TABLE 12-1 Threats and Controls in the Revenue Cycle

| Activity | Threat | Controls (first number refers to the corresponding threat) |
|---|---|---|
| General issues throughout entire revenue cycle | 1. Inaccurate or invalid master data | 1.1 Data processing integrity controls; 1.2 Restriction of access to master data; 1.3 Review of all changes to master data |
| | 2. Unauthorized disclosure of sensitive information | 2.1 Access controls; 2.2 Encryption; 2.3 Tokenization of customer personal information |
| | 3. Loss or destruction of data | 3.1 Backup and disaster recovery procedures |
| | 4. Poor performance | 4.1 Managerial reports |
| Sales order entry | 5. Incomplete/inaccurate orders | 5.1 Data entry edit controls (see Chapter 10); 5.2 Restriction of access to master data |
| | 6. Invalid orders | 6.1 Digital signatures or written signatures |
| | 7. Uncollectible accounts | 7.1 Credit limits; 7.2 Specific authorization to approve sales to new customers or sales that exceed a customer's credit limit; 7.3 Aging of accounts receivable |
| | 8. Stockouts or excess inventory | 8.1 Perpetual inventory control system; 8.2 Use of bar codes or RFID; 8.3 Training; 8.4 Periodic physical counts of inventory; 8.5 Sales forecast and activity reports |
| | 9. Loss of customers | 9.1 CRM system, self-help websites, and proper evaluation of customer service ratings |
| Shipping | 10. Picking the wrong items or the wrong quantity | 10.1 Bar-code and RFID technology; 10.2 Reconciliation of picking list to sales order detail |
| | 11. Theft of inventory | 11.1 Restriction of physical access to inventory; 11.2 Documentation of all inventory transfers; 11.3 RFID and bar-code technology; 11.4 Periodic physical counts of inventory and reconciliation to recorded quantities |
| | 12. Shipping errors (delay or failure to ship, wrong quantities, wrong items, wrong addresses, duplication) | 12.1 Reconciliation of shipping documents with sales orders, picking lists, and packing slips; 12.2 Use RFID systems to identify delays; 12.3 Data entry via bar-code scanners and RFID; 12.4 Data entry edit controls (shipping data entered on terminals); 12.5 Configuration of ERP system to prevent duplicate shipments |
| Billing | 13. Failure to bill | 13.1 Separation of billing and shipping functions; 13.2 Periodic reconciliation of invoices with sales orders, picking tickets, and shipping documents |
| | 14. Billing errors | 14.1 Configuration of system to automatically enter pricing data; 14.2 Restriction of access to pricing master data; 14.3 Data entry edit controls; 14.4 Reconciliation of shipping documents (picking tickets, bills of lading, and packing list) to sales orders |
| | 15. Posting errors in accounts receivable | 15.1 Data entry controls; 15.2 Reconciliation of batch totals; 15.3 Mailing of monthly statements to customers; 15.4 Reconciliation of subsidiary accounts to general ledger |
| | 16. Inaccurate or invalid credit memos | 16.1 Segregation of duties of credit memo authorization from both sales order entry and customer account maintenance; 16.2 Configuration of system to block credit memos unless there is either corresponding documentation of return of damaged goods or specific authorization by management |

