
04/04/11 Accounts Payable Risk Matrices

Contributed August 29, 2001 by julia.bird@phoenix.gov, City Auditor Department

SAP – Accounts Payable Control Matrix

The attached control matrix is the result of updating the post-implementation control matrix. The matrix outlines risks and controls. Controls will be validated and tested in the 2000-01 file for SAP Application Controls for Accounts Payable (File number 1010043).

The FI-AP module processes all invoices related to regular invoices, and invoices related to DPOs and CORs. Invoices related to POs are entered in the MM module, and controls are tested there.

This matrix will be helpful in identifying the risks and controls over Accounts Payable processing. The 2000-01 fiscal year audit work can be relied upon for a review of internal controls over SAP & Central Accounts Payable processing. However, it will still be necessary to evaluate individual departments’ business processes and sample transactions when conducting audits of individual departmental expenditures.

The control matrix contains 4 categories:

1) Vendor Master
2) Invoice Processing
3) Invoice Verification
4) Disbursements


Financial Loss due to payments made to unapproved vendor. Financial Loss due to payments made to incorrect vendor. 3. Incompatible segregation of duty transactions such as the following are restricted: • Create/change vendor master data and accounts payable activities • Create/change vendor master data and process warrants/distribute warrants. (fraud) 1. The vendor coding form will be attached with source documents and the A/P supervisor approves it. No Risks Possible Negative Results Risk (High / Med / Low) H Controls P / D Audit Step Teammate Ref SOC 1 Vendor Master Users may have unauthorized access to update vendor master files. (fraud) H 1. 3. Review user profile for conflicting access. 2. Appropriate transaction codes and other object authorizations should be assigned to authorized users. 2 Creation or deletion of vendor master files may not be authorized or detected. Trace information to vendor coding form. Review user profiles added for A/P Vendor Master. 3. D and verify proper authorization. Review user profile for reasonableness of access. The Accounts Admin Section reviews the SAP report (RFKABL00) listing modified P P P 1. Verify Accounts Admin reviews list of modified/created vendors. 3. Then the Accounts Admin Section verifies AP Supervisor approval. The following transactions need to be restricted: • Create. for Controller approvals. 2. 1b. Controller signs off on security forms and check for these incompatibilities. change and display master records • Block and unblock master records • Mark record for deletion P 1a. Creation or deletion of a vendor master file requires a vendor coding form authorization by the appropriate users. P 2. Select a sample of vendor master records created. Review the Vendor Master File for changes that have been made and verify that all of the users who made the changes have the appropriate Vendor Master Change profile. 2.

Observe that an error/warning message appears when erroneous information is entered. Select a sample of vendor master records created. These fields include payee name (other required information depends on the Account Group). Alternative payees cannot P 6. Vendors with incomplete info will be manually blocked from payment by AP staff. 3. P 1. A sample of new/changed vendors is agreed to the vendor coding form. 4. 1099 information is requested prior to setting up vendor master record. 3 Inaccurate or incomplete vendor data may be entered. Mandatory fields in the vendor master file are defined and required. List all master P P P 4 Sensitive fields. Observe a user creating a Vendor Master Record. Trace information to vendor coding form. vendors monthly. Observe a user creating a Vendor Master Record. 1. the vendor is blocked until the 1099 information is provided 3. 2. 6. and verify the 1099 is present. or required information is omitted. Legal liability for noncompliance with government regulations H 1. and document mandatory fields are required for entry. 5. 4. such Financial H 1. Unpaid vendors. or vendor is blocked for payment. For tax-reportable vendors. Select a sample of unblocked vendor files and verify they have the required information. Evaluate override authorizations (if any) 5. The system displays an error / warning message whenever there is erroneous or omitted vendor data during data entry. The vendor coding form will be attached with source documents and the A/P supervisor approves it. Then the Accounts Admin Section verifies AP Supervisor approval. 2. Inappropriate override for mandatory fields are prevented by SAP.

