Control Risk Matrix

SCOT - Purchase to Pay

12/31/XXXX

WCGW 1: Unauthorized or
WCGW 2: Purchase
incorrect changes are made WCGW 3: Invoice amounts WCGW 4: All WCGW 5: Coding of WCGW 6:
requests/orders are not
Control Description Control Type Related IT App to the vendor master file are not accurately purchases/payables purchases to the GL is Fictitious/duplicate
reviewed and authorized in
(i.e., vendors added or recorded. incurred are not recorded. incorrect purchases are recorded.
accordance with the policy.
vendors changed)
PTP-1: New vendor set-up or changes to an existing vendor require approval within ABCsuite; approval is restricted to those Application
ABCsuite 1
designated in the Purchase Approval Request Matrix. Control
Application
PTP-2a: ABCsuite automatically routes purchase requisitions to the requestor's immediate supervisor ABCsuite 1 1
Control
PTP-2b: The requestor's supervisor reviews the purchase requisition for justification of the purchase and supporting
ITDM ABCsuite 1 1
documentation for the request (i.e. vendor quote).
PTP-2c: Upon supervisor approval within ABCsuite, the purchase requisition is automatically routed to the Corporate Application
ABCsuite 1 1
Procurement Manager (CPM). Control
PTP-3a: The CPM reviews the purchase requisition for the following:
(1) supervisor approval
(2) the cost/price of the goods and/or services requested
ITDM ABCsuite 1 1
(3) appropriate GL account coding
(4) appropriate Department Coding
The CPM accepts all fields in the purchase requisition and approves the purchase requisition within ABCsuite.
Application
ABCsuite 1
PTP-3b: Upon CPM and/or Controller approval in ABCsuite, ABCsuite creates a Purchase Order. Control
Application
PTP-4a: ABCsuite routes purchase requisitions >$10K to the Controller for approval. ABCsuite 1
Control
PTP-4b: The Controller reviews purchase requisitions > $10k for CPM approval, cost/price of goods/services requested,
ITDM ABCsuite 1
appropriate GL account and department coding.
PTP-5: AP Manager reviews and approves all non-PO invoices and invoices which exceed the PO of either 5% of total price or
$1,000 identified through the 3-way match process. This review includes appropriateness of GL and Department Coding ITDM ABCsuite 1 1 1 1
within ABCsuite
PTP-6: ABCsuite is configured to perform a 3-way match between the purchase order, the invoice and the receiving Application
ABCsuite 1 1 1 1
documentation. If the invoice exceeds the PO by either 5% of total price or $1,000, the system rejects the match. Control
PTP-7: Appropriate access rights within ABCsuite are granted to the Procurement and Accounting teams based on their Application
ABCsuite 1 1 1 1
respective responsibilities and related functions. Control
PTP-8: Authorized signers approve the disbursement and sign the checks in accordance with the check authorization matrix. Manual Prevent N/A
ELC-1: Monthly, Management's Purchase Approval Request Matrix (impacts PTP-2a-c) and Authorized Access Matrix
ITDM ABCsuite 1
(impacts PTP-7) are reviewed by the CFO and updated in ABCsuite by IT.

FSCP-1: All balance sheet reconciliations are reviewed and approved by the Controller at month-end. Reconciling items
ITDM ABCsuite 1
greater than $10K require follow up.

FSCP-2: Journal entries are reviewed and approved by appropriate personnel prior to processing. ITDM ABCsuite 1

FSCP-3: The ABCsuite is configured to enforce data validation parameters to not allow posting of a journal entry that is not
Application
in balance, has an invalid/inactive account code, has a date of a closed period, or has an invalid code combination. When any ABCsuite 1
Control
of these conditions are present, the uploading of the entry fails and an error message is displayed.
Application
FSCP-4: ABCsuite is configured to have an approver that is different than the JE preparer. ABCsuite 1
Control
FSCP-5: Upon identifying invoices as a "paid" in ABCsuite, the system automatically posts a journal entry to debit accounts Application
ABCsuite
payable and credit cash. Control
Total 1 8 6 6 4 4

03 April 2018
 |------------------------------------------------------------ Manually Added Columns-----------------------------------------------------------------------------|

WCGW 10: Journal entries Review control

WCGW 7: Accrued payables WCGW 8: Accrued Payables WCGW 9: Accrued payables WCGW 11: Manual journal WCGW 12: Check/wire risk designation
are not properly calculated Response to a Existence or Measurement or Rights and Presentation and
are not recorded in the are not accurately are inaccurate and/or entries are not approved payments are not Total IPE Ref (Review control - Completeness
or recorded in the GL based specific risk Occurrence Valuation Obligations Disclosure
proper period. calculated and recorded. incomplete. prior to posting to the GL. appropriately authorized. higher, Review
on underlying support
control or N/A)

1 N/A N/A No 1

2 N/A N/A No 1

2 N/A Review control No 1 1

2 N/A N/A No 1

2 N/A Review control No 1 1

1 N/A N/A No 1

1 N/A N/A No 1 1

1 N/A Review control No 1

4 IPE 1a, IPE 1b Review control No 1 1 1

4 N/A N/A No 1 1 1

4 N/A N/A No 1

1 1 N/A N/A No 1

1 N/A Review control No 1

1 1 3 IPE 4, IPE 5, IPE 6 Review control No 1 1 1 1

IPE 2, IPE 3, IPE 3a,

1 1 1 1 1 6 Review control No 1 1
IPE 7

1 1 1 1 1 6 N/A N/A No 1 1

1 1 1 1 1 6 N/A N/A No 1 1 1

1 1 N/A N/A No 1 1 1 1

4 3 4 3 3 2 48 16 5 10 0 4

03 April 2018