TABLE 13-2 Threats and Controls in the Expenditure Cycle

| Activity | Threat | Controls (first number refers to the corresponding threat) |
|---|---|---|
| General issues throughout entire expenditure cycle | 1. Inaccurate or invalid master data | 1.1 Data processing integrity controls; 1.2 Restriction of access to master data; 1.3 Review of all changes to master data |
| | 2. Unauthorized disclosure of sensitive information | 2.1 Access controls; 2.2 Encryption |
| | 3. Loss or destruction of data | 3.1 Backup and disaster recovery procedures |
| | 4. Poor performance | 4.1 Managerial reports |
| Ordering | 5. Stockouts and excess inventory | 5.1 Perpetual inventory system; 5.2 Bar coding or RFID tags; 5.3 Periodic physical counts of inventory |
| | 6. Purchasing items not needed | 6.1 Perpetual inventory system; 6.2 Review and approval of purchase requisitions; 6.3 Centralized purchasing function |
| | 7. Purchasing at inflated prices | 7.1 Price lists; 7.2 Competitive bidding; 7.3 Review of purchase orders; 7.4 Budgets |
| | 8. Purchasing goods of inferior quality | 8.1 Purchasing only from approved suppliers; 8.2 Review and approval of purchases from new suppliers; 8.3 Tracking and monitoring product quality by supplier; 8.4 Holding purchasing managers responsible for rework and scrap costs |
| | 9. Unreliable suppliers | 9.1 Requiring suppliers to possess quality certification (e.g., ISO 9000); 9.2 Collecting and monitoring supplier delivery performance data |
| | 10. Purchasing from unauthorized suppliers | 10.1 Maintaining a list of approved suppliers and configuring the system to permit purchase orders only to approved suppliers; 10.2 Review and approval of purchases from new suppliers; 10.3 EDI-specific controls (access, review of orders, encryption, policy) |
| | 11. Kickback | 11.1 Prohibit acceptance of gifts from suppliers; 11.2 Job rotation and mandatory vacations; 11.3 Requiring purchasing agents to disclose financial and personal interests in suppliers; 11.4 Supplier audits |
| Receiving | 12. Accepting unordered items | 12.1 Requiring existence of approved purchase order prior to accepting any delivery |
| | 13. Mistakes in counting | 13.1 Do not inform receiving employees about quantity ordered; 13.2 Require receiving employees to sign receiving report; 13.3 Incentives; 13.4 Use of bar codes and RFID tags; 13.5 Configuration of the ERP system to flag discrepancies between received and ordered quantities that exceed tolerance threshold for investigation |
| | 14. Not verifying receipt of services | 14.1 Budgetary controls; 14.2 Audits |
| | 15. Theft of inventory | 15.1 Restriction of physical access to inventory; 15.2 Documentation of all transfers of inventory between receiving and inventory employees; 15.3 Periodic physical counts of inventory and reconciliation to recorded quantities; 15.4 Segregation of duties: custody of inventory versus receiving |
| Approving supplier invoices | 16. Errors in supplier invoices | 16.1 Verification of invoice accuracy; 16.2 Requiring detailed receipts for procurement card purchases; 16.3 ERS; 16.4 Restriction of access to supplier master data; 16.5 Verification of freight bill and use of approved delivery channels |
| | 17. Mistakes in posting to accounts payable | 17.1 Data entry edit controls; 17.2 Reconciliation of detailed accounts payable records with the general ledger control account |
| Cash disbursements | 18. Failure to take advantage of discounts for prompt payment | 18.1 Filing of invoices by due date for discounts; 18.2 Cash flow budgets |
| | 19. Paying for items not received | 19.1 Requiring that all supplier invoices be matched to supporting documents that are acknowledged by both receiving and inventory control; 19.2 Budgets (for services); 19.3 Requiring receipts for travel expenses; 19.4 Use of corporate credit cards for travel expenses |
| | 20. Duplicate payments | 20.1 Requiring a complete voucher package for all payments; 20.2 Policy to pay only from original copies of supplier invoices; 20.3 Canceling all supporting documents when payment is made |
| | 21. Theft of cash | 21.1 Physical security of blank checks and check-signing machine; 21.2 Periodic accounting of all sequentially numbered checks by cashier; 21.3 Access controls to EFT terminals; 21.4 Use of dedicated computer and browser for online banking; 21.5 ACH blocks on accounts not used for payments; 21.6 Separation of check-writing function from accounts payable; 21.7 Requiring dual signatures on checks greater than a specific amount; 21.8 Regular reconciliation of bank account with recorded amounts by someone independent of cash disbursements procedures; 21.9 Restriction of access to supplier master file; 21.10 Limiting the number of employees with ability to create one-time suppliers and to process invoices from one-time suppliers; 21.11 Running petty cash as an imprest fund; 21.12 Surprise audits of petty cash fund |
| | 22. Check alteration | 22.1 Check protection machines; 22.2 Use of special inks and papers; 22.3 "Positive Pay" arrangement with banks |
| | 23. Cash flow problems | 23.1 Cash flow budget |

TABLE 14-1 Threats and Controls in the Production Cycle

| Activity | Threat | Controls (first number refers to the corresponding threat) |
|---|---|---|
| General issues throughout entire production cycle | 1. Inaccurate or invalid master data | 1.1 Data processing integrity controls; 1.2 Restriction of access to master data; 1.3 Review of all changes to master data |
| | 2. Unauthorized disclosure of sensitive information | 2.1 Access controls; 2.2 Encryption |
| | 3. Loss or destruction of data | 3.1 Backup and disaster recovery procedures |
| Product design | 4. Poor product design resulting in excess costs | 4.1 Accounting analysis of costs arising from product design choices; 4.2 Analysis of warranty and repair costs |
| Planning and scheduling | 5. Over- and underproduction | 5.1 Production planning systems; 5.2 Review and approval of production schedules and orders; 5.3 Restriction of access to production orders and production schedules |
| Production operations | 6. Theft of inventory | 6.1 Physical access controls; 6.2 Documentation of all inventory movement; 6.3 Segregation of duties: custody of assets from recording and authorization of removal; 6.4 Restriction of access to inventory master data; 6.5 Periodic physical counts of inventory and reconciliation of those counts to recorded quantities |
| | 7. Theft of fixed assets | 7.1 Physical inventory of all fixed assets; 7.2 Restriction of physical access to fixed assets; 7.3 Maintaining detailed records of fixed assets, including disposal |
| | 8. Poor performance | 8.1 Training; 8.2 Performance reports |
| | 9. Suboptimal investment in fixed assets | 9.1 Proper approval of fixed-asset acquisitions, including use of requests for proposals to solicit multiple competitive bids |
| | 10. Loss of inventory or fixed assets due to fire or other disasters | 10.1 Physical safeguards (e.g., fire sprinklers); 10.2 Insurance |
| | 11. Disruption of operations | 11.1 Backup and disaster recovery plans |
| Cost accounting | 12. Inaccurate cost data | 12.1 Source data automation; 12.2 Data processing integrity controls |
| | 13. Inappropriate allocation of overhead costs | 13.1 Time-driven activity-based costing |
| | 14. Misleading reports | 14.1 Innovative performance metrics (e.g., throughput) |

