TABLE 12-1 Threats and Controls in the Revenue Cycle

(Controls: first number refers to the corresponding threat)

ACTIVITY: General issues throughout entire revenue cycle
THREATS:
  1. Inaccurate or invalid master data
  2. Unauthorized disclosure of sensitive information
  3. Loss or destruction of data
  4. Poor performance
CONTROLS:
  1.1 Data processing integrity controls
  1.2 Restriction of access to master data
  1.3 Review of all changes to master data
  2.1 Access controls
  2.2 Encryption
  2.3 Tokenization of customer personal information
  3.1 Backup and disaster recovery procedures
  4.1 Managerial reports

ACTIVITY: Sales order entry
THREATS:
  5. Incomplete/inaccurate orders
  6. Invalid orders
  7. Uncollectible accounts
  8. Stockouts or excess inventory
  9. Loss of customers
CONTROLS:
  5.1 Data entry edit controls (see Chapter 10)
  5.2 Restriction of access to master data
  6.1 Digital signatures or written signatures
  7.1 Credit limits
  7.2 Specific authorization to approve sales to new customers or sales that exceed a customer's credit limit
  7.3 Aging of accounts receivable
  8.1 Perpetual inventory control system
  8.2 Use of bar codes or RFID
  8.3 Training
  8.4 Periodic physical counts of inventory
  8.5 Sales forecasts and activity reports
  9.1 CRM system, self-help websites, and proper evaluation of customer service ratings

ACTIVITY: Shipping
THREATS:
  10. Picking the wrong items or the wrong quantity
  11. Theft of inventory
  12. Shipping errors (delay or failure to ship, wrong quantities, wrong items, wrong addresses, duplication)
CONTROLS:
  10.1 Bar-code and RFID technology
  10.2 Reconciliation of picking lists to sales order details
  11.1 Restriction of physical access to inventory
  11.2 Documentation of all inventory transfers
  11.3 RFID and bar-code technology
  11.4 Periodic physical counts of inventory and reconciliation to recorded quantities
  12.1 Reconciliation of shipping documents with sales orders, picking lists, and packing slips
  12.2 Use RFID systems to identify delays
  12.3 Data entry via bar-code scanners and RFID
  12.4 Data entry edit controls (if shipping data entered on terminals)
  12.5 Configuration of ERP system to prevent duplicate shipments

ACTIVITY: Billing
THREATS:
  13. Failure to bill
  14. Billing errors
  15. Posting errors in accounts receivable
  16. Inaccurate or invalid credit memos
CONTROLS:
  13.1 Separation of billing and shipping functions
  13.2 Periodic reconciliation of invoices with sales orders, picking tickets, and shipping documents
  14.1 Configuration of system to automatically enter pricing data
  14.2 Restriction of access to pricing master data
  14.3 Data entry edit controls
  14.4 Reconciliation of shipping documents (picking tickets, bills of lading, and packing list) to sales orders
  15.1 Data entry controls
  15.2 Reconciliation of batch totals
  15.3 Mailing of monthly statements to customers
  15.4 Reconciliation of subsidiary accounts to general ledger
  16.1 Segregation of duties of credit memo authorization from both sales order entry and customer account maintenance
  16.2 Configuration of system to block credit memos unless there is either corresponding documentation of return of damaged goods or specific authorization by management

TABLE 13-2 Threats and Controls in the Expenditure Cycle

(Controls: first number refers to the corresponding threat)

ACTIVITY: General issues throughout entire expenditure cycle
THREATS:
  1. Inaccurate or invalid master data
  2. Unauthorized disclosure of sensitive information
  3. Loss or destruction of data
  4. Poor performance
CONTROLS:
  1.1 Data processing integrity controls
  1.2 Restriction of access to master data
  1.3 Review of all changes to master data
  2.1 Access controls
  2.2 Encryption
  3.1 Backup and disaster recovery procedures
  4.1 Managerial reports

