
Vouching and Verification

Verification (balance sheet items):
1. Buildings
2. Plant and Machinery
3. Goodwill
4. Loans and Advances (given)
5. Debtors
6. Investments
7. Inventory/Stock
8. CWIP
9. Prepaid Expenses
10. Accrued Income
11. Creditors
12. Borrowings
13. Other Payables

Vouching (profit and loss items):
1. Revenue/Sales
2. Cost of Goods Sold
3. Bonus, Gratuity, PF and ESIC etc.
4. Employee payroll
5. Other expenses: Legal, Admin, Travel, Rent, Repair, Advertisement, Research and Development, Freight Inward and Outward

Audit approach:
1. SA 315 (identifying and assessing the risks of material misstatement)
2. Walkthrough
3. Internal control
4. Materiality
5. ROMM (risk of material misstatement)
6. Substantive testing: sample
Process of Purchase / Procure-to-Pay (P2P) process
User requirement, raised as a Material Requisition Note (MRN), approved by:
1. User department head
2. Store department head
3. Finance head

Documents required
1. Material Requisition Note (MRN) / PRF
2. Approved vendor list
3. At least three quotations received (RFQ)
4. Proforma invoice / PO
5. Gate entry in the gate inward register when goods come in
6. Quality report
7. Vendor invoice
8. Voucher
9. Bank payment
10. Authorisation
11. Vendor reconciliation
12. Transport document
13. E-way bill

Auditing the Purchasing Process


The major functions of P2P:
1. Requisitioning
2. Purchasing
3. Receiving
4. Invoice processing
5. Disbursements
6. Accounts payable
7. General ledger

KEY Segregation of Duties


SOD:

1. The purchasing function should be segregated from the requisitioning and goods/service receiving functions.

2. The invoice processing function should be segregated from the accounts payable function.

3. The disbursement function should be segregated from the accounts payable function.

4. The accounts payable function should be segregated from the general ledger function.


Purchasing process functions
1. Purchase requisition (PR) raised
2. Preparation and approval of PO
3. Receipt, counting and inspection of purchased materials
4. Receipt of vendor invoices and matching them with supporting documents such as the PO
5. Coding or checking of account distributions
6. Updating of accounts payable records
7. Preparation of vendor cheques
8. Signing and mailing of vendor cheques
9. Preparation of the voucher register
10. Reconciliation of the voucher register to the general ledger

What are the major processes of the procurement department:

Planning and budgeting
Purchase requisition and indenting process
Receiving quotations and making a comparative analysis
Vendor selection and approval process
PO generation and approval process
Receipt of material/service and invoice (e.g. GRN/SRN)
Vendor contracting process and management
Vendor master management
Vendor performance appraisal and evaluation
Vendor payment process
Reconciliation

What are the different types of risk associated with the P2P process (risk, followed by the impact noted against it):
Delay in generation of PO: possible delay in receipt of material, which may impact plant operations or force an emergency purchase at a higher price
PO not approved by authorised personnel: unauthorised procurement
Creation of PO for items already available in store/plant: ineffective procurement, blocking of working capital
Issuance of multiple POs to the same vendor to override the delegation of authority: bypass of the DOA matrix
Unauthorised purchase by raising a manual purchase order: unauthorised procurement
Issuing multiple POs for the same items to different vendors at different rates: ineffective procurement, blocking of working capital
Unauthorised changes/amendments to the PO, item master and vendor master: lack of access control
Unauthorised changes to PO price and quantity after approval of the PO: lack of access control
No three-way match of PO, GRN and invoice: incorrect price, damaged/low-quality product procured, inaccurate quantities and a higher chance of duplicate payment against the same invoice
Delay in delivery of goods: production and operations delays, impacting plant operations or production
Absence of SOD over updating, modification and review of the vendor master: weak internal control over the vendor master
Early payment to vendors against PO payment terms: ineffective utilisation of credit periods
Absence of SOD between creation of the vendor master and MIRO (invoice) posting in SAP
Advances issued to vendors not adjusted while processing payments against invoices received
Non-identification of dormant vendors, and unauthorised payments to dormant/inactive vendors
RFQ not sent to all approved vendors
Unorganised system of sending requests for quotation, leading to receipt of incomparable quotations
List of approved vendors/suppliers not maintained
Procurement without an assigned budget code
Procurement without budget and/or in excess of the allocated budget
Delay in sending RFQ to vendors
PO may be raised for an incorrect amount/quantity
Vendor selection without adequate evaluation
Order placed with higher-quoted L2/L3 vendors without the necessary justification and approvals
Duplicate and redundant vendors in the vendor master
Lack of price confidentiality in obtaining quotes
Changes to details of the comparative statement while creating the PO
Incorrect tax code used in the PO, leading to an incorrect final landed cost while evaluating vendors and the possibility of additional tax cost to the company
Non-acceptance of PO terms by the vendor
Absence of a penalty clause in the PO, leaving no remedy in case of delayed receipt of material or disputes
Absence of a periodic vendor evaluation process
Ineffective process of vendor appraisal: ineffective technical evaluation of vendors
Missing or incorrect information maintained in the vendor master
Order awarded to incompetent vendors
Three-way match failure (automated/manual): incorrect price, damaged/low-quality product procured, inaccurate quantities and a higher chance of duplicate payment against the same invoice
Purchase department
PO
1. Tender
2. Quotations (RFQ)
3. Select the best quotation (L1, L2 and L3)
4. Prepare PO / agreement
5. PO signed/approved: POD head, as per delegation of authority
6. Send PO to vendor

Management assertions
1. Occurrence
2. Accuracy
3. Classification
4. Cut-off procedure

Control activities
1. Segregation of duties
2. Maker-checker
3. Authorisation / delegation of authority
4. Performance review
Tests of controls
1. Observe SOD (the requester is not the one who orders)
2. Authorisation of the order form, supported by a purchase requisition
3. Review the policy for choice of supplier and inspect the monitoring of supplier terms
4. Review MRN and PO quantities

Control objectives for the purchasing process:
Initiation and approval of requests for goods and services (RFQ) by authorised individuals consistent with management criteria.
Receipt of quotations and approval of purchase orders, and proper execution as to price, quantity and quality.
Receipt of properly authorised goods, with quality check.
Processing of vendor invoices for goods and services received; also, processing of adjustments for allowances, discounts and advances.
Processing of payments to vendors.
Recording of all vendor invoices, cash/bank disbursements and adjustments in the individual subsidiary records.
Proper accumulation, classification and summarisation of purchases, cash disbursements and payables in the general ledger.

Possible errors or fraud

If one individual is responsible for the requisitioning, purchasing and goods/service receiving functions, fictitious purchases can be made. This can result in the theft of goods and possibly payment for unauthorised purchases.

If one individual is responsible for the invoice processing and accounts payable functions, purchase transactions can be processed at the wrong price or terms, or a cash disbursement can be processed for goods not received. This can result in overpayment for goods or the theft of cash.

If one individual is responsible for the disbursement function and has access to the accounts payable records, unauthorised cheques supported by fictitious documents can be issued and unauthorised transactions can be recorded. This can result in theft of the entity's cash.

If one individual is responsible for the accounts payable records and for the general ledger, that individual can conceal any defalcation that would normally be detected by reconciling subsidiary records with the general ledger control account.
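The following is an added example (not part of these notes, and not any firm's tooling) of how the four SOD rules above and the frauds each one guards against can be checked mechanically against a user-to-role extract. In practice users hold roles rather than raw functions, so the check first expands roles into the P2P functions they grant and then tests every pair of functions a single user ends up with. The role names, user IDs and the role-to-function mapping are constructed assumptions for the example.

```python
"""Segregation-of-duties (SOD) check for the P2P functions named on this page.

Users usually hold roles (e.g. SAP composite roles), so the check first expands
roles to the P2P functions they grant, then tests every pair of functions a
single user ends up with against the four SOD rules.
"""
from itertools import combinations

# P2P functions (the seven major functions listed under "Auditing the Purchasing Process")
REQUISITIONING = "requisitioning"
PURCHASING = "purchasing"
RECEIVING = "receiving"
INVOICE_PROCESSING = "invoice_processing"
DISBURSEMENT = "disbursement"
ACCOUNTS_PAYABLE = "accounts_payable"
GENERAL_LEDGER = "general_ledger"

# The four SOD rules, as function pairs one person must not hold, mapped to the
# error or fraud each pair enables (taken from "Possible errors or fraud").
CONFLICTS = {
    frozenset({PURCHASING, REQUISITIONING}): "fictitious purchases, theft of goods",
    frozenset({PURCHASING, RECEIVING}): "fictitious purchases, theft of goods",
    frozenset({INVOICE_PROCESSING, ACCOUNTS_PAYABLE}): "wrong price/terms, payment for goods not received",
    frozenset({DISBURSEMENT, ACCOUNTS_PAYABLE}): "unauthorised cheques on fictitious documents",
    frozenset({ACCOUNTS_PAYABLE, GENERAL_LEDGER}): "concealed defalcation (no independent reconciliation)",
}

# Constructed sample: role names and user IDs are made up for this example.
ROLE_FUNCTIONS = {
    "Z_PR_CREATE": {REQUISITIONING},
    "Z_PO_CREATE": {PURCHASING},
    "Z_GR_POST": {RECEIVING},
    "Z_MIRO": {INVOICE_PROCESSING},
    "Z_AP_MAINT": {ACCOUNTS_PAYABLE},
    "Z_PAYRUN": {DISBURSEMENT},
    "Z_GL_POST": {GENERAL_LEDGER},
}
USER_ROLES = {
    "akash": {"Z_PR_CREATE"},
    "meera": {"Z_PO_CREATE", "Z_GR_POST"},          # buyer who also posts goods receipts
    "ravi": {"Z_MIRO", "Z_AP_MAINT", "Z_PAYRUN"},    # books invoices, maintains AP, runs payments
    "sita": {"Z_GL_POST"},
}


def effective_functions(user_roles, role_functions):
    """Expand each user's roles into the set of P2P functions they can perform.
    Roles not in the mapping grant nothing that this check models."""
    return {
        user: set().union(*(role_functions.get(r, set()) for r in roles))
        for user, roles in user_roles.items()
    }


def find_conflicts(assignments):
    """assignments: {user: set of functions}. Returns a sorted list of
    (user, function_a, function_b, fraud_enabled) for every violated rule."""
    findings = []
    for user, funcs in sorted(assignments.items()):
        for a, b in combinations(sorted(funcs), 2):
            why = CONFLICTS.get(frozenset({a, b}))
            if why:
                findings.append((user, a, b, why))
    return findings


def sod_report(user_roles, role_functions):
    """Role-level entry point: expand roles, then check for SOD conflicts."""
    return find_conflicts(effective_functions(user_roles, role_functions))


if __name__ == "__main__":
    for user, a, b, why in sod_report(USER_ROLES, ROLE_FUNCTIONS):
        print(f"{user}: holds both {a} and {b} -> {why}")
```

Note that requisitioning together with receiving is not flagged: the page's rule 1 is about purchasing versus each of those two, so the rule table only contains pairs the notes actually name. When an auditor wants to add a pair (for example vendor master maintenance versus invoice posting, listed among the risks above), it is one more entry in CONFLICTS.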

[Department responsibility matrix for the functions above: columns User Department, Purchasing, Receiving, Accounts Payable, Accounts & Finance, IT; one X per function, column positions not recoverable]

To be asked of the client:
DOA matrix
Payment approval matrix
Procurement policy

Vendor dispatch / receiving (documents: invoice, GRN)
1. Gate entry
2. User quality check
3. If quality approved: store entry (GRN) by SD/RD
4. Documents sent to the finance department

Accounts / finance team (documents: PO, invoice, GRN)
1. Any advance paid?
2. Quality met?
3. On-time delivery?
4. Payment (considering credit terms)
5. Payment approval: HOD / DOA
6. Tax (TDS/TCS, GST)
7. Payment through bank
8. Recording of invoice and payment
9. Reconciliation

Inherent risk assessment, industry-related factors:
1. Is the supply of raw materials adequate?
2. How volatile are raw material prices?

Control activities
1. SOD (the receiver cannot be the one doing the accounts)
2. Maker-checker
3. Re-perform the calculation on the supplier invoice

Tests of controls
1. Check that invoices for goods are:
   supported by a GRN
   priced as per the quotations and PO
   classified correctly
   correctly calculated
2. Posted to purchases and accounts (P&L)
3. Authorised person for making payment and for approval (the cashier cannot be the one doing the accounts)
4. Stamp the word "Paid" on the supplier's invoice to prevent duplicate payment


Match
All relevant documents:
1. Four-way match (MRN = PO = GRN = invoice)
2. Quantity
3. Amount and rate
4. Item name
5. PO number
6. Invoice number
7. Vendor number
8. Vendor name
9. Receiving
10. BOL
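An added example (not from these notes) of the four-way match above carried out in code: the four documents are compared on item name, PO reference, vendor, quantities at each hand-off (requested, ordered, received, billed), unit rate and invoice arithmetic, and every disagreement is returned as an exception instead of a bare pass/fail. The document numbers, vendor code, item and quantities are constructed sample data; the field names and tolerance parameters are assumptions.

```python
"""Four-way match (MRN = PO = GRN = invoice) with optional quantity/rate tolerances."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Doc:
    number: str
    item: str
    qty: float
    vendor: Optional[str] = None    # an MRN carries no vendor
    rate: Optional[float] = None    # unit rate: PO and invoice only
    ref_po: Optional[str] = None    # PO number quoted on the GRN / invoice
    amount: Optional[float] = None  # invoice total


def four_way_match(mrn, po, grn, inv, qty_tol=0.0, rate_tol=0.0):
    """Return a list of exception strings; an empty list means the four documents agree.
    qty_tol is an absolute quantity allowance, rate_tol a fraction of the PO rate."""
    ex = []
    # Item name must agree across all four documents
    names = {d.item for d in (mrn, po, grn, inv)}
    if len(names) > 1:
        ex.append(f"item name differs across documents: {sorted(names)}")
    # GRN and invoice must reference this PO and name the PO's vendor
    for d in (grn, inv):
        if d.ref_po != po.number:
            ex.append(f"{d.number} references {d.ref_po}, not {po.number}")
        if d.vendor != po.vendor:
            ex.append(f"{d.number} vendor {d.vendor} differs from PO vendor {po.vendor}")
    # Quantities: ordered <= requested, received <= ordered, billed <= received
    if po.qty > mrn.qty + qty_tol:
        ex.append(f"PO qty {po.qty} exceeds MRN qty {mrn.qty}")
    if grn.qty > po.qty + qty_tol:
        ex.append(f"GRN qty {grn.qty} exceeds PO qty {po.qty} (excess delivery)")
    if inv.qty > grn.qty + qty_tol:
        ex.append(f"invoice qty {inv.qty} exceeds GRN qty {grn.qty} (billed but not received)")
    # Rate: the invoice must not exceed the agreed PO rate
    if inv.rate > po.rate * (1 + rate_tol):
        ex.append(f"invoice rate {inv.rate} exceeds PO rate {po.rate}")
    # Invoice arithmetic: amount must equal qty x rate
    if inv.amount is not None and abs(inv.amount - inv.qty * inv.rate) > 0.01:
        ex.append(f"invoice amount {inv.amount} is not qty x rate ({inv.qty * inv.rate})")
    return ex


# Constructed sample documents (not real data)
MRN = Doc("MRN-101", "Steel plate 10mm", 100)
PO = Doc("PO-5001", "Steel plate 10mm", 100, vendor="V100", rate=250.0)
GRN = Doc("GRN-9001", "Steel plate 10mm", 100, vendor="V100", ref_po="PO-5001")
GOOD_INV = Doc("INV-77", "Steel plate 10mm", 100, vendor="V100", rate=250.0,
               ref_po="PO-5001", amount=25000.0)
# Over-billed: more units than received, and a higher unit rate than the PO
BAD_INV = Doc("INV-78", "Steel plate 10mm", 120, vendor="V100", rate=265.0,
              ref_po="PO-5001", amount=31800.0)

if __name__ == "__main__":
    print("good invoice:", four_way_match(MRN, PO, GRN, GOOD_INV) or "matched")
    for line in four_way_match(MRN, PO, GRN, BAD_INV):
        print("bad invoice:", line)
```

The quantity checks are deliberately one-sided: a short delivery against a PO is a commercial matter, but a GRN above the PO quantity (Test 18 in the analytics list below) or an invoice above the GRN quantity is a payment-control exception. A rate tolerance of, say, 10% lets a small agreed escalation through while still catching the 6% uplift in the sample, so the tolerance should come from the procurement policy rather than be chosen by the person doing the match.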


Analytics reports (21 tests):

Test 1 - Employee and vendor having the same bank account
Test 2 - More than one vendor having the same bank account
Test 3 - Same vendor having multiple master data records, with PO details
Test 4 - PO details of vendors having the same bank account
Test 5 - PO and contract pending release for more than 90 days
Test 6 - PO and contract created without a purchase requisition
Test 7 - PO created without a release strategy
Test 8 - PO created without GR-based invoice verification check
Test 9 - Purchase orders created on public holidays
Test 10 - Multiple POs for value split by the same user on the same day for the same material
Test 11 - Multiple POs for value split by different users on the same day for the same material
Test 12 - Same material procured from different vendors at different prices on the same day
Test 13 - Material procured from the same vendor at different prices
Test 14 - Same material procured from different vendors at different prices
Test 15 - Vendors with a single PO with value above Rs. 5 lakh
Test 16 - Vendors with nil balance but more than Rs. 5 lakh of transactions
Test 17 - Material delivery pending for more than 90 days
Test 18 - Excess material delivered against purchase order quantity
Test 19 - Goods receipt but invoice not received
Test 20 - Vendor ageing analysis in 30, 60, 90, 120, 180 and 365 day brackets
Test 21 - PO vendor and invoice vendor are different
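An added example (not from these notes, and not any audit firm's scripts) implementing several of the tests above over constructed P2P extracts: Tests 1 and 2 (bank account shared between an employee and a vendor, or between vendors), Tests 10 and 11 (PO value splitting under an approval limit, with the users involved so the same-user and different-user variants fall out of one query), Test 19 (goods received with no invoice), Test 21 (invoice vendor differs from PO vendor) and a duplicate-invoice check. All IDs, names, amounts and field names are assumptions; the Rs. 5 lakh DOA limit is borrowed from the threshold in Test 15.

```python
"""Data-analytics tests over P2P extracts (vendor master, employee master, POs, GRNs, invoices)."""
from collections import defaultdict
from datetime import date

# Constructed sample extracts; IDs, names and field names are assumptions.
VENDORS = [
    {"vendor_id": "V100", "name": "Alpha Steels Pvt Ltd", "bank_acct": "0123456789"},
    {"vendor_id": "V101", "name": "Alpha Steel Pvt. Ltd.", "bank_acct": "0123456789"},  # duplicate master
    {"vendor_id": "V200", "name": "Beta Logistics", "bank_acct": "9988776655"},
]
EMPLOYEES = [
    {"emp_id": "E42", "name": "R. Kumar", "bank_acct": "9988776655"},  # same account as V200
    {"emp_id": "E43", "name": "S. Iyer", "bank_acct": "5555000011"},
]
DOA_LIMIT = 500_000  # assumed single-PO approval limit in Rs (cf. the Rs. 5 lakh threshold in Test 15)
POS = [
    {"po": "PO-5001", "vendor_id": "V100", "material": "STEEL-10MM", "value": 300_000, "user": "buyer1", "date": date(2024, 3, 4)},
    {"po": "PO-5002", "vendor_id": "V100", "material": "STEEL-10MM", "value": 280_000, "user": "buyer1", "date": date(2024, 3, 4)},
    {"po": "PO-5003", "vendor_id": "V200", "material": "FREIGHT", "value": 40_000, "user": "buyer2", "date": date(2024, 3, 5)},
]
GRNS = [
    {"grn": "GRN-9001", "po": "PO-5001"},
    {"grn": "GRN-9002", "po": "PO-5002"},
    {"grn": "GRN-9003", "po": "PO-5003"},
]
INVOICES = [
    {"inv": "INV-77", "po": "PO-5001", "vendor_id": "V100"},
    {"inv": "INV-77", "po": "PO-5001", "vendor_id": "V100"},  # booked twice
    {"inv": "INV-80", "po": "PO-5003", "vendor_id": "V101"},  # not the PO's vendor
]


def shared_bank_accounts(vendors, employees):
    """Tests 1 and 2: a bank account shared by an employee and a vendor, or by more than one vendor.
    Returns (list of (account, vendor_id, emp_id), {account: [vendor_ids]})."""
    by_acct = defaultdict(list)
    for v in vendors:
        by_acct[v["bank_acct"]].append(v["vendor_id"])
    emp_vendor = [(e["bank_acct"], vid, e["emp_id"])
                  for e in employees for vid in by_acct.get(e["bank_acct"], [])]
    multi_vendor = {acct: sorted(ids) for acct, ids in by_acct.items() if len(ids) > 1}
    return emp_vendor, multi_vendor


def po_split(pos, limit):
    """Tests 10 and 11: several POs for the same material on the same day whose combined value
    exceeds the single-PO approval limit while each PO alone stays under it (DOA bypass).
    The 'users' set tells same-user (Test 10) from different-user (Test 11) splitting."""
    groups = defaultdict(list)
    for p in pos:
        groups[(p["material"], p["date"])].append(p)
    hits = []
    for (material, day), items in groups.items():
        total = sum(p["value"] for p in items)
        if len(items) > 1 and total > limit and all(p["value"] <= limit for p in items):
            hits.append({"material": material, "date": day, "pos": [p["po"] for p in items],
                         "total": total, "users": {p["user"] for p in items}})
    return hits


def gr_without_invoice(grns, invoices):
    """Test 19: goods received but no vendor invoice booked against the PO (unrecorded liability)."""
    invoiced = {i["po"] for i in invoices}
    return sorted({g["po"] for g in grns} - invoiced)


def vendor_mismatch(pos, invoices):
    """Test 21: the vendor on the invoice is not the vendor on the PO it references."""
    po_vendor = {p["po"]: p["vendor_id"] for p in pos}
    return [(i["inv"], i["po"], po_vendor[i["po"]], i["vendor_id"])
            for i in invoices if po_vendor.get(i["po"]) not in (None, i["vendor_id"])]


def duplicate_invoices(invoices):
    """Same vendor and invoice number booked more than once (duplicate payment risk)."""
    counts = defaultdict(int)
    for i in invoices:
        counts[(i["vendor_id"], i["inv"])] += 1
    return sorted((v, n, c) for (v, n), c in counts.items() if c > 1)


if __name__ == "__main__":
    print("employee/vendor shared accounts:", shared_bank_accounts(VENDORS, EMPLOYEES)[0])
    print("accounts shared by vendors:", shared_bank_accounts(VENDORS, EMPLOYEES)[1])
    print("PO splits:", po_split(POS, DOA_LIMIT))
    print("GR without invoice:", gr_without_invoice(GRNS, INVOICES))
    print("PO/invoice vendor mismatch:", vendor_mismatch(POS, INVOICES))
    print("duplicate invoices:", duplicate_invoices(INVOICES))
```

Two points a practitioner will want to keep in mind. Bank-account matching should be done on a normalised account string (strip spaces and leading zeros, and compare IFSC plus account number where available), otherwise a vendor keyed in with a space in the account number slips past Tests 1 and 2. And the PO-split test only catches splits on the same calendar day; a buyer who spreads the split over a week needs the same grouping with a rolling window instead of an exact date key.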
Following are the analytics reports / risk points as per Thinkingbridg

Unapproved planning/budgeting (direct procurement like RM for the full year as per production; indirect procurement like services, e.g. Cap, housekeeping)
Inappropriate basis for budgeting, cost centre
Expenses not approved as per DOA
Unauthorised procurement
Post-facto PR/PO
Open PR > 90 days
Employee is the vendor
Possible redundant or duplicate vendor
Back-dated PR/PO
Delay in raising the PO from the PR date
PO splitting
Amount invoiced in excess of the quantities received (as compared to the PO)
Excess rate per unit invoiced
Duplicate invoice
Failure of the 3-way / 2-way match control
Duplicate payment
Minimum three quotations not received
Minimum and maximum stock levels not maintained
Absence of separation of operating duties from accounting duties, i.e. no SOD matrix
Absence of a proper authorisation matrix, e.g. for early payment discounts
Absence of physical security: PO approved, GRN prepared, invoice OK and paid, but inventory missing/lost/damaged as there is no control
Absence of restricted bank access
Sales Process / Order-to-Cash (O2C) process
Sales department / marketing department
1. Customer inquiry
2. Sending/submission of quotations
3. Negotiations with customers
4. Finalisation of terms and conditions with customers
5. PO received from customers
6. Planning of raw material, packing material and others
7. Prepare sales order (SO) and booking
8. Prepare sales invoice: approved
9. Goods dispatch note
10. Gate entry in the gate outward register
11. Terms of sale: FOB/CIF
12. Credit terms
13. Receiving
14. Sales return: approved
15. Quality check
16. Corrective actions

Points to check in a system sales audit:

Is the sales price correct as per the agreement?
Is the effective date mentioned in the ERP correct?
New sales order (fresh or amended)
No order, but price increased by email: a sales order is required for the price increase
Compare in the ERP: is the rate mapping correct?
Taxes as per the customer PO: e.g. the customer PO says 12% GST but 18% was charged; get the PO changed
Price change (retrospective increase or decrease): check that the debit note or credit note was prepared on time and the GST adjustment made (the vendor debits us basic plus GST); otherwise a loss of GST for us
E-invoice is required for debit notes and credit notes as well (turnover exceeds 5 cr)
New customer creation: whether the SOP was followed (map the correct GST in SAP; if it is wrong, it comes back as a debit to us via the customer)
Documents required (O2C)
1. Sales order
2. Sales invoice
3. GDN
4. GST, TDS, TCS, if any
5. Gate outward register
6. Transport documents
7. Receiving
8. Bank
9. Accounting
10. Credit terms
11. Advance adjusted
12. Dr/Cr note
13. Customer reconciliation

Match
1. Three-way match
2. Quantity
3. Amount and rate
4. Item name
5. PO number
6. Invoice number and date
7. Customer number
8. Customer name
9. Receiving
10. BOL

Test of control / compliance
1. Approval of bank reconciliation

To obtain SAAE (sufficient appropriate audit evidence):
Tests of control / compliance (e.g. approval of bank reconciliation), then
substantive procedures, which split into:
  tests of detail, and
  SAP / AP (substantive analytical procedures, covered in SA 520).
Both are applied at the assertion level.

Management assertions
1. Occurrence
2. Accuracy
3. Classification
4. Cut-off procedure
Documenting effective internal controls: Not just for public com

Although independent auditors have always been required to consider the existence of internal controls and the imp
has so much attention been directed to this subject until Congress enacted the Sarbanes-Oxley Act of 2002 (SOX). A
of complying with SOX over the past couple of years, there’s been much criticism relative to the cost and effort inher
of documenting and testing internal controls are finally beginning to emerge, as companies move into their second o
of 3 chief executives credited SOX and other compliance initiatives with helping them to uncover potentially damagi
those surveyed said that SOX compliance has increased their understanding of their businesses.

It’s these hidden benefits that are driving some non-public companies to start SOX-like projects to develop and docu
seeking to improve internal controls are looking for a structured approach to guide their efforts. Indeed, many of the
struggling to comply with SOX were a direct result of the ambiguity of the law itself and the fact that there was no pla
follow.

This article describes seven steps an organization should follow to develop and document an efficient and value-adde
reporting processes. This process works well for both financial and information technology controls.

Step 1: Plan

A major component of planning is the risk assessment. A risk assessment is needed to identify the specific processes
that could affect financial statements. Financial risk is assessed at the entity level (by division or location) and at the
are known, an information technology risk assessment is conducted, which maps financial risks to systems, people, a
a risk assessment is to identify which entities or processes contain key controls that need to be documented and teste
a “bottom-up” compliance effort may result in covering nonessential processes and may miss critical key processes a

Step 2: Establish a control framework


Once the risk assessment process is completed, an appropriate risk control framework can be established. A control
processes, control objectives, and related control statements.

The control framework establishes the boundaries for documenting and testing the internal control environment, so
key process areas identified in the risk assessment. A company that’s required to comply with SOX may want to cons
development of the framework. Ultimately, the design of the framework must be acceptable to the external auditors,
to provide management with any specific feedback on the design of an internal control system they will later audit.

Step 3: Document control activity

Now that control objectives have been identified, the activities or processes that are performed to ensure the control
amount of detail may vary in activity descriptions. Some companies have extensive process and task-level document
summaries of the activity or processes followed in as little as a few carefully crafted paragraphs. Either way can be ac
assertions can be identified in the activity descriptions.

Step 4: Identify specific controls


Identifying the specific controls is very important, because these contain attributes, or action steps, that must be test
processes. Information technology controls provide a foundation layer for enterprise security underlying application
or automated, and they can be preventative or detective. Preventative controls proactively attempt to prevent unauth
Detective controls, on the other hand, are designed to detect acts that aren’t authorized or undesirable after they’ve o
components of an effective internal control system.

Step 5: Evaluate control design

Evaluating the design of a control prior to developing tests of compliance is an often overlooked part of the process. W
could result if the control is not operating effectively or if there’s a flaw in the design or documentation of the control
clearly identify the specific controls and:

Who performs the control activity


How the control is being performed
What reports or other information is used to perform the control
How frequently the control operates
Whether the documented control activity meets all of the control objective assertions
A control activity description that passes all the above quality review steps would be evaluated as a control that’s “eff

Step 6: Test control effectiveness

Once controls have been properly described, controls should be tested to determine if they’re operating as designed a
perform unbiased testing, and to ensure that results are representative of the total population, statistical sampling te
sample sizes, and samples should be randomly selected.

After testing has been completed, if no exceptions are found in the unbiased samples, then the control is classified as
should be recorded in a remediation log.

Step 7: Remediate and retest

All testing exceptions should be documented in a remediation log and assigned to a person responsible for correcting
recommending that controls be retested. Typically some time needs to pass so that a new sample can be selected from
remediation efforts. This cycle of retesting and remediation should continue until the controls are determined to be o

In conclusion
By following the steps above, companies of all sizes can implement and document a program aimed at improving the
information technology systems in their organizations.
Enterprise Risk Management (ERM)

Risk management methods that firms use to identify and mitigate risks that can pose problems for the ente

What is Enterprise Risk Management (ERM)?

Enterprise Risk Management (ERM) is a term used in business to describe risk managemen
problems for the enterprise. The simple question that ERM practitioners attempt to answer
mission?”

Summary

Enterprise Risk Management (ERM) is essential for public and private companies to appro
management method, if integrated properly, can result in substantial cost savings for the c
There are four specific types of risks associated with each business – hazard risks, financia
The ERM process includes five specific elements – strategy/objective setting, risk identifica
communication/monitoring.
Type of Risks

Hazard risks include risks that present a high level of threat to life, health, or property.
Financial risks refer to risks that are directly related to money. They include financial consequences lik
funding source
Strategic risks are risks that affect or are created by strategic business decisions.
Operational risks are risks that materially affect an organization and result from Inadequa
Internal Controls and People like Risk of Fraud by an Employee, Resignation by Skilled Hu

Risk Response Strategies for Enterprise Risk Management

Management selects one of the five appropriate risk response strategies below to deal with their identified r
1. Risk avoidance: The elimination of risks or activities that can negatively impact the organization’s as
line.
2. Risk reduction: The mitigation or limitation of the severity of losses. For example, management can
early.
3. Alternative actions: The consideration of other possible ways to reduce risks.
4. Share or insure: The actions of transferring risks to third parties, like insurance agencies. For examp
business.
5. Risk acceptance: The acknowledgment of the identified risks and the willingness to accept their cons
of risk acceptance.
Core Elements of an Enterprise Risk Management Process

ERM follows a very distinct and ongoing process, where it actively identifies and reassesses the various stra
includes five specific elements:
1. Risk identification: Provide a clear profile of major risks that can negatively impact the company’s o
2. Risk assessment: Identified risks are strictly analyzed to determine both their likelihood and potenti
3. Risk response (mitigate identified risks by implementing appropriate controls): Conside
paths to align identified risks with management's risk tolerances.
4. Communication and monitoring: Relevant information and data need to be constantly monitored
Example of an Enterprise Risk Management Process
1. Risk identification: Once the key drivers are identified, the ERM process will begin the risk identific
success of each key driver.
2. Risk assessment: The risks must then be carefully analyzed from cross-departmental views during th
3. Risk response: Once the discussion and acknowledgment of the potential risks are finalized by upper
4. Communication and monitoring: Finally, upper management will measure, monitor, and commu
indicators deemed effective by that organization.

Understanding Risk – Business Risks vs. Financial Risks

Broadly speaking, risk can be split up into two main categories – financial risk and business risk.

Financial Risk

Financial risk comes with the use of leverage (sometimes called gearing); it occurs when a company has a h

Financial risk represents the notion that a company’s commitment to meet debt service obligations, as well
firm into an event of default.

Business Risk
Business risk, on the other hand, is about internal and external forces that converge to create threats to a co

1. The external business environment, including macroeconomic forces well outside the control of manage
2. Industry-specific risks, like the level of concentration in the industry, regulatory risk, barriers to entry,
3. Company or firm-level concerns, like ineffective management, reputational risk, a toxic corporate cultu

Categories of operational risk

1. People risk: resignation of a critical human resource
2. System risk: collapse or loss of a system due to error, virus attack or cyberattack
3. Process risk: process inefficiencies or implementation of weak internal controls
4. Legal risk: non-compliance with applicable laws and regulations such as AML laws, GDPR, ESG regulations
5. Event risk: occurrence of natural disasters or hazards such as earthquake, fire, etc.

Important definitions

1. Likelihood: the chance of a risk occurring (judgement and past data are used to assess it)
2. Impact: what the impact will be if the risk occurs (it depends on the type or nature of the risk)
3. Risk assessment: considers both likelihood and impact

Risk mitigation action plan

What actions are required to mitigate or avoid the risk written in the risk assessment column (give a rating or score)
Internal Audit
A. SOP (standard operating procedure)
1. H2R (hiring process, salary processing, retirement and leave system etc.)
2. Annual business plan (permanent, contract, trainee etc.)
3. Organisation hierarchy chart
B. Recruitment process
1. MRP (manpower requisition form, like a PRF): reason, vacant position or business extension;
approved by VP or department head (as per DOA)
2. Internal talent bank, external agencies;
interview assessment checklist (communication skill, technical skill, presentation etc., CTC)
3. Comparison done or not between candidates A, B, C
(Mr C hired ... requires justification)
4. KYC: Aadhaar card, PAN card, educational certificates, experience certificate, resignation letter,
NOC, medical fitness certificate, BGV etc.

Induction process:
meeting with company staff
5. Code of conduct form signed
handbook
familiarisation programme
awareness and adequate training about company rules and regulations

Employee master data creation:

Basic
HRA
6. DA
PF
ESI
TDS
date of joining
accuracy of data entered in SAP
control is restricted to very few personnel
Attendance software:
7.