TABLE 15-1 Threats and Controls in the Payroll/HRM Cycle

| Activity | Threat | Controls (first number refers to the corresponding threat) |
|---|---|---|
| General issues throughout entire HRM/payroll cycle | 1. Inaccurate or invalid master data | 1.1 Data processing integrity controls; 1.2 Restriction of access to master data; 1.3 Review of all changes to master data |
| | 2. Unauthorized disclosure of sensitive information | 2.1 Access controls; 2.2 Encryption; 2.3 Tokenization |
| | 3. Loss or destruction of data | 3.1 Backup and disaster recovery procedures |
| | 4. Hiring unqualified or larcenous employees | 4.1 Sound hiring procedures, including verification of job applicants' credentials, skills, references, and employment history; 4.2 Criminal background investigation check of all applicants for finance-related positions |
| | 5. Violations of employment laws | 5.1 Thorough documentation of hiring, performance evaluation, and dismissal procedures; 5.2 Continuing education on changes in employment laws |
| Update payroll master data | 6. Unauthorized changes to payroll master data | 6.1 Segregation of duties: HRM department updates master data, but only payroll department issues paychecks; 6.2 Access controls |
| | 7. Inaccurate updating of payroll master data | 7.1 Data processing integrity controls; 7.2 Regular review of all changes to master payroll data |
| Validate time and attendance data | 8. Inaccurate time and attendance data | 8.1 Source data automation for data capture; 8.2 Biometric authentication; 8.3 Segregation of duties (reconciliation of job-time tickets to time cards); 8.4 Supervisory review |
| Prepare payroll | 9. Errors in processing payroll | 9.1 Data processing integrity controls: batch totals, cross-footing of the payroll register, use of a payroll clearing account and a zero-balance check; 9.2 Supervisory review of payroll register and other reports; 9.3 Issuing earnings statements to employees; 9.4 Review of IRS guidelines to ensure proper classification of workers as either employees or independent contractors |
| Disburse payroll | 10. Theft or fraudulent distribution of paychecks | 10.1 Restriction of physical access to blank payroll checks and the check signature machine; 10.2 Restriction of access to the EFT system; 10.3 Prenumbering and periodically accounting for all payroll checks and review of all EFT direct deposit transactions; 10.4 Require proper supporting documentation for all paychecks; 10.5 Use of a separate checking account for payroll, maintained as an imprest fund; 10.6 Segregation of duties (cashier versus accounts payable; check distribution from hiring/firing; independent reconciliation of the payroll checking account); 10.7 Restriction of access to payroll master database; 10.8 Verification of identity of all employees receiving paychecks; 10.9 Redepositing unclaimed paychecks and investigating cause |
| Disburse payroll taxes and miscellaneous deductions | 11. Failure to make required payments | 11.1 Configuration of system to make required payments using current instructions from IRS (Publication Circular E) |
| | 12. Untimely payments | 12.1 Same as 1.1 |
| | 13. Inaccurate payments | 13.1 Processing integrity controls; 13.2 Supervisory review of reports; 13.3 Employee review of earnings statement |

TABLE 16-1 Threats and Controls in the General Ledger and Reporting System

| Activity | Threat | Controls (first number refers to the corresponding threat) |
|---|---|---|
| General issues throughout entire general ledger and reporting system | 1. Inaccurate or invalid general ledger data | 1.1 Data processing integrity controls; 1.2 Restriction of access to general ledger; 1.3 Review of all changes to general ledger data |
| | 2. Unauthorized disclosure of financial statement | 2.1 Access controls; 2.2 Encryption |
| | 3. Loss or destruction of data | 3.1 Backup and disaster recovery procedures |
| Update general ledger | 4. Inaccurate updating of general ledger | 4.1 Data entry processing integrity controls; 4.2 Reconciliations and control reports; 4.3 Audit trail creation and review |
| | 5. Unauthorized journal entries | 5.1 Access controls; 5.2 Reconciliations and control reports; 5.3 Audit trail creation and review |
| Post adjusting entries | 6. Inaccurate adjusting entries | 6.1 Data entry processing integrity controls; 6.2 Spreadsheet error protection controls; 6.3 Standard adjusting entries; 6.4 Reconciliations and control reports; 6.5 Audit trail creation and review |
| | 7. Unauthorized adjusting entries | 7.1 Access controls; 7.2 Reconciliations and control reports; 7.3 Audit trail creation and review |
| Prepare financial statements | 8. Inaccurate financial statements | 8.1 Processing integrity controls; 8.2 Use of packaged software; 8.3 Training and experience in applying IFRS and XBRL; 8.4 Audits |
| | 9. Fraudulent financial reporting | 9.1 Audits |
| Produce managerial reports | 10. Poorly designed reports and graphs | 10.1 Responsibility accounting; 10.2 Balanced scorecard; 10.3 Training on proper graph design |