ACTIVITY: Ordering
THREATS:
  5. Stockouts and excess inventory
  6. Purchasing items not needed
  7. Purchasing at inflated prices
  8. Purchasing goods of inferior quality
  9. Unreliable suppliers
  10. Purchasing from unauthorized suppliers
  11. Kickbacks
CONTROLS:
  5.1 Perpetual inventory system
  5.2 Bar coding or RFID tags
  5.3 Periodic physical counts of inventory
  6.1 Perpetual inventory system
  6.2 Review and approval of purchase requisitions
  6.3 Centralized purchasing function
  7.1 Price lists
  7.2 Competitive bidding
  7.3 Review of purchase orders
  7.4 Budgets
  8.1 Purchasing only from approved suppliers
  8.2 Review and approval of purchases from new suppliers
  8.3 Tracking and monitoring product quality by supplier
  8.4 Holding purchasing managers responsible for rework and scrap costs
  9.1 Requiring suppliers to possess quality certification (e.g., ISO 9000)
  9.2 Collecting and monitoring supplier delivery performance data
  10.1 Maintaining a list of approved suppliers and configuring the system to permit purchase orders only to approved suppliers
  10.2 Review and approval of purchases from new suppliers
  10.3 EDI-specific controls (access, review of orders, encryption, policy)
  11.1 Prohibit acceptance of gifts from suppliers
  11.2 Job rotation and mandatory vacations
  11.3 Requiring purchasing agents to disclose financial and personal interests in suppliers
  11.4 Supplier audits

ACTIVITY: Receiving
THREATS:
  12. Accepting unordered items
  13. Mistakes in counting
  14. Not verifying receipt of services
  15. Theft of inventory
CONTROLS:
  12.1 Requiring existence of approved purchase order prior to accepting any delivery
  13.1 Do not inform receiving employees about quantity ordered
  13.2 Require receiving employees to sign receiving report
  13.3 Incentives
  13.4 Use of bar codes and RFID tags
  13.5 Configuration of the ERP system to flag discrepancies between received and ordered quantities that exceed tolerance threshold for investigation
  14.1 Budgetary controls
  14.2 Audits
  15.1 Restriction of physical access to inventory
  15.2 Documentation of all transfers of inventory between receiving and inventory employees
  15.3 Periodic physical counts of inventory and reconciliation to recorded quantities
  15.4 Segregation of duties: custody of inventory versus receiving

ACTIVITY: Approving supplier invoices
THREATS:
  16. Errors in supplier invoices
  17. Mistakes in posting to accounts payable
CONTROLS:
  16.1 Verification of invoice accuracy
  16.2 Requiring detailed receipts for procurement card purchases
  16.3 ERS
  16.4 Restriction of access to supplier master data
  16.5 Verification of freight bill and use of approved delivery channels
  17.1 Data entry edit controls
  17.2 Reconciliation of detailed accounts payable records with the general ledger control account

TABLE 13-2 (continued)

ACTIVITY: Cash disbursements
THREATS:
  18. Failure to take advantage of discounts for prompt payment
  19. Paying for items not received
  20. Duplicate payments
  21. Theft of cash
  22. Check alteration
  23. Cash flow problems
CONTROLS:
  18.1 Filing of invoices by due date for discounts
  18.2 Cash flow budgets
  19.1 Requiring that all supplier invoices be matched to supporting documents that are acknowledged by both receiving and inventory control
  19.2 Budgets (for services)
  19.3 Requiring receipts for travel expenses
  19.4 Use of corporate credit cards for travel expenses
  20.1 Requiring a complete voucher package for all payments
  20.2 Policy to pay only from original copies of supplier invoices
  20.3 Cancelling all supporting documents when payment is made
  21.1 Physical security of blank checks and check signing machine
  21.2 Periodic accounting of all sequentially numbered checks by cashier
  21.3 Access controls to EFT terminals
  21.4 Use of dedicated computer and browser for online banking
  21.5 ACH blocks on accounts not used for payments
  21.6 Separation of check-writing function from accounts payable
  21.7 Requiring dual signatures on checks greater than a specific amount
  21.8 Regular reconciliation of bank account with recorded amounts by someone independent of cash disbursements procedures
  21.9 Restriction of access to supplier master file
  21.10 Limiting the number of employees with ability to create one-time suppliers and to process invoices from one-time suppliers
  21.11 Running petty cash as an imprest fund
  21.12 Surprise audits of petty cash fund
  22.1 Check protection machines
  22.2 Use of special inks and papers
  22.3 "Positive Pay" arrangements with banks
  23.1 Cash flow budget