Observe user creating a vendor master record. A sample of new/changed vendors is agreed to the vendor coding form. 2. vendor records with an alternative payee. M 1. Then the Accounts Admin Section verifies AP Supervisor approval. P 2. Confusion when selecting vendor when invoicing. Test vendor master file for duplicate records. The Accounts Admin Section reviews the SAP report (RFKABL00) listing modified vendors monthly. 2. Observe creation of vendor names and verify naming conventions are used. and verify the user checks for same name. 2. 3. H 1. 3. levies. Select a sample of newly created vendor master records. and verify proper approval. IRS or AZ Department of Revenue levies only. may be inappropriately completed and not reviewed. A/P supervisor signs off on vendor master input forms. be set up in the vendor master record without proper authorization. 4. The creation or modification of alternative payee is subject to the same requirements as setting up or changing a vendor master record. Select a sample from the list and review supporting documentation for accuracy and proper approval. Incomplete vendor reporting due to more than one vendor number. Verify Accounts Admin reviews list of modified/created vendors. Perform same audit steps for 5 Duplicate vendor records may be created. loss. A/P clerk checks for same name address. The vendor coding form will be attached with source documents and the A/P supervisor approves it. etc. Standard naming conventions are used to reduce the possibility of duplicate vendor names P 6 Housing / Election vendors may not Financial loss. Alternate payees are used for collectors. Housing vendors are subject to the same controls mentioned as Alternative Payees. 3. when submitting or approving vendor master input form. P 1. P D P 1. 3.

7 Unauthorized changes to vendor master data may go undetected. 1. Housing (and any other users with vendor master authorization D 1. Financial loss H in Vendor Master points 1-5. A sample of new/changed vendors is agreed to the vendor coding form. and ask users to explain the items. receive the same level of review/control as centralized A/P vendors. Run the RFKABL00 report. The Accounts Admin Section reviews the SAP report (RFKABL00) listing modified vendors monthly.

Rely on BASIS audit to identify conflicting access. 3 Users may be able to post high dollar transactions without proper authorization. P 6 .000 and verify Finance Admin Supervisor review. Workflow process: Supervisory approval of invoice. M 1. 3. Select a sample of invoices greater than $100. 2. H 1 FI Invoice Processing Unauthorized users may gain access to post invoice transactions into SAP. and Finance A/P review & approval 2. Compare user profiles for Invoicing to active employee list 2. Unauthorized large payments M 1. 2. change. delete parked and ‘normal’ documents • park and release parked documents • block and unblock documents. 1. 1. Financial loss. 2 Terminated or employees on extended leave of absence may have access to the system. for A/P supervisor and Controller approvals. Financial loss. Review user profile for reasonableness of access. Review user profiles added for A/P Invoice. Finance Dept Admin Supervisor reviews all payments greater than $100.000. 2. Select a sample of invoices and verify supervisory and central a/p staff review. 2. Appropriate transaction codes and other object authorizations are assigned to authorized users. SAP security administrator will also monitor. Verify SAP Team sends out lists. Finance SAP Team sends out lists to departments twice a year identifying potential terminated employees P 1. P 1. A/P supervisor completes a form to remove access when employees leave. Invoice posting capabilities are segregated from the following: • vendor/bank master file creation/change • warrant distribution • a/p approval/review 3. The following transactions are restricted: • post.

SAP automatically required supervisor approval of invoices. and verify that the system does not allow duplicate invoice numbers. 2. H 1. AP also traces information entered to the source document. Workflow process: Supervisory approval of invoice. Original invoices are required as source document. Select a 5 Inaccurate or invalid data could be input when record first entered into SAP Financial loss. Original invoices are required as source document. 2. Financial loss. AP staff physically stamp P 7 Invoice is posted into SAP more than once. Intelligent and mandatory fields have been set up. 1. 3. D P P 1. 3. Supervisors must approve paying on a fax or copy. Misstated financial statements. 3. 1. System does not allow duplicate invoices upon invoice entry if the invoice number. Select a sample of invoice documents and verify supervisor and AP staff approval. M P D P and the SAP controls for mandatory and intelligent fields. 2. The report identifies all invoices with the same invoice number and the same amount. 2. 3. H 1. and review for proper approval. Select a sample of invoices and verify supervisory and central a/p staff review. Workflow process: Supervisory approval of invoice. P D D 6 Invoices may not be properly approved. and Finance A/P review & approval 2. and Finance A/P review & approval. Select a sample of invoices and trace information to supporting document. 4. Financial loss from duplicate invoices. Finance staff reviews the duplicate invoice report (zdup) daily. Review copies of the duplicate invoice report to verify that Finance is reviewing the report and taking appropriate action. 4. Enter an invoice twice. 4 Invalid invoices may be entered Financial loss. 1. Select a sample of invoices. 2. 1. 1. vendor number and invoice date are the same. Supervisors must approve paying on a fax or copy.
and agree to source document. Observe the entry of invoices.

