a high risk account | Historically a moderate risk account | Historically a low risk account |
| 6 | Overall Score | Total Score of 12 or greater | Total Score less than 12 but greater than 8 | Total Score of 8 or less |

Risk Assessment Criteria: Process Risk

| # | Criteria | High (Points 3) | Moderate (Points 2) | Low (Points 1) |
|---|----------|-----------------|---------------------|----------------|
| 1 | Size and Composition | Process impacts the account balance by greater than $4 million | Process impacts the account balance less than $4 million but greater than $1 million | Process impacts the account balance less than $1 million |
| 2 | Susceptibility due to error / fraud | Historically a high risk process | Historically a moderate risk process | Historically a low risk process |
| 3 | Complexity of transactions | Business and accounting transactions are highly complex | Business and accounting transactions are moderately complex | Business and accounting transactions are not complex |
| 4 | Homogeneity of transactions | Less than 25% of the transactions are similar in nature | Between 25% and 75% of the transactions are similar in nature | At least 75% of the transactions are similar in nature |
| 5 | IT dependency / manual intervention | Highly manual complex processes. IT infrastructure is an older version with many manual interfaces | Moderately automated process. | Highly automated process |
| 6 | Degree of subjectivity / estimation | 75% of the account balance impacted by the process is based on subjectivity or estimates. | Greater than 10% and less than 75% of the account balance impacted by the process is based on subjectivity or estimates. | Less than 10% of the account balance impacted by the process is based on subjectivity or estimates. |
| 7 | Overall Score | Total Score of 15 or greater | Total Score less than 15 but greater than 10 | Total Score of 10 or less |

Risk Assessment: Account Risk Assessment

| Account Description | 06/30/XX Account Balance (in millions) | Size and Composition | Transaction Volume | Transaction Complexity | Subjectivity and Estimation | Inherent Risk | Total Score |
|---|---|---|---|---|---|---|---|
| STATEMENT OF NET ASSETS | | | | | | | |
| Accounts payable and accrued liability | 11.9 | 3 | 3 | 2 | 2 | 2 | 12 |
| STATEMENT OF REVENUES, EXPENSES, AND CHANGES IN NET ASSETS: Expenses | | | | | | | |
| Salaries and Benefits | 163.4 | 3 | 3 | 2 | 2 | 2 | 12 |
| Supplies and Materials | 35.6 | 3 | 3 | 1 | 1 | 2 | 10 |
| Services | 31.2 | 3 | 3 | 2 | 1 | 2 | 11 |
| Scholarships and Fellowships | 10.2 | 3 | 2 | 3 | 2 | 2 | 12 |
| Travel | 5.6 | 2 | 2 | 1 | 1 | 2 | 8 |

Financial Statement Assertion Risk

| STATEMENT OF NET ASSETS | C | E/O | V/M | R&O | P&D |
|---|---|---|---|---|---|
| Accounts payable and accrued liability | H | M | M | L | L |

C - Completeness
E/O - Existence / Occurrence
V/M - Valuation / Measurement
R&O - Rights and Obligations
P&D - Presentation and Disclosure

Risk Assessment: Process Risk Assessment

| Account Description | Account Risk | Related Significant Processes | Size and Composition | Susceptibility due to error / fraud | Transaction Complexity | Homogeneity of transactions | IT dependency / manual intervention | Degree of subjectivity / estimation | Total Score |
|---|---|---|---|---|---|---|---|---|---|
| Accounts payable and accrued liability | High | New Vendor Setup | 2 | 2 | 1 | 1 | 2 | 1 | 9 |
| | | Purchasing | 3 | 2 | 2 | 2 | 1 | 1 | 11 |
| | | Receiving | 2 | 2 | 1 | 2 | 3 | 2 | 12 |
| | | Processing Invoices | 3 | 3 | 2 | 3 | 2 | 2 | 15 |
| | | Payments | 3 | 3 | 2 | 3 | 2 | 2 | 15 |
| | | Update to G/L | 3 | 2 | 2 | 2 | 1 | 2 | 12 |
| | | AP Applications and Data Access | 3 | 3 | 2 | 2 | 2 | 1 | 13 |
| | | Employee Expenses | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Travel | Low | Employee Expenses | N/A | N/A | N/A | N/A | N/A | N/A | N/A |

Note: The Employee Expenses process, while a part of the Purchase to Pay process, is excluded as it solely impacts the Travel expense account, which is risk ranked at Low. Per OSC guidelines, this will not be documented or tested.

Purchase to Pay Process: Narrative

Purchase to Pay
Supporting Application: Application XYZ

This document provides a description of the Purchase to Pay Process as performed by as of 6/30/XXXX. The following processes form part of the Purchase to Pay cycle at.

New Vendor Setup: This is a prerequisite to the Purchase to Pay Process (P2P), since one cannot start the process without having vendors set up on the system.

Purchasing (Purchase Request (PR) and Purchase Orders (PO)):
PR - This initiates the P2P process, since anyone in the company can request an item to be used in his or her daily activities.
PO - This is where the purchasing department transforms related purchase requests to orders.

Receiving: This is where the requestor and/or receiving clerk receives the goods ordered.

Processing Invoices: This is where receives the vendor's invoice, performs a verification process on the invoice, and makes it ready for payment.

Payments: This is where the vendor's payment is created and delivered. The account payable (AP) is maintained here.

Update the General Ledger (GL)/Accrual: This is where the above transaction is reflected in the GL.

New Vendor Setup

Inputs: Vendor information (name, address, bank details, payment terms, discounts, matching principal, accounting, etc.)
Output: Vendor in system

A formal process exists to add or modify vendors. Note that Application XYZ does not permit the deletion of vendors; it will only allow a vendor to be altered or disabled. This process consists of the following activities:

The Supplier Maintenance Form is filled out by the buyer. This form details the vendor's name, address, bank details, payment terms, discounts, matching principal, accounting information, etc.
The form must be signed by the buyer's supervisor, who checks the details for accuracy.
The form is then sent to the AP department where it is reviewed and entered into the system.

Additional Notes:
Application XYZ does not allow duplicate supplier names to reside in the system.

Purchase to Pay Process: Narrative

Purchasing

Purchase Requests (PR)

Inputs: Vendor in system, item to be purchased, quantity, delivery date and location
Output: Approved purchase request

A PR can be created by any Application XYZ user. This process typically consists of the following activities:

Create PR using the system. The requestor enters the item needed, quantity, delivery date and location.
The system routes the PR to the requestor's supervisor, who reviews the request for appropriateness.
Based on the above review, the PR is approved or disapproved. If approved, the PR goes to Purchasing for creation of a PO. If disapproved, the requestor gets a notification for correction from the approver.

Additional Notes:
Application XYZ automatically (real-time) routes all PRs for approval upon creation.
Every system user is assigned an approver to approve his or her requests (defined in HR hierarchy).
Auto-numbering for purchase requisitions is being used.

Narratives for remaining processes have been intentionally omitted.

Purchase to Pay Process: Flowchart (using swimlanes)

Purchase to Pay Process: Risk and Control Matrix

Document: Risk & Control Matrix (RACM)
Prepared by: XX Smith
Entity:
Reviewed by: XX Thomas
Reporting Date: 6/30/XX
Process: Purchase to Pay
Financial Statement Accounts: Current and Noncurrent Liabilities
Systems / Applications: Application XYZ

New Vendor Setup
Financial Statement Assertions: Existence; Rights & Obligations
Risk: Unauthorized or incorrect changes are made to the vendor master file, increasing the risk of fraudulent payment transactions.

| Control Ref. | Control Description | Control Owner | Automated, Manual or Both? | Preventive or Detective? | Frequency of Control Activity |
|---|---|---|---|---|---|
| AP1 | The Supplier Maintenance Form is reviewed and approved by the buyer's Supervisor. | Buyer's Supervisor | Manual | Preventive | More than daily |
| AP2 | The Supplier Maintenance Form is sent to the AP department where it is reviewed and entered into the system. | AP Clerk | Manual | Preventive | More than daily |
| AP3 | Application XYZ does not allow duplicate supplier names to reside in the system. | XYZ | Automated | Preventive | Continuous |
| AP4 | Vendor maintenance is performed by the AP department and limited to supervisors. Role-based security is utilized in Application XYZ, such that individuals having access to perform vendor maintenance do not also have access to perform other Accounts Payable functions - process vouchers and print checks. | XYZ | Automated (access) | Preventive | Continuous |

Purchasing
Financial Statement Assertions: Existence; Valuation; Rights & Obligations
Risk: Invoices are posted to accounts payable without proper authorization, increasing the risk of fraudulent transactions or misstatements of accounts payable.

| Control Ref. | Control Description | Control Owner | Automated, Manual or Both? | Preventive or Detective? | Frequency of Control Activity |
|---|---|---|---|---|---|
| AP5 | Invoices and receipts are system restricted from processing unless approved by the applicable buyer supervisor. System approval hierarchies are maintained by the IT Department. | XYZ | Automated | Preventive | Continuous |

Receiving
Financial Statement Assertions (both controls): Existence; Valuation; Rights & Obligations
Risk (both controls): Invoices are posted to accounts payable without proper authorization, increasing the risk of fraudulent transactions or misstatements of accounts payable.

| Control Ref. | Control Description | Control Owner | Automated, Manual or Both? | Preventive or Detective? | Frequency of Control Activity |
|---|---|---|---|---|---|
| AP6 | All items upon receiving are inspected and matched to the bill of lading and PO for appropriateness. | Receiving Clerk | Manual | Detective | More than daily |
| AP7 | Application XYZ will not allow receipt of items without a PO. | XYZ | Automated | Preventive | Continuous |

Processing Invoices
Financial Statement Assertions: Existence; Valuation; Rights & Obligations
Risk: Invoices are posted to accounts payable without proper authorization, increasing the risk of fraudulent transactions or misstatements of accounts payable.

| Control Ref. | Control Description | Control Owner | Automated, Manual or Both? | Preventive or Detective? | Frequency of Control Activity |
|---|---|---|---|---|---|
| AP8 | All invoices are approved by the AP Clerk prior to validation. | AP Clerk | Manual | Preventive | More than daily |
| AP9 | All invoices are validated automatically (3-way match) by Application XYZ upon invoicing. | XYZ | Automated | Detective | More than daily |

Purchase to Pay Process: Risk and Control Matrix

Payments
Financial Statement Assertions (AP10): Existence
Risk (AP10): Unauthorized disbursements are made and recorded.
Financial Statement Assertions (AP11): Completeness; Existence
Risk (AP11): Unauthorized disbursements are made and recorded; cash disbursements are not recorded accurately.

| Control Ref. | Control Description | Control Owner | Automated, Manual or Both? | Preventive or Detective? | Frequency of Control Activity |
|---|---|---|---|---|---|
| AP10 | Check printing is restricted to the AP Manager and the Corporate Controller who authorize the check run by its activation. These individuals do not have update access rights to the AP application other than to perform this function. | XYZ | Automated | Preventive | Continuous |
| AP11 | All checks are processed through an integrated check-writing function in Application XYZ. Checks can only be processed against vouchers already existing in the AP system and for the same amount (i.e. no changes can be made to amounts during the check processing). Checks can only be processed to payees recorded in the vendor master file (i.e. no input of temporary payee data). | XYZ | Automated | Preventive | Continuous |

Update to G/L
Financial Statement Assertions: Completeness; Existence; Valuation; Rights & Obligations; Presentation & Disclosure
Risk: Transactions do not accurately update from Accounts Payable system to the General Ledger system, resulting in misstatements of the financial statements.

| Control Ref. | Control Description | Control Owner | Automated, Manual or Both? | Preventive or Detective? | Frequency of Control Activity |
|---|---|---|---|---|---|
| AP12 | General Ledger updates from Accounts Payable are controlled by integrated XYZ modules which use predefined control accounts and fields which ensure that postings are in balance and include complete data. Batches containing errors will not post to the general ledger and require resolution by the AP Supervisor prior to posting. | XYZ | Automated | Preventive | Continuous |
| AP13 | General ledger accounts and accounts payable subsidiary ledgers are reconciled on a monthly basis by the AP Supervisor. Reconciliations are reviewed by the Financial Reporting Controller. | AP Supervisor | Manual | Detective | Monthly |

AP Applications and Data Access
Financial Statement Assertions: Existence; Rights & Obligations
Risk: Unauthorized access is granted to individuals increasing the risk of unauthorized and fictitious transactions.

| Control Ref. | Control Description | Control Owner | Automated, Manual or Both? | Preventive or Detective? | Frequency of Control Activity |
|---|---|---|---|---|---|
| AP14 | Access to the AP applications is restricted to authorized users. Role-based security is utilized within the applications to the extent possible. Monitoring controls are put into place where application access cannot be restricted to support an optimal segregation of duties. | XYZ | Automated (access); monitoring of access (manual) | Preventive / Detective (monitoring) | Continuous |

Purchase to Pay Process: Walkthrough

Process: Purchase to Pay
Sub-process: New Vendor Setup
Supporting Application: Application XYZ
Title: New Vendor Setup Walkthrough

This walkthrough template assists in documenting our understanding of the design of controls. We document the procedures performed, evidence obtained and conclusions as to the effective design of the underlying controls and whether the controls have been implemented.

Process Owner Name / Title: Jane Smith, AP Buyer
Interview Date: January 1, 20XX
Selection: South Telephone (Vendor #101)

Procedures Performed:

To perform a walkthrough of the New Vendor Setup process, we obtained the Vendor Report listing all current vendors as of the walkthrough date. We randomly selected vendor #100, South Telephone. We then performed the procedures below.

The Supplier Maintenance Form is filled out by the buyer. This form details the vendor's name, address, bank details, payment terms, discounts, matching principal, accounting information, etc.
-Walkthrough procedures: We obtained the Supplier Maintenance Form for South Telephone vendor and noted that all the form details were filled out (refer to w/p XX.X).

The Supplier Maintenance Form must be signed by the buyer's supervisor, who checks the details for accuracy (Control AP1).
-Walkthrough procedures: We noted the approval by the buyer's Supervisor on the Supplier Maintenance Form (refer to w/p XX.X).

The Supplier Maintenance Form is then sent to the AP department where it is reviewed and entered into the system (Control AP2).
-Walkthrough procedures: We noted the form details including the vendor's name, address, bank details, payment terms, and discounts and agreed these to the system (refer to w/p XX.X).

Application XYZ does not allow duplicate supplier names to reside in the system (Control AP3).
-Walkthrough procedures: We obtained a listing of suppliers report from the system and noted that our selected vendor, South Telephone, resides within the system. We requested that the Buyer enter the same vendor name into the system. We noted that the system appropriately rejected the vendor (refer to w/p XX.X).

Purchase to Pay Process: Walkthrough

Vendor maintenance is performed by the AP department and limited to supervisors. Role-based security is utilized in Application XYZ, such that individuals having access to perform vendor maintenance do not also have access to perform other AP functions such as processing vouchers and printing checks (Control AP4).
-Walkthrough procedures: We obtained a user access log for Application XYZ for vendor maintenance and noted that there are excessive users with access. Additionally, we noted that a few of the users with access to vendor maintenance had the ability to perform other AP functionality (refer to w/p XX.X; also refer to Issue Summary Log for details on the exception noted).

Purchase to Pay Process: Test Plan

Document: Test Plan
Prepared by: XX Smith
Entity:
Reviewed by: XX Thomas
Reporting Date: 6/30/XX
Process: Purchase to Pay
Financial Statement Accounts: Current and Noncurrent Liabilities

Ref 1
Control Description: Vendor maintenance is performed by the AP department and limited to supervisors. Role-based security is utilized in Application XYZ, such that individuals having access to perform vendor maintenance do not also have access to perform other Accounts Payable functions - process vouchers and print checks.
Control Reference: AP4
Transaction / Sub-Process: New Vendor Setup
Sub-Process Risk Rating: Low
Objective of Test: Changes to the vendor master file are valid and authorized to prevent inappropriate or fraudulent vendor payments.
Testing Procedures: Obtain user access log for Application XYZ for vendor maintenance functionality and verify that only AP Supervisors have access. Also obtain full access right details for Application XYZ and verify that others do not have access.
Results: Exceptions noted in walkthrough.
Conclusion: Ineffective
Issue Raised? Y
Testing w/p ref: AP4 Leadsheet P2P.Walkthrough; Issue Summary Log

Ref 2
Control Description: Invoices and receipts are system restricted from processing unless approved by the applicable buyer supervisor. System approval hierarchies are maintained by the IT Department.
Control Reference: AP5
Transaction / Sub-Process: Purchasing
Sub-Process Risk Rating: Moderate
Objective of Test: Purchases are appropriately authorized.
Testing Procedures: Review configuration of approval routing within Application XYZ. Attempt to complete routing task without appropriate approvals and note results.
Results: No exceptions noted.
Conclusion: Effective
Issue Raised? N
Testing w/p ref: AP5 Leadsheet

Ref 3
Control Description: All invoices are approved by the AP Clerk prior to validation.
Control Reference: AP8
Transaction / Sub-Process: Processing Invoices
Sub-Process Risk Rating: High
Objective of Test: Purchases are appropriately authorized.
Testing Procedures: Select invoices paid during the year. Confirm that approvals for all invoices paid are consistent with the signature log maintained by the AP Department.
Results: Exceptions noted.
Conclusion: Ineffective
Issue Raised? Y
Testing w/p ref: AP8 Leadsheet P2P.Testing Leadsheet; Issue Summary Log

Ref 4
Control Description: General ledger accounts and accounts payable subsidiary ledgers are reconciled on a monthly basis by the AP Supervisor. Reconciliations are reviewed by the Financial Reporting Controller.
Control Reference: AP13
Transaction / Sub-Process: Update to G/L
Sub-Process Risk Rating: Moderate
Objective of Test: All AP transactions are completely and accurately updated to the general ledger in the proper period.
Testing Procedures: Inspect evidence of the review and approval of AP subledger to G/L reconciliation. Randomly select 4 months. For each month, obtain copy of AP account reconciliation signed by AP Supervisor and Financial Reporting Controller.
Results: No exceptions noted.
Conclusion: Effective
Issue Raised? N
Testing w/p ref: AP13 Leadsheet

Ref 5
Control Description: Access to the AP applications is restricted to authorized users. Role-based security is utilized within the applications to the extent possible. Monitoring controls are put into place where application access cannot be restricted to support an optimal segregation of duties.
Control Reference: AP14
Transaction / Sub-Process: AP Applications and Data Access
Sub-Process Risk Rating: Moderate
Objective of Test: Access to AP applications should be limited to authorized users and restricted by job function to promote an appropriate segregation of duties.
Testing Procedures: Obtain a report of system users and access rights granted for XYZ application. Confirm that all users are active employees and that the rights granted are consistent with the individual's job responsibilities in relation to AP.
Results: No exceptions noted.
Conclusion: Effective
Issue Raised? N
Testing w/p ref: AP14 Leadsheet

Note: This is a subset of the test plan showing tested controls.
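The access tests for AP4 and AP14 above can be run over a full user-access export instead of being read by eye. The following is an added example, not part of the case study or of Application XYZ: the CSV layout, permission names and job titles are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Permission and title names are assumptions for this example; map them to
# the function names that appear in the real application's access report.
VENDOR_MAINT = "vendor_maintenance"
CONFLICTING = {"process_vouchers", "print_checks"}  # other AP functions named in AP4
ALLOWED_VENDOR_MAINT_TITLES = {"AP Supervisor"}     # AP4: limited to supervisors

# Constructed sample export: one row per (user, permission) grant.
SAMPLE_ACCESS_EXPORT = """\
user_id,job_title,employment_status,permission
asmith,AP Supervisor,active,vendor_maintenance
bjones,AP Clerk,active,process_vouchers
cdoe,AP Clerk,active,vendor_maintenance
CDoe,AP Clerk,active,process_vouchers
dlee,AP Supervisor,active,vendor_maintenance
dlee,AP Supervisor,active,print_checks
eroy,AP Clerk,terminated,process_vouchers
"""


def load_grants(text):
    """Group grant rows by user. IDs are lower-cased so that 'CDoe' and
    'cdoe' are treated as one person and a conflict split across
    differently-cased rows is not missed."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        uid = row["user_id"].strip().lower()
        user = users.setdefault(uid, {
            "title": row["job_title"].strip(),
            "status": row["employment_status"].strip().lower(),
            "perms": set(),
        })
        user["perms"].add(row["permission"].strip().lower())
    return users


def review_access(users):
    """Return sorted (user_id, finding_code, detail) tuples.

    INACTIVE_USER  - a non-active employee still holds AP access (AP14 test)
    NOT_SUPERVISOR - vendor maintenance held by a non-supervisor (AP4 test)
    SOD_CONFLICT   - vendor maintenance combined with voucher processing
                     or check printing (AP4 segregation of duties)
    """
    findings = []
    for uid, user in users.items():
        perms = user["perms"]
        if user["status"] != "active" and perms:
            findings.append((uid, "INACTIVE_USER", ", ".join(sorted(perms))))
        if VENDOR_MAINT in perms:
            if user["title"] not in ALLOWED_VENDOR_MAINT_TITLES:
                findings.append((uid, "NOT_SUPERVISOR", user["title"]))
            overlap = perms & CONFLICTING
            if overlap:
                findings.append((uid, "SOD_CONFLICT", ", ".join(sorted(overlap))))
    return sorted(findings)


if __name__ == "__main__":
    for uid, code, detail in review_access(load_grants(SAMPLE_ACCESS_EXPORT)):
        print(f"{uid:8} {code:15} {detail}")
```

Each finding maps to an exception of the kind recorded in the Issue Summary Log, so the output can be attached to the leadsheet as evidence of which users and grants were involved.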

Purchase to Pay Process: Test Leadsheet

Document: Testing Leadsheet
Performed by: XX Smith
Entity:
Reviewed by: XX Thomas
Reporting Date: 6/30/XX
Process: Purchase to Pay

Control Reference: AP8
Control Description: All invoices are approved by the AP Clerk prior to validation.
Control Owner: AP Clerk
Sub-Process: Processing Invoices
Sub-Process Risk Rating: High
Control Type: Manual
Control Frequency: More than daily
Sample Methodology: Random
Sample Size: 40
Source Test Documents: Copy of Invoice

Procedures / Testing Discussion: Select a report of all invoices paid during the year. Randomly select 40 invoices and obtain approved invoice. Confirm that AP Clerk approved the paid invoice.

Definition of an Exception: An exception will be noted under any of the following conditions: No evidence of AP Clerk's approval of invoice.

| Sample No. | Invoice No. | Vendor | Date | A | w/p ref |
|---|---|---|---|---|---|
| 1 | 101 | Joe Smith | 1/2/XX | | AP1.a |
| 2 | 500 | B Dept. Services | 2/3/XX | X, Note 1 | AP1.b |
| 3 | 800 | C. Electric | 2/20/XX | | AP1.c |
| 40 | 1001 | A. Faculty | 3/1/XX | X, Note 1 | AP1.zz |

Attributes:
A - Paid invoice is approved by the AP Clerk. Approval is evidenced by AP Clerk's signature on the invoice.

Tickmark Legend:

| Tickmark | Meaning |
|---|---|
| | Attribute satisfied without exception. |
| X | Attribute not satisfied. |
| n/a | Attribute not applicable. |
| Note 1 | No evidence of AP Clerk's approval on the invoice. |

Results: For two of the 40 selections, no evidence of the AP Clerk's approval existed.

Purchase to Pay Process: Workpaper AP1.b

B. Dept Services
200 Peachtree Street
Atlanta, GA 00022

Invoice
Invoice #500
Date: 2/3/XX

Customer Name:
Customer Address: 100 Main Street, Raleigh, NC 27000

Columns: Quantity, Description of Services, Unit Amount, Total Amount
1, Utilities for month of January, $500
1, Service Charge, $50
Tax, $30
Total amount due: $580.00

Remit payment to:
B. Dept Services
200 Peachtree Street
Atlanta, GA 00022

Purchase to Pay Process: Issue Summary Log

Issue Summary Log
June 30, 20XX

Issue 1
Process - Sub process: Purchase to Pay - New Vendor Set-Up
Control: Vendor maintenance is performed by the AP department and limited to supervisors. Role-based security is utilized in Application XYZ, such that individuals having access to perform vendor maintenance do not also have access to perform other Accounts Payable functions - process vouchers and print checks.
Control Reference: AP4
Issue: We obtained a user access log for Application XYZ for vendor maintenance and noted that there are excessive users with access. Additionally, we noted that a few of the users with access to vendor maintenance had the ability to perform other AP functionality. Issue was noted during walkthrough.
Risk/Implication: Unauthorized or incorrect changes are made to the vendor master file, increasing the risk of fraudulent payment transactions.
Recommendation: We recommend that management review the listing of AP users and their access rights in detail to help ensure that access to perform vendor maintenance be restricted to only AP supervisors. Additionally, we recommend that those AP supervisors be restricted from performing other AP functions.
Management's Response: A listing of users with access to perform vendor maintenance will be reviewed for appropriateness by Joe Controller and restricted only to AP supervisors. Additionally, a segregation of duties review will be performed to further restrict access within the AP department.

Issue 2
Process - Sub process: Purchase to Pay - Processing Invoices
Control: All invoices are approved by the AP Clerk prior to validation.
Control Reference: AP8
Issue: For two of the 40 selections, no evidence of the AP Clerk's approval existed. Issue was noted during testing.
Risk/Implication: Invoices are posted to accounts payable without proper authorization, increasing the risk of fraudulent transactions or misstatements of accounts payable.
Recommendation: We recommend that employees be reminded of the agency policy regarding documentation of their review.
Management's Response: We will review the policy around approval of invoice documentation and remind employees of the importance of signing off as evidence of approval.