TABLE 14-1 Threats and Controls in the Production Cycle

(Controls: first number refers to the corresponding threat)

ACTIVITY: General issues throughout entire production cycle
THREATS:
  1. Inaccurate or invalid master data
  2. Unauthorized disclosure of sensitive information
  3. Loss or destruction of data
CONTROLS:
  1.1 Data processing integrity controls
  1.2 Restriction of access to master data
  1.3 Review of all changes to master data
  2.1 Access controls
  2.2 Encryption
  3.1 Backup and disaster recovery procedures

ACTIVITY: Product design
THREATS:
  4. Poor product design resulting in excess costs
CONTROLS:
  4.1 Accounting analysis of costs arising from product design choices
  4.2 Analysis of warranty and repair costs

ACTIVITY: Planning and scheduling
THREATS:
  5. Over- and underproduction
CONTROLS:
  5.1 Production planning systems
  5.2 Review and approval of production schedules and orders
  5.3 Restriction of access to production orders and production schedules

ACTIVITY: Production operations
THREATS:
  6. Theft of inventory
  7. Theft of fixed assets
  8. Poor performance
  9. Suboptimal investment in fixed assets
  10. Loss of inventory or fixed assets due to fire or other disasters
  11. Disruption of operations
CONTROLS:
  6.1 Physical access controls
  6.2 Documentation of all inventory movement
  6.3 Segregation of duties: custody of assets from recording and authorization of removal
  6.4 Restriction of access to inventory master data
  6.5 Periodic physical counts of inventory and reconciliation of those counts to recorded quantities
  7.1 Physical inventory of all fixed assets
  7.2 Restriction of physical access to fixed assets
  7.3 Maintaining detailed records of fixed assets, including disposal
  8.1 Training
  8.2 Performance reports
  9.1 Proper approval of fixed-asset acquisitions, including use of requests for proposals to solicit multiple competitive bids
  10.1 Physical safeguards (e.g., fire sprinklers)
  10.2 Insurance
  11.1 Backup and disaster recovery plans

ACTIVITY: Cost accounting
THREATS:
  12. Inaccurate cost data
  13. Inappropriate allocation of overhead costs
  14. Misleading reports
CONTROLS:
  12.1 Source data automation
  12.2 Data processing integrity controls
  13.1 Time-driven activity-based costing
  14.1 Innovative performance metrics (e.g., throughput)

TABLE 15-1 Threats and Controls in the Payroll/HRM Cycle

(Controls: first number refers to the corresponding threat)

ACTIVITY: General issues throughout entire HRM/payroll cycle
THREATS:
  1. Inaccurate or invalid master data
  2. Unauthorized disclosure of sensitive information
  3. Loss or destruction of data
  4. Hiring unqualified or larcenous employees
  5. Violations of employment laws
CONTROLS:
  1.1 Data processing integrity controls
  1.2 Restriction of access to master data
  1.3 Review of all changes to master data
  2.1 Access controls
  2.2 Encryption
  2.3 Tokenization
  3.1 Backup and disaster recovery procedures
  4.1 Sound hiring procedures, including verification of job applicants' credentials, skills, references, and employment history
  4.2 Criminal background investigation checks of all applicants for finance-related positions
  5.1 Thorough documentation of hiring, performance evaluation, and dismissal procedures
  5.2 Continuing education on changes in employment laws

ACTIVITY: Update payroll master data
THREATS:
  6. Unauthorized changes to payroll master data
  7. Inaccurate updating of payroll master data
CONTROLS:
  6.1 Segregation of duties: HRM department updates master data, but only payroll department issues paychecks
  6.2 Access controls
  7.1 Data processing integrity controls
  7.2 Regular review of all changes to master payroll data