and a reason code is required. H 1. Determine if SAP or Finance checks for reversal entries. 8 Invoice may be changed after it is posted Financial loss. MR08). before a reversal entry is accepted: • no cleared items • original transaction was within the original posting module 2. Financial loss H 1. and Finance A/P review & approval 2. P 10 Invoice may contain mathematical errors. Only Finance AP supervisors have access to do reversal documents (FB08. 1. sample of invoices and trace information to supporting document. SAP will automatically verify the following. 5. Observe Finance AP Unpaid vendors resulting in lost discounts. H P P 1. Workflow process: Supervisory approval of invoice. The creator of the invoice or manual PCD is responsible for verifying the mathematical accuracy of the invoice. 3. Observe Finance AP staff trying to change the payee or amount after the invoice is posted to verify SAP controls. or late fees. Finance AP check for PO reference on the invoice. Select a sample of invoice documents and verify mathematical accuracy of the invoice. 1. H 1. 2&3. 1. Misstated financial statements. P 9 The original transaction is inappropriately reversed out from the system. There are no subsequent controls. Finance AP identifies P 11 Invoices may be incorrectly or inaccurately keyed in through the FI module and not through the MM module. Misstated financial statements. and verify invoice is stamped “paid”. Payee or amount cannot be changed once supervisor has released PCD. Use ACL to test for duplicate invoices in a variety of ways. 1. “paid” on invoices after approval. 2. Standard procedure is to also enter information in the text field. Select a sample of invoices and verify supervisory and central a/p staff review. which would bypass the ‘three way match’ (PO.
invoice and Financial loss from duplicate invoices. Verify that only Finance AP supervisors have access to reverse a document.

P P 1-3. and investigates any commodities not being paid against a DPO. D 1. Vendor inquiries are investigated. 4. and Finance A/P review & approval. SAP verifies matching data (ie vendor number) and automatically updates the RF. Finance A/P management P 1&2. invoices for commodities. and they check commodities not paid against a DPO. We did not test for invoices with RF references. and vice versa D process and verify they check for PO reference on the invoice. that were not applied to the PO. No test necessary. 4. Review cycle time information for timeliness of invoice input. 5. Late M 1. COR or PO. Review report on number of invoices paid late. Observe Finance AP process and verify the reviewer checks for RF#. Thus Finance AP can identify: • GR without INV • INV without GR • GR different from INV. COR. P goods receipt) control to detect any errors. Creator of the invoice enters the RF# in a user-defined field. Review of g/l account 291000. Finance A/P staff approving the invoice look for the RF# on the invoice. This g/l account receives all GR (goods receipts) and INV (invoices) posted. resulting in lost discounts. 12 Invoice is not applied towards the related RF Misstated financial statements H 1. Finance AP reconciles all outstanding open items in g/l account 291000. M 1. P P D 13 Invoices may not be input in a timely manner. 4. We relied on the other controls. Review the 3. 5. After Finance AP staff approves the invoice. Departments are responsible for their budgets. 14 Invoices that are Late payments to vendors. and verify the number is on the SAP invoice. Workflow process: Supervisory approval of invoice. 4. 2. or late fees. 2. or PO. and may notice invoices not applied to RF’s.

g. D most recent report of invoices parked. the reconciliation process may not be correctly set-up. monitors the number of items and age in workflow inboxes. Observe SAP warning when Business Area and Cost Center are not compatible. P Review items in the 222000 g/l account and document the staff’s comments. ‘parked’ may not be posted and cleared on a timely basis. Finance AP management investigates all parked items over 2 weeks old. 16 Transactions may be posted to the wrong account / project / business area. Misstatement of financial statements. and document the staff’s comments. 2. Misstatement of financial statements. M D 1. L 1. Reconciliation account 222000 is used to ensure integrity between GL and AP sub-ledger. P 18 H P P 3. SAP automatically selects posting keys based on input information. Select a sample of invoices and verify that documents were stored properly. The FI accounts payable and FI general ledger are fully integrated within SAP. SAP requires the matching of debits and credits before an invoice is posted. resulting in lost discounts. or late fees. payments to vendors. 1. 1. 1-2. 1. etc. SAP gives a warning message if posting information (ie Business Area /cost center) is not compatible. 2. and Finance A/P review & approval. 2.. Observe that posting key controls are in place. P D 17 Invoices may not be stored for payment disputes. 2. Direct posting to reconciliation account is blocked. Select a sample of invoices and verify supervisory and central a/p staff review. 15 The General Ledger account balances may not be updated when a transaction is posted into a Vendor Account e. Lack of documentation for auditors. H 1. Posting keys for A/P transactions may not be restricted. 3. The workflow process is comprised of supervisory approval of invoice.
GL account number 222000 is the only reconciliation account. Select a sample of invoices and verify that the posting to the vendor account agrees to the general ledger posting. All supporting documentation (ie invoice) is stamped “paid” and filed. A posting to the vendor account will automatically post to the appropriate reconciliation account in the general ledger on a real time basis. P 1.


1 – IV4 2 . and compare the limits to the City standards. M 1 Invoice Verification Incorrect or invalid invoice data may be entered when the record is first entered via the MM module. The standard is 10%. and will notify Purchasing of the discrepancy. the system will not display the PO line items. and they 1. 2. P 1. Financial loss due to invoices being paid before final approval. 2. Observe the entry of invoices. IV3 1= O 2=O 4 Purchase made through PO is paid by PCD. Then the AP clerk will not process the invoice. Finance AP check for PO reference on the invoice. by transaction key. 2. L 1. The tolerance limits used to check on the three way match process are set according to the City’s policies and standards. Unauthorized large payments. Observe the entry of invoices and verify SAP warning message and AP clerk action.2 – IV3 3 – IV4 and the SAP controls for mandatory and intelligent fields. and investigates any commodities not being paid against a DPO. Payment blocks include: • Invoice amount exceeds PO amount by tolerance limits • The quantity on the invoice exceeds the quantity on the goods receipt (GR). M 1. Run the tolerance limit report for AP and MM. The system blocks the payments automatically if one of the above situations exists. P 1. 1. Therefore AP staff can select the line items relevant to the specific invoice.IV3 1= S 3 Payment blocks may not be placed on invoices during the invoice approval process. The system automatically displays all lines of the related purchase order and the value of the related goods receipt (GR) entered. Finance AP identifies invoices for commodities.
Misstated financial statements. 2. Financial loss 1. Observe data entry and verify SAP displays PO limitations.2. 1 – IV3 2 – IV3 1. The tolerance limit is used to match the FI invoice with the MM PO goods receipt. The system requires entry of the following information upon entry of the invoice: • purchase order number • document date • invoice number • total invoice amount 2.

or PO. IV4 NA 3. H 1. An example is the account where tolerance differences are posted. or late fees. Late payments to vendors. check commodities not paid against a DPO. resulting in lost discounts. 3. COR or PO. Review of g/l account 291000. open items. Review of g/l account 291000. 2. COR. and vice versa 1. the GR/IR account will not be cleared automatically. 2. This g/l account receives all GR (goods receipts) and INV (invoices) posted. and makes the appropriate corrections. A batch job is run to match GR and IR entries within the account on a daily basis. and if there is no further goods receipt recorded by the system. Finance AP reconciles all outstanding open items in g/l account 291000. If there is a quantity variance where the quantity invoiced is different than the quantity of goods received. Finance AP staff reviews the GR/IR clearing account monthly for long outstanding. 5 Large outstanding payable balances may build up and not be reviewed on a regular basis in the GR/IR general ledger account. Thus Finance AP can identify: • GR without INV • INV without GR • GR different from INV.