ACTIVITY: Validate time and attendance data
THREATS:
  8. Inaccurate time and attendance data
CONTROLS:
  8.1 Source data automation for data capture
  8.2 Biometric authentication
  8.3 Segregation of duties (reconciliation of job-time tickets to time cards)
  8.4 Supervisory review

ACTIVITY: Prepare payroll
THREATS:
  9. Errors in processing payroll
CONTROLS:
  9.1 Data processing integrity controls: batch totals, cross-footing of the payroll register, use of a payroll clearing account and a zero-balance check
  9.2 Supervisory review of payroll register and other reports
  9.3 Issuing earnings statements to employees
  9.4 Review of IRS guidelines to ensure proper classification of workers as either employees or independent contractors

ACTIVITY: Disburse payroll
THREATS:
  10. Theft or fraudulent distribution of paychecks
CONTROLS:
  10.1 Restriction of physical access to blank payroll checks and the check signature machine
  10.2 Restriction of access to the EFT system
  10.3 Prenumbering and periodically accounting for all payroll checks and review of all EFT direct deposit transactions
  10.4 Require proper supporting documentation for all paychecks
  10.5 Use of a separate checking account for payroll, maintained as an imprest fund
  10.6 Segregation of duties (cashier versus accounts payable; check distribution from hiring/firing; independent reconciliation of the payroll checking account)
  10.7 Restriction of access to payroll master database
  10.8 Verification of identity of all employees receiving paychecks
  10.9 Redepositing unclaimed paychecks and investigating cause

ACTIVITY: Disburse payroll taxes and miscellaneous deductions
THREATS:
  11. Failure to make required payments
  12. Untimely payments
  13. Inaccurate payments
CONTROLS:
  11.1 Configuration of system to make required payments using current instructions from IRS (Publication Circular E)
  12.1 Same as 11.1
  13.1 Processing integrity controls
  13.2 Supervisory review of reports
  13.3 Employee review of earnings statement

TABLE 16-1 Threats and Controls in the General Ledger and Reporting System

(Controls: first number refers to the corresponding threat)

ACTIVITY: General issues throughout entire general ledger and reporting system
THREATS:
  1. Inaccurate or invalid general ledger data
  2. Unauthorized disclosure of financial statement
  3. Loss or destruction of data
CONTROLS:
  1.1 Data processing integrity controls
  1.2 Restriction of access to general ledger
  1.3 Review of all changes to general ledger data
  2.1 Access controls
  2.2 Encryption
  3.1 Backup and disaster recovery procedures

ACTIVITY: Update general ledger
THREATS:
  4. Inaccurate updating of general ledger
  5. Unauthorized journal entries
CONTROLS:
  4.1 Data entry processing integrity controls
  4.2 Reconciliations and control reports
  4.3 Audit trail creation and review
  5.1 Access controls
  5.2 Reconciliations and control reports
  5.3 Audit trail creation and review

ACTIVITY: Post adjusting entries
THREATS:
  6. Inaccurate adjusting entries
  7. Unauthorized adjusting entries
CONTROLS:
  6.1 Data entry processing integrity controls
  6.2 Spreadsheet error protection controls
  6.3 Standard adjusting entries
  6.4 Reconciliations and control reports
  6.5 Audit trail creation and review
  7.1 Access controls
  7.2 Reconciliations and control reports
  7.3 Audit trail creation and review

ACTIVITY: Prepare financial statements
THREATS:
  8. Inaccurate financial statements
  9. Fraudulent financial reporting
CONTROLS:
  8.1 Processing integrity controls
  8.2 Use of packaged software
  8.3 Training and experience in applying IFRS and XBRL
  8.4 Audits
  9.1 Audits

ACTIVITY: Produce managerial reports
THREATS:
  10. Poorly designed reports and graphs
CONTROLS:
  10.1 Responsibility accounting
  10.2 Balanced scorecard
  10.3 Training on proper graph design