Select a sample of unblocked vendor files and verify they have the required information. The system captures the check number in the document allocation fields. Vendors with incomplete info will be manually blocked from payment by AP staff. See controls for Invoice Processing. Unauthorized access to the Payment Output file. to cut checks. SAP Security Profiles: Only 3 A/P supervisors have access. Rely on Invoice Processing tests. in report format. SAP creates an exception report for invoices where mandatory fields are not populated. Rely on Invoice Processing controls. List all users with this profile and review for reasonableness and proper authorization. 2. 1. 1 – all IP 2. The A/P supervisor reviews the Payment Proposal List (RFZALI00) and the Exception List (RFZALI10).) Cash disbursement details may be inaccurate and incomplete. P 1. (Note: Payment Output File is the result of a formatted payment batch. Disbursement data is based on information provided during invoice entry (either via FI or MM module).3. 2. IP all H P D3 1=S 3 Financial loss. Misstated financial statements. P 1. Financial loss Financial 1. P 1. Access to the directory should be restricted or extremely limited. and automatically prints the P 1 – D1 2 – D2 1=S and for invoices blocked for payment. H 1. 1. It contains all of the formatted payment information. Prior to the payment run. Select a sample of invoices and trace the check VM3 1= S 5 Check number may not be indicated in the payment document during payment H 1. Observe the documentation existing to verify supervisory review of payment proposal list and exception list. H 1 2 Disbursements Unauthorized users may be able to post invoice transactions into SAP. 1. H 1. 3. 3 – D4 1=S 2= O D 4 Inaccurate or incomplete vendor invoices may be paid.

L 1. so checks can’t be P 1 – D1 2 – D1 3 – D1 1.000. Procedures exist to review and approve invoices that are blocked. 3=S Select a sample of paid invoices and verify they were assigned a clearing document number and clearing date. Document management’s review of the Payment Proposal List and Exception List. 2. Run a report of all invoices due for a specific date. H 1. A/P reviewer approval is required before payment. 6 Large or unusual payments may not be blocked for management review. Trace manual check numbers back to invoices to make sure the manual check number was entered. Select a sample of payments > $100. P 1 – D1 2 – D4 1. Print file disappears after it is printed. 2. 1. 1. number back to the record. processing. number on the check. and compare that to the automatic payment run. 2 =S 7 Invoices selected for payment may not be reviewed. The Accounts Admin staff approves all payments over $100. 3. 2. P D 1 – D10 2 – D4 1. Unauthorized large payments.000 and verify Accounts Admin signature. SAP automatically assigns a clearing document number and clearing date when payment is made for open invoice item. The system is configured to propose invoices that are due for payment in the automatic payment run. Financial loss from duplicate payments. SAP will not select cleared items for payment. 2. Check number is pre-printed on manual checks. and all payments to 1-time vendors. 2. Financial loss H 1. 2 =S D 8 Payments could be made more than once for an invoice. Observe check run and verify checks =>$100.000 are approved by Accounts Admin. 2.

printed again. The FI accounts payable and FI general ledger are fully integrated within SAP. Review the check register for missing check numbers. Financial loss due to the difficulty reconciling bank accounts. Identify process for assigning both electronic and manual check numbers. 3. 2. A posting to the vendor account will automatically post to the appropriate reconciliation account in the general ledger on a real time basis. The check register is used to keep track of physical check numbers. 2. Test the disbursement run to make sure no cleared items were paid. Observe procedures for: • reviewing missing checks or check numbers • reconciling check register after each run • spoiled checks • voided checks 4. • Are spoiled manual checks retained. 1. SAP automatically assigns a sequential check number to each check. and records it in the register 2. Verify SAP reports all 1 – D1 2 – D1 1=S P 2= O 10 The check number in the check register may not be updated. 1. and others are denoted as “void”. Select a sample of invoices and verify the g/l account entry. Document that the print file disappears after it is printed. H P 1 – D2 &D4 2 – D1 3 – D1 4 – D1 1=S P 2=S 3= O • Reconcile check register after each check run. and noting missing checks. The procedures cover: • Reviewing missing checks or checks number not running in sequence. M 1. P 1. 3. Procedures exist for reviewing the check number in the check register. Review activity in g/l account #220000 to verify all invoices were posted to FI-GL. 9 Payments made are posted to the wrong accounts. GL account number 222000 is the only reconciliation account. Misstated financial statements. 3. 2. • Checks printed as overflow documents are denoted as “void” • Payment is made by the first check in the series only.

1 – D5 4=S 5=S 1=S 12 The transaction in the system may be left as an open item even though payment has been made. M 1. 5. The system assigns a clearing number and a clearing document to close an outstanding transaction when payment is made. SAP reports all voided checks during the check run. Financial loss. 5. M 1. P 1 – D1 1=O 14 Financial loss. The AP Supervisor reconciles the number of checks from the check register report to the count on the Job Log. Employees are grouped in a separate account group. and the AP Supervisor reviews the report. P 1 – D1 1=S 13 In the Check Print Restart and Reset Payment Batch functions: spoiled checks may not be retained for evidence as to restart. Select a sample of checks paid to employees. and verify spoiled checks were retained and checks were completed. 1. 11 The discount amount may be calculated incorrectly. A/P audit review. H 1. 2. Financial loss due to discarding spoiled checks. Financial loss from duplicate payments. 4. Completeness of checks may not be verified prior to restart. Have not had to do a check print restart yet. P P D D 1. Could not validate. 4. Document the reconciliation of Check register and SAP Job Log 1. The system automatically calculates discounts. Select a sample of paid invoices and verify they were assigned a clearing document number and clearing date. 3. L 1. 1. Manual approval required on PCDs entered by A/P clerks. Checks issued to employees may be inappropriate. Supervisory approval required through workflow. Document any “check print restart” events. Select a sample of invoices and verify that the appropriate discount was taken. and verify proper approval and proper account group. P voided checks during the run. 2-4 Rely on Invoice Processing 1 – D8 2-4 – all IP 1-4 = S

1-4 – D2 1=S 2=O 3=O 4=S 16 Printed checks may be lost or stolen. and review the security methods used to make sure checks are mailed out or kept in a secure location. Printed checks kept for pick up are kept in a secretary’s desk. The check printer is stored in a public area. H 1. 2. Verify independent review of manual check log. D D 1. 4. Agree check information to supporting documentation. 2. 3. and verify all missing check numbers are in SAP and on the manual log. and locked in the safe for the night. Observe the check run. The City Controller reviews the SAP check list prior to the release of manual checks. 1. 2. An Accounts Admin staff member reviews the log of manual checks to ensure that no checks are missing and all numbers are entered. Financial loss M 1. 1-3 – D11 1. 2. 2. Document City Controller requires SAP Check List prior to signing manual checks. Manual checks are recorded in the SAP check register. 3. Select a sample of reissued checks and verify that the original warrant was never cashed. D1 1 =O 17 Cancellation and reissue of checks may be improperly processed. 3=S Misstatement of financial statements. Blank check stock is secured. P 1. and noting missing checks. Financial loss due to the difficulty reconciling bank accounts. 4. Financial loss. Verify blank checks are secure. Controls are in place to ensure that warrants already issued have not been cashed before the re-issue of another warrant by checking with the bank and SAP. 2. Appropriate and authorized documentation is received from the vendor for review before the re-issue of another warrant. Checks are mailed out the same day they are printed. Take an inventory of the manual checks. 3. H 15 Manual checks issued may not be recorded in the system. but is supervised during the printing. P testing 1.

000.D9 1= O 2=S 19 20 21 Signature stamp is used by an unauthorized person Payment to vendor may be made when there is a large outstanding receivable from that company Credit memos due to Accounts Receivable customers may not be processed properly Financial loss Financial loss H M 1. The bank account is reconciled automatically daily. A/P supervisor checks documentation and approves transaction 18 The bank amount in the books may not agree with the amount at hand in bank. 1-2 . 3. Select a sample of reconciliations and review unreconciled items. 1. Document segregation of duties between disbursements and bank reconciliation. 2. 1. Misstated financial statements. Verify the signature stamp is secure. The signature stamp is kept in a safe in Accounts Admin 1. Finance staff performs a separate payment run for credit memos D2 D10 D7 AP provides Collections with a list of all checks => $100. with exceptions cleared manually. Verify that Treasury reviews all checks => $100. 2. An independent person reviews the bank reconciliation. Verify supervisor approval on all re-issued checks. Financial loss. D 3.000 daily for their review. 1. 1. Observe credit memo run and document issues. H